extern/2FAuth
1
0
Fork 0
mirror of https://github.com/Bubka/2FAuth.git synced 2025-06-24 22:12:06 +02:00
Code Issues Packages Projects Releases Wiki Activity

Fix #73 - CSRF token mismatch

Browse Source
This commit is contained in:
Bubka 2022-05-14 13:45:12 +02:00
parent 986e216896
commit 070c6a2486
4 changed files with 15 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
app/Http/Middleware/KickOutInactiveUser.php
View File

@ -46,7 +46,7 @@ class KickOutInactiveUser
Auth::logout(); Auth::logout();
} }
return response()->json(['message' => 'unauthorised'], Response::HTTP_UNAUTHORIZED); return response()->json(['message' => 'inactivity detected'], Response::HTTP_I_AM_A_TEAPOT);
} }
return $next($request); return $next($request);

10
resources/js/api.js vendored
View File

@ -39,6 +39,16 @@ Vue.axios.interceptors.response.use(response => response, error => {
if ( error.response.status === 401 ) { if ( error.response.status === 401 ) {
routeName = 'login' routeName = 'login'
} }
// api calls are stateless so when user inactivity is detected
// by the backend middleware it cannot logout the user directly
// so it returns a 418 response.
// We catch the 418 response and push the user to the login view
// with the instruction to request a session logout
if ( error.response.status === 418 ) {
router.push({ name: 'login', params: { forceLogout: true } })
throw new Vue.axios.Cancel();
}
if ( error.response.status === 404 ) routeName = '404' if ( error.response.status === 404 ) routeName = '404'

2
resources/js/views/auth/Login.vue
View File

@ -130,6 +130,8 @@
beforeRouteEnter (to, from, next) { beforeRouteEnter (to, from, next) {
next(async vm => { next(async vm => {
if( to.params.forceLogout ) await vm.axios.get('/user/logout')
const { data } = await vm.axios.get('api/v1/user/name') const { data } = await vm.axios.get('api/v1/user/name')
if( data.name ) { if( data.name ) {

4
tests/Feature/Http/Auth/LoginTest.php
View File

@ -159,7 +159,7 @@ class LoginTest extends FeatureTestCase
/** /**
* @test * @test
*/ */
public function test_user_logout_after_inactivity_returns_unauthorized() public function test_user_logout_after_inactivity_returns_teapot()
{ {
// Set the autolock period to 1 minute // Set the autolock period to 1 minute
$settingService = resolve('App\Services\SettingService'); $settingService = resolve('App\Services\SettingService');
@ -178,7 +178,7 @@ class LoginTest extends FeatureTestCase
$response = $this->actingAs($this->user, 'api-guard') $response = $this->actingAs($this->user, 'api-guard')
->json('GET', '/api/v1/twofaccounts') ->json('GET', '/api/v1/twofaccounts')
->assertUnauthorized(); ->assertStatus(418);
} }
} }