extern/2FAuth
1
0
Fork 0
mirror of https://github.com/Bubka/2FAuth.git synced 2025-01-11 16:58:58 +01:00
Code Issues Packages Projects Releases Wiki Activity

Refactor user deletion logic in a User observer

Browse Source
This commit is contained in:
Bubka 2024-01-29 08:46:09 +01:00
parent fab67097bc
commit 37e4711071
4 changed files with 121 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
app/Http/Controllers/Auth/UserController.php
View File

@ -24,6 +24,8 @@ public function update(UserUpdateRequest $request)
$user = $request->user(); $user = $request->user();
$validated = $request->validated(); $validated = $request->validated();
$this->authorize('update', $user);
if (config('auth.defaults.guard') === 'reverse-proxy-guard' || $user->oauth_provider) { if (config('auth.defaults.guard') === 'reverse-proxy-guard' || $user->oauth_provider) {
Log::notice('Account update rejected: reverse-proxy-guard enabled or account from external sso provider'); Log::notice('Account update rejected: reverse-proxy-guard enabled or account from external sso provider');
@ -57,37 +59,16 @@ public function delete(UserDeleteRequest $request)
$validated = $request->validated(); $validated = $request->validated();
$user = Auth::user(); $user = Auth::user();
Log::info(sprintf('Deletion of user ID #%s requested', $user->id));
if ($user->isAdministrator() && User::admins()->count() == 1) {
return response()->json(['message' => __('errors.cannot_delete_the_only_admin')], 400);
}
if (! Hash::check($validated['password'], Auth::user()->password)) { if (! Hash::check($validated['password'], Auth::user()->password)) {
return response()->json(['message' => __('errors.wrong_current_password')], 400); return response()->json(['message' => __('errors.wrong_current_password')], 400);
} }
try { // This will delete the user and all its 2FAs & Groups thanks to the onCascadeDelete constrains.
DB::transaction(function () use ($user) { // Deletion will not be done (and returns False) if the user is the only existing admin (see UserObserver clas)
DB::table('twofaccounts')->where('user_id', $user->id)->delete(); return $user->delete() === false
DB::table('groups')->where('user_id', $user->id)->delete(); ? response()->json([
DB::table('webauthn_credentials')->where('authenticatable_id', $user->id)->delete(); 'message' => __('errors.cannot_delete_the_only_admin'),
DB::table(config('auth.passwords.webauthn.table'))->where('email', $user->email)->delete(); ], 400)
DB::table('oauth_access_tokens')->where('user_id', $user->id)->delete(); : response()->json(null, 204);
DB::table(config('auth.passwords.users.table'))->where('email', $user->email)->delete();
DB::table('users')->where('id', $user->id)->delete();
});
}
// @codeCoverageIgnoreStart
catch (\Throwable $e) {
Log::error(sprintf('Deletion of user ID #%s failed, transaction has been rolled-back', $user->id));
return response()->json(['message' => __('errors.user_deletion_failed')], 400);
}
// @codeCoverageIgnoreEnd
Log::info(sprintf('User ID #%s deleted', $user->id));
return response()->json(null, 204);
} }
} }

