Handle base64 encoded passwords

2025-11-03 23:27:31 -05:00 · 2021-07-19 10:57:13 +10:00 · 2021-07-19 10:57:13 +10:00 · bcc286e537
commit bcc286e537
parent 856e3b846b
2 changed files with 10 additions and 3 deletions
--- a/app/Http/Controllers/Auth/LoginController.php
+++ b/app/Http/Controllers/Auth/LoginController.php
@ -16,6 +16,7 @@ use App\DataMapper\Analytics\LoginSuccess;
 use App\Events\User\UserLoggedIn;
 use App\Http\Controllers\BaseController;
 use App\Http\Controllers\Controller;
+use App\Http\Requests\Login\LoginRequest;
 use App\Jobs\Account\CreateAccount;
 use App\Jobs\Company\CreateCompanyToken;
 use App\Jobs\Util\SystemLogger;
@ -156,7 +157,7 @@ class LoginController extends BaseController
     *       ),
     *     )
     */
-    public function apiLogin(Request $request)
+    public function apiLogin(LoginRequest $request)
    {
        $this->forced_includes = ['company_users'];

--- a/app/Http/Middleware/PasswordProtection.php
+++ b/app/Http/Middleware/PasswordProtection.php
@ -44,6 +44,12 @@ class PasswordProtection
        else
            $timeout = $timeout/1000;

+        //test if password if base64 encoded
+        $x_api_password = $request->header('X-API-PASSWORD');
+
+        if(base64_decode(base64_encode($x_api_password)) === $x_api_password)
+            $x_api_password = base64_decode($x_api_password);
+
        if (Cache::get(auth()->user()->hashed_id.'_'.auth()->user()->account_id.'_logged_in')) {

            Cache::put(auth()->user()->hashed_id.'_'.auth()->user()->account_id.'_logged_in', Str::random(64), $timeout);
@ -66,7 +72,7 @@ class PasswordProtection
                ];

                //If OAuth and user also has a password set  - check both
-                if ($existing_user = MultiDB::hasUser($query) && auth()->user()->company()->oauth_password_required && auth()->user()->has_password && Hash::check(auth()->user()->password, $request->header('X-API-PASSWORD'))) {
+                if ($existing_user = MultiDB::hasUser($query) && auth()->user()->company()->oauth_password_required && auth()->user()->has_password && Hash::check(auth()->user()->password, $x_api_password)) {

                    nlog("existing user with password");

@ -86,7 +92,7 @@ class PasswordProtection
            return response()->json($error, 412);


-        }elseif ($request->header('X-API-PASSWORD') && Hash::check($request->header('X-API-PASSWORD'), auth()->user()->password))  {
+        }elseif ($x_api_password && Hash::check($x_api_password, auth()->user()->password))  {

            Cache::put(auth()->user()->hashed_id.'_'.auth()->user()->account_id.'_logged_in', Str::random(64), $timeout);