Fixes for password protection middleware

David Bomba 2021-03-04 16:03:28 +11:00
parent 609cb1ee8d
commit 20440189d2
2 changed files with 29 additions and 26 deletions


@ -31,12 +31,26 @@ class PasswordProtection
*/ */
public function handle($request, Closure $next) public function handle($request, Closure $next)
{ {
// {nlog($request->headers->all());
// nlog($request->all());
$error = [ $error = [
'message' => 'Invalid Password', 'message' => 'Invalid Password',
'errors' => new stdClass, 'errors' => new stdClass,
]; ];
if( $request->header('X-API-OAUTH-PASSWORD') && strlen($request->header('X-API-OAUTH-PASSWORD')) >=1 ){ nlog(Cache::get(auth()->user()->hashed_id.'_logged_in'));
nlog($request->header('X-API-OAUTH-PASSWORD'));
if (Cache::get(auth()->user()->hashed_id.'_logged_in')) {
Cache::pull(auth()->user()->hashed_id.'_logged_in');
Cache::add(auth()->user()->hashed_id.'_logged_in', Str::random(64), now()->addMinutes(30));
return $next($request);
}elseif( $request->header('X-API-OAUTH-PASSWORD') && strlen($request->header('X-API-OAUTH-PASSWORD')) >=1){
//user is attempting to reauth with OAuth - check the token value //user is attempting to reauth with OAuth - check the token value
//todo expand this to include all OAuth providers //todo expand this to include all OAuth providers
@ -48,51 +62,36 @@ class PasswordProtection
$query = [ $query = [
'oauth_user_id' => $google->harvestSubField($user), 'oauth_user_id' => $google->harvestSubField($user),
'oauth_provider_id'=> 'google', 'oauth_provider_id'=> 'google'
]; ];
/* Cannot allow duplicates! */ //If OAuth and user also has a password set - check both
if ($existing_user = MultiDB::hasUser($query)) { if ($existing_user = MultiDB::hasUser($query) && auth()->user()->has_password && Hash::check(auth()->user()->password, $request->header('X-API-PASSWORD'))) {
Cache::add(auth()->user()->hashed_id.'_logged_in', Str::random(64), now()->addMinutes(30)); Cache::add(auth()->user()->hashed_id.'_logged_in', Str::random(64), now()->addMinutes(30));
return $next($request); return $next($request);
} }
} elseif($existing_user = MultiDB::hasUser($query) && !auth()->uer()->has_password){
$error = [ Cache::add(auth()->user()->hashed_id.'_logged_in', Str::random(64), now()->addMinutes(30));
'message' => 'Access denied', return $next($request);
'errors' => new stdClass, }
]; }
return response()->json($error, 412); return response()->json($error, 412);
}elseif ($request->header('X-API-PASSWORD')) { }elseif ($request->header('X-API-PASSWORD') && Hash::check($request->header('X-API-PASSWORD'), auth()->user()->password)) {
//user is attempting to reauth with regular password
//
if (! Hash::check($request->header('X-API-PASSWORD'), auth()->user()->password)) {
return response()->json($error, 403);
}
} elseif (Cache::get(auth()->user()->hashed_id.'_logged_in')) {
Cache::pull(auth()->user()->hashed_id.'_logged_in');
Cache::add(auth()->user()->hashed_id.'_logged_in', Str::random(64), now()->addMinutes(30)); Cache::add(auth()->user()->hashed_id.'_logged_in', Str::random(64), now()->addMinutes(30));
return $next($request); return $next($request);
} else { } else {
$error = [
'message' => 'Access denied',
'errors' => new stdClass,
];
return response()->json($error, 412); return response()->json($error, 412);
} }
Cache::add(auth()->user()->email.'_logged_in', Str::random(64), now()->addMinutes(30));
return $next($request);
} }
} }
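Review bot: In the OAuth branch the Hash::check arguments are reversed — `Hash::check(auth()->user()->password, $request->header('X-API-PASSWORD'))` passes the stored hash as the plaintext and the header value as the hash, so a user who has both OAuth and a password set can effectively never pass this check, while the password-only branch further down has the order right with `Hash::check($request->header('X-API-PASSWORD'), auth()->user()->password)`. The elseif beneath it calls `auth()->uer()`, a typo that throws before the OAuth-only path is ever evaluated, and in both conditions `$existing_user = MultiDB::hasUser($query) && …` assigns the result of the whole conjunction rather than the user, so `$existing_user` ends up a bool. I would write the two conditions as `if (MultiDB::hasUser($query) && auth()->user()->has_password && Hash::check($request->header('X-API-PASSWORD'), auth()->user()->password)) {` and `} elseif (MultiDB::hasUser($query) && ! auth()->user()->has_password) {`. Separately, the first hunk's `nlog($request->header('X-API-OAUTH-PASSWORD'))` writes the OAuth credential into the application log and should be dropped before merge. The start of the OAuth branch, where `$google` and `$user` are obtained, lies in the gap between the two hunks, so I could not confirm that the user matched by `hasUser($query)` is compared against the authenticated user.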


@ -74,6 +74,10 @@ class UserRepository extends BaseRepository
} }
$user->account_id = $account->id; $user->account_id = $account->id;
if(strlen($user->password) >=1)
$user->has_password = true;
$user->save(); $user->save();
if (isset($data['company_user'])) { if (isset($data['company_user'])) {
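Review bot: The new `has_password` assignment only ever sets the flag to true — nothing clears it, so if a password can later be removed the user keeps `has_password = true` on every subsequent save. Because PasswordProtection in this same commit branches on that flag, a stale true only forces the stricter password-plus-OAuth check rather than weakening it, but the persisted state is still wrong; `$user->has_password = strlen((string) $user->password) >= 1;` keeps the flag in step with the password on every save. The cast also avoids passing null to strlen, which is deprecated from PHP 8.1. The brace-less single-statement `if` also departs from the brace style used on the surrounding lines.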