97
app/Observers/UserObserver.php Normal file
View File

@ -0,0 +1,97 @@
<?php
namespace App\Observers;
use App\Models\User;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Log;
use Illuminate\Support\Facades\Password;
use Illuminate\Support\Facades\Storage;
class UserObserver
{
/**
* Handle the User "created" event.
*/
public function created(User $user): void
{
//
}
/**
* Handle the User "updated" event.
*/
public function updated(User $user): void
{
//
}
/**
* Handle the User "deleting" event.
*/
public function deleting(User $user): bool
{
Log::info(sprintf('Deletion of User ID #%s requested by User ID #%s', $user->id, Auth::user()->id ?? 'unknown'));
// Prevent deletion of the only administrator
$isLastAdmin = $user->isAdministrator() && User::admins()->count() == 1;
if ($isLastAdmin) {
Log::notice(sprintf('Deletion of user ID #%s refused, cannot delete the only administrator', $user->id));
return false;
}
// Deleting user's twofaccounts icon
$iconPathes = $user->twofaccounts->filter(function ($twofaccount, $key) {
return $twofaccount->icon;
})->map(function ($twofaccount, $key) {
return $twofaccount->icon;
});
Storage::disk('icons')->delete($iconPathes->toArray());
return true;
}
/**
* Handle the User "deleted" event.
*/
public function deleted(User $user): void
{
// DB has cascade delete enabled to flush 2FA and Groups but,
// for an unknown reason, SQLite refuses to delete these related.
// (despite DB_FOREIGN_KEYS=true which is supposed to enable it)
// So it ends with a direct db delete for SQLite...
if (DB::getDriverName() === 'sqlite') {
DB::table('twofaccounts')->where('user_id', $user->id)->delete();
DB::table('groups')->where('user_id', $user->id)->delete();
}
// We flush webauthn credentials & tokens
Password::broker('webauthn')->deleteToken($user);
$user->flushCredentials();
// And Passport tokens
Password::broker()->deleteToken($user);
DB::table('oauth_access_tokens')->where('user_id', $user->id)->delete();
Log::info(sprintf('User ID #%s and all user traces deleted', $user->id));
}
/**
* Handle the User "restored" event.
*/
public function restored(User $user): void
{
//
}
/**
* Handle the User "force deleted" event.
*/
public function forceDeleted(User $user): void
{
//
}
}

11
app/Providers/EventServiceProvider.php
View File

@ -11,6 +11,8 @@
use App\Listeners\RegisterOpenId; use App\Listeners\RegisterOpenId;
use App\Listeners\ReleaseRadar; use App\Listeners\ReleaseRadar;
use App\Listeners\ResetUsersPreference; use App\Listeners\ResetUsersPreference;
use App\Models\User;
use App\Observers\UserObserver;
use Illuminate\Auth\Events\Registered; use Illuminate\Auth\Events\Registered;
use Illuminate\Auth\Listeners\SendEmailVerificationNotification; use Illuminate\Auth\Listeners\SendEmailVerificationNotification;
use Illuminate\Foundation\Support\Providers\EventServiceProvider as ServiceProvider; use Illuminate\Foundation\Support\Providers\EventServiceProvider as ServiceProvider;
@ -43,6 +45,15 @@ class EventServiceProvider extends ServiceProvider
RegisterOpenId::class, RegisterOpenId::class,
], ],
]; ];
/**
* The model observers for your application.
*
* @var array<string, string|object|array<int, string|object>>
*/
protected $observers = [
User::class => [UserObserver::class],
];
/** /**
* Register any events for your application. * Register any events for your application.

4
tests/Feature/Http/Auth/UserControllerTest.php
View File

@ -8,6 +8,8 @@
use App\Models\Group; use App\Models\Group;
use App\Models\TwoFAccount; use App\Models\TwoFAccount;
use App\Models\User; use App\Models\User;
use App\Observers\UserObserver;
use App\Policies\UserPolicy;
use Illuminate\Support\Facades\Config; use Illuminate\Support\Facades\Config;
use PHPUnit\Framework\Attributes\CoversClass; use PHPUnit\Framework\Attributes\CoversClass;
use Tests\FeatureTestCase; use Tests\FeatureTestCase;
@ -16,6 +18,8 @@
* UserControllerTest test class * UserControllerTest test class
*/ */
#[CoversClass(UserController::class)] #[CoversClass(UserController::class)]
#[CoversClass(UserObserver::class)]
#[CoversClass(UserPolicy::class)]
#[CoversClass(RejectIfDemoMode::class)] #[CoversClass(RejectIfDemoMode::class)]
#[CoversClass(UserUpdateRequest::class)] #[CoversClass(UserUpdateRequest::class)]
class UserControllerTest extends FeatureTestCase class UserControllerTest extends FeatureTestCase