From 700fd6bf99635e35d35d6a2aaaaa84be3f97fef8 Mon Sep 17 00:00:00 2001
From: David Bomba
Date: Tue, 31 Aug 2021 14:09:12 +1000
Subject: [PATCH] Fixes for password protection route - always check if a password is presented!
---
 app/Http/Controllers/CompanyController.php | 3 ++-
 app/Http/Middleware/PasswordProtection.php | 3 ++-
 routes/api.php | 2 ++
 3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/app/Http/Controllers/CompanyController.php b/app/Http/Controllers/CompanyController.php
index af8bb9522ece..25800eae7ecd 100644
--- a/app/Http/Controllers/CompanyController.php
+++ b/app/Http/Controllers/CompanyController.php
@@ -69,11 +69,12 @@ class CompanyController extends BaseController
 */
 public function __construct(CompanyRepository $company_repo)
 {
+ parent::__construct();
 $this->company_repo = $company_repo;
- // $this->middleware('password_protected')->only(['destroy']);
+ $this->middleware('password_protected')->only(['destroy']);
 }
diff --git a/app/Http/Middleware/PasswordProtection.php b/app/Http/Middleware/PasswordProtection.php
index 54163fac473c..fdcbfd3dfdf1 100644
--- a/app/Http/Middleware/PasswordProtection.php
+++ b/app/Http/Middleware/PasswordProtection.php
@@ -52,7 +52,8 @@ class PasswordProtection
 $x_api_password = base64_decode($request->header('X-API-PASSWORD-BASE64'));
 }
- if (Cache::get(auth()->user()->hashed_id.'_'.auth()->user()->account_id.'_logged_in')) {
+ // If no password supplied - then we just check if their authentication is in cache //
+ if (Cache::get(auth()->user()->hashed_id.'_'.auth()->user()->account_id.'_logged_in') && !$x_api_password) {
 Cache::put(auth()->user()->hashed_id.'_'.auth()->user()->account_id.'_logged_in', Str::random(64), $timeout);
diff --git a/routes/api.php b/routes/api.php
index 38ac51ac3863..0eceb6ef2aba 100644
--- a/routes/api.php
+++ b/routes/api.php
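Review bot: The `only(['destroy'])` registration this hunk re-enables is the single place that decides which company actions require password re-confirmation, and the removed line shows it had already been commented out once; a why-comment on it would make that harder to repeat, e.g. `// Deleting a company requires the caller to re-confirm their password (PasswordProtection middleware).` The middleware is referenced through the alias `password_protected`, whose kernel registration is not part of this patch, so whether the alias resolves is not checked here. The constructor is complete within the hunk; the surrounding class starts before it and continues past it.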
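Review bot: `!$x_api_password` in the new condition is a truthiness test, so a supplied password whose decoded value is `'0'` (or a `false` from a failed decode, depending on how the variable is initialised outside the hunk) is treated as "no password supplied" and, when a cached login exists, appears to take the cached path without being verified — the very case this commit sets out to close. Prefer an explicit emptiness test such as `&& ($x_api_password === null || $x_api_password === '')`, adjusted to whatever the other assignment branch stores, and treat a failed `base64_decode` as a supplied-but-invalid password rather than as absent. The same cache-key expression is now spelled out three times across the get and put lines; assigning it to a local once would keep the two from drifting apart. The enclosing handle method begins and ends outside the hunk, so the verification path taken when a password is present is not visible here.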
@@ -47,7 +47,9 @@ Route::group(['middleware' => ['api_db', 'token_auth', 'locale'], 'prefix' => 'a
 Route::post('companies/purge/{company}', 'MigrationController@purgeCompany')->middleware('password_protected');
 Route::post('companies/purge_save_settings/{company}', 'MigrationController@purgeCompanySaveSettings')->middleware('password_protected');
+ Route::resource('companies', 'CompanyController'); // name = (companies. index / create / show / update / destroy / edit
+ Route::put('companies/{company}/upload', 'CompanyController@upload');
 Route::get('company_ledger', 'CompanyLedgerController@index')->name('company_ledger.index');
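Review bot: The trailing comment on the new `Route::resource` line omits `store` from the actions it lists and has an unbalanced opening parenthesis, so it under-describes the surface the resource opens. `Route::resource` registers index, create, store, show, edit, update and destroy; since CompanyController's constructor in this same patch password-protects only `destroy`, an accurate list next to the registration is worth having, e.g. `// companies.{index,create,store,show,edit,update,destroy}; destroy is password_protected (see CompanyController::__construct)`. The `Route::group` closure begins before the hunk and continues past it.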