Handle base64 encoded passwords

app/Http/Controllers/Auth/LoginController.php

@@ -16,6 +16,7 @@ use App\DataMapper\Analytics\LoginSuccess;
 use App\Events\User\UserLoggedIn;
 use App\Http\Controllers\BaseController;
 use App\Http\Controllers\Controller;
+use App\Http\Requests\Login\LoginRequest;
 use App\Jobs\Account\CreateAccount;
 use App\Jobs\Company\CreateCompanyToken;
 use App\Jobs\Util\SystemLogger;
@@ -156,7 +157,7 @@ class LoginController extends BaseController
      *       ),
      *     )
      */
-    public function apiLogin(Request $request)
+    public function apiLogin(LoginRequest $request)
     {
         $this->forced_includes = ['company_users'];
 

app/Http/Middleware/PasswordProtection.php

@@ -44,6 +44,12 @@ class PasswordProtection
         else
             $timeout = $timeout/1000;
 
+        //test if password if base64 encoded
+        $x_api_password = $request->header('X-API-PASSWORD');
+
+        if(base64_decode(base64_encode($x_api_password)) === $x_api_password)
+            $x_api_password = base64_decode($x_api_password);
+
         if (Cache::get(auth()->user()->hashed_id.'_'.auth()->user()->account_id.'_logged_in')) {
 
             Cache::put(auth()->user()->hashed_id.'_'.auth()->user()->account_id.'_logged_in', Str::random(64), $timeout);
@@ -66,7 +72,7 @@ class PasswordProtection
                 ];
 
                 //If OAuth and user also has a password set  - check both
-                if ($existing_user = MultiDB::hasUser($query) && auth()->user()->company()->oauth_password_required && auth()->user()->has_password && Hash::check(auth()->user()->password, $request->header('X-API-PASSWORD'))) {
+                if ($existing_user = MultiDB::hasUser($query) && auth()->user()->company()->oauth_password_required && auth()->user()->has_password && Hash::check(auth()->user()->password, $x_api_password)) {
 
                     nlog("existing user with password");
 
@@ -86,7 +92,7 @@ class PasswordProtection
             return response()->json($error, 412);
 
 
-        }elseif ($request->header('X-API-PASSWORD') && Hash::check($request->header('X-API-PASSWORD'), auth()->user()->password))  {
+        }elseif ($x_api_password && Hash::check($x_api_password, auth()->user()->password))  {
 
             Cache::put(auth()->user()->hashed_id.'_'.auth()->user()->account_id.'_logged_in', Str::random(64), $timeout);