From bc6faa282de50cbc6b178a9a385f3d727c1aa045 Mon Sep 17 00:00:00 2001
From: David Bomba
Date: Sat, 23 Dec 2023 16:14:26 +1100
Subject: [PATCH] Signup RSA hash checks
---
 app/Http/Controllers/AccountController.php | 25 +++++++++++++++-------
 1 file changed, 17 insertions(+), 8 deletions(-)
diff --git a/app/Http/Controllers/AccountController.php b/app/Http/Controllers/AccountController.php
index ce9e4918713f..0c1cea241993 100644
--- a/app/Http/Controllers/AccountController.php
+++ b/app/Http/Controllers/AccountController.php
@@ -11,17 +11,18 @@
 namespace App\Http\Controllers;
-use App\Http\Requests\Account\CreateAccountRequest;
-use App\Http\Requests\Account\UpdateAccountRequest;
-use App\Jobs\Account\CreateAccount;
-use App\Libraries\MultiDB;
 use App\Models\Account;
+use App\Libraries\MultiDB;
+use App\Utils\TruthSource;
 use App\Models\CompanyUser;
+use Illuminate\Http\Response;
+use App\Helpers\Encrypt\Secure;
+use App\Jobs\Account\CreateAccount;
 use App\Transformers\AccountTransformer;
 use App\Transformers\CompanyUserTransformer;
-use App\Utils\TruthSource;
 use Illuminate\Foundation\Bus\DispatchesJobs;
-use Illuminate\Http\Response;
+use App\Http\Requests\Account\CreateAccountRequest;
+use App\Http\Requests\Account\UpdateAccountRequest;
 class AccountController extends BaseController
 {
@@ -66,7 +67,7 @@ class AccountController extends BaseController
 public function store(CreateAccountRequest $request)
 {
- if(config('ninja.cloudflare.turnstile.secret')) {
+ if($request->has('cf-turnstile-response') && config('ninja.cloudflare.turnstile.secret')) {
 $r = \Illuminate\Support\Facades\Http::post('https://challenges.cloudflare.com/turnstile/v0/siteverify', [
 'secret' => config('ninja.cloudflare.turnstile.secret'),
 'response' => $request->input('cf-turnstile-response'),
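Review bot: The new guard on the `if` at the top of `store()` makes the Turnstile verification skippable by any client that simply omits `cf-turnstile-response`: with the secret configured, a request without that field now bypasses the siteverify call altogether, whereas before this change the missing token was forwarded to Cloudflare and rejected with a 400. The `//@todo` on the hash block later in the file suggests this is a transitional exemption for platforms that cannot send the token yet, but the exemption is decided by client-controlled input and leaves no trace when it is taken. Until the check can be made fail-closed again, tie the exemption to a server-side signal rather than field presence, and at minimum make the skip observable, e.g. an `else` branch on this `if` with `\Illuminate\Support\Facades\Log::warning('signup proceeded without turnstile verification', ['ip' => $request->getClientIp()]);`, matching the fully-qualified facade style already used for `Http::post`. The body of this `if` and of `store()` continues past the end of the hunk.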
@@ -76,7 +77,7 @@ class AccountController extends BaseController
 if($r->successful()){
 if($r->json()['success'] === true) {
- // return response()->json(['message' => 'Captcha Success'], 200);
+ // Captcha passed
 } else {
 return response()->json(['message' => 'Captcha Failed'], 400);
 }
@@ -84,6 +85,14 @@ class AccountController extends BaseController
 }
+ if($request->has('hash') && config('ninja.cloudflare.turnstile.secret')) { //@todo once all platforms are implemented, we disable access to the rest of this route without a success response.
+
+ if(Secure::decrypt($request->input('hash')) !== $request->input('email')) {
+ return response()->json(['message' => 'Invalid Signup Payload'], 400);
+ }
+
+ }
+
 $account = (new CreateAccount($request->all(), $request->getClientIp()))->handle();
 if (! ($account instanceof Account)) {
 return $account;
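Review bot: The success branch of `if($r->json()['success'] === true)` is now empty apart from the replaced comment, which reads as a dead branch; inverting the test removes it: `if ($r->json('success') !== true) {` followed by the existing `return response()->json(['message' => 'Captcha Failed'], 400);`. Passing the key to `json()` also avoids the "Undefined array key" warning that `$r->json()['success']` emits when siteverify answers with a body lacking `success` — both forms still fail closed, but the keyed lookup is quieter and states the intent. The enclosing `if($r->successful())` block closes outside the hunk.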
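Review bot: The new hash check in `store()` fails open in two ways the commit does not address. First, it only runs when the client sends `hash`, so omitting the field skips it entirely — the `//@todo` on the same line acknowledges this, but until then the check is opt-in from the client's side. Second, `Secure::decrypt($request->input('hash')) !== $request->input('email')` compares two values that may both be `null`: `input('email')` is `null` when the field is absent, and if `Secure::decrypt` (not visible here) yields `null` or another non-string for undecryptable input, the mismatch test passes without a valid token; conversely, if it throws on malformed input, the request ends as a 500 rather than the intended 400, so its specific exception type, if any, should be caught and mapped to the same response. Gating this feature on `ninja.cloudflare.turnstile.secret`, a setting for a different feature, also deserves a one-line comment explaining the coupling. The rewrite below makes the comparison fail closed by requiring non-empty string operands; `store()` continues past the hunk.
```php
if ($request->has('hash') && config('ninja.cloudflare.turnstile.secret')) { //@todo once all platforms are implemented, we disable access to the rest of this route without a success response.
    $email = $request->input('email');
    $decrypted = Secure::decrypt($request->input('hash'));

    // Fail closed: both operands must be non-empty strings before they are compared,
    // otherwise a null/false decrypt result would "match" a missing email.
    if (! is_string($email) || $email === '' || ! is_string($decrypted) || ! hash_equals($decrypted, $email)) {
        return response()->json(['message' => 'Invalid Signup Payload'], 400);
    }
}

// … unchanged: CreateAccount dispatch and Account instance check …
```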