Refactor routes rejection using middlewares
This commit is contained in:
parent
30331998d2
commit
5eee3de134
@ -59,10 +59,5 @@ public function register()
|
||||
return response()->json([
|
||||
'message' => $exception->getMessage()], 400);
|
||||
});
|
||||
|
||||
$this->renderable(function (UnsupportedWithReverseProxyException $exception, $request) {
|
||||
return response()->json([
|
||||
'message' => __('errors.unsupported_with_reverseproxy')], 400);
|
||||
});
|
||||
}
|
||||
}
|
@ -1,14 +0,0 @@
|
||||
<?php
|
||||
|
||||
namespace App\Exceptions;
|
||||
|
||||
use Exception;
|
||||
|
||||
/**
|
||||
* Class UnsupportedWithReverseProxyException.
|
||||
*
|
||||
* @codeCoverageIgnore
|
||||
*/
|
||||
class UnsupportedWithReverseProxyException extends Exception
|
||||
{
|
||||
}
|
@ -5,7 +5,6 @@
|
||||
use Illuminate\Http\Request;
|
||||
use App\Http\Controllers\Controller;
|
||||
use Illuminate\Foundation\Auth\SendsPasswordResetEmails;
|
||||
use App\Exceptions\UnsupportedWithReverseProxyException;
|
||||
|
||||
class ForgotPasswordController extends Controller
|
||||
{
|
||||
@ -23,19 +22,6 @@ class ForgotPasswordController extends Controller
|
||||
use SendsPasswordResetEmails;
|
||||
|
||||
|
||||
/**
|
||||
* Create a new controller instance.
|
||||
*/
|
||||
public function __construct()
|
||||
{
|
||||
$authGuard = config('auth.defaults.guard');
|
||||
|
||||
if ($authGuard === 'reverse-proxy-guard') {
|
||||
throw new UnsupportedWithReverseProxyException();
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Validate the email for the given request.
|
||||
*
|
||||
|
@ -10,7 +10,6 @@
|
||||
use App\Http\Requests\LoginRequest;
|
||||
use Illuminate\Foundation\Auth\AuthenticatesUsers;
|
||||
use Carbon\Carbon;
|
||||
use App\Exceptions\UnsupportedWithReverseProxyException;
|
||||
|
||||
|
||||
class LoginController extends Controller
|
||||
@ -29,19 +28,6 @@ class LoginController extends Controller
|
||||
use AuthenticatesUsers;
|
||||
|
||||
|
||||
/**
|
||||
* Create a new controller instance.
|
||||
*/
|
||||
public function __construct()
|
||||
{
|
||||
$authGuard = config('auth.defaults.guard');
|
||||
|
||||
if ($authGuard === 'reverse-proxy-guard') {
|
||||
throw new UnsupportedWithReverseProxyException();
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Handle a login request to the application.
|
||||
*
|
||||
|
@ -6,25 +6,9 @@
|
||||
use App\Http\Controllers\Controller;
|
||||
use Illuminate\Support\Facades\Auth;
|
||||
use Illuminate\Support\Facades\Hash;
|
||||
use App\Exceptions\UnsupportedWithReverseProxyException;
|
||||
|
||||
class PasswordController extends Controller
|
||||
{
|
||||
|
||||
|
||||
/**
|
||||
* Create a new controller instance.
|
||||
*/
|
||||
public function __construct()
|
||||
{
|
||||
$authGuard = config('auth.defaults.guard');
|
||||
|
||||
if ($authGuard === 'reverse-proxy-guard') {
|
||||
throw new UnsupportedWithReverseProxyException();
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Update the user's password.
|
||||
*
|
||||
|
@ -1,29 +0,0 @@
|
||||
<?php
|
||||
|
||||
namespace App\Http\Controllers\Auth;
|
||||
|
||||
use Illuminate\Http\Request;
|
||||
use Laravel\Passport\Http\Controllers\PersonalAccessTokenController as PassportPersonalAccessTokenController;
|
||||
|
||||
class PersonalAccessTokenController extends PassportPersonalAccessTokenController
|
||||
{
|
||||
/**
|
||||
* Get all of the personal access tokens for the authenticated user.
|
||||
*
|
||||
* @param \Illuminate\Http\Request $request
|
||||
* @return \Illuminate\Database\Eloquent\Collection
|
||||
*/
|
||||
public function forUser(Request $request)
|
||||
{
|
||||
// WebAuthn is useless when authentication is handle by
|
||||
// a reverse proxy so we return a 202 response to tell the
|
||||
// client nothing more will happen
|
||||
if (config('auth.defaults.guard') === 'reverse-proxy-guard') {
|
||||
return response()->json([
|
||||
'message' => 'no personal access token with reverse proxy'], 202);
|
||||
}
|
||||
|
||||
parent::forUser($request);
|
||||
}
|
||||
|
||||
}
|
@ -8,7 +8,6 @@
|
||||
use Illuminate\Support\Facades\Hash;
|
||||
use Illuminate\Auth\Events\Registered;
|
||||
use Illuminate\Foundation\Auth\RegistersUsers;
|
||||
use App\Exceptions\UnsupportedWithReverseProxyException;
|
||||
|
||||
class RegisterController extends Controller
|
||||
{
|
||||
@ -26,19 +25,6 @@ class RegisterController extends Controller
|
||||
use RegistersUsers;
|
||||
|
||||
|
||||
/**
|
||||
* Create a new controller instance.
|
||||
*/
|
||||
public function __construct()
|
||||
{
|
||||
$authGuard = config('auth.defaults.guard');
|
||||
|
||||
if ($authGuard === 'reverse-proxy-guard') {
|
||||
throw new UnsupportedWithReverseProxyException();
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Handle a registration request for the application.
|
||||
*
|
||||
|
@ -4,7 +4,6 @@
|
||||
|
||||
use App\Http\Controllers\Controller;
|
||||
use Illuminate\Foundation\Auth\ResetsPasswords;
|
||||
use App\Exceptions\UnsupportedWithReverseProxyException;
|
||||
|
||||
class ResetPasswordController extends Controller
|
||||
{
|
||||
@ -21,17 +20,4 @@ class ResetPasswordController extends Controller
|
||||
|
||||
use ResetsPasswords;
|
||||
|
||||
|
||||
/**
|
||||
* Create a new controller instance.
|
||||
*/
|
||||
public function __construct()
|
||||
{
|
||||
$authGuard = config('auth.defaults.guard');
|
||||
|
||||
if ($authGuard === 'reverse-proxy-guard') {
|
||||
throw new UnsupportedWithReverseProxyException();
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
@ -12,7 +12,6 @@
|
||||
use Illuminate\Support\Facades\Hash;
|
||||
use Illuminate\Support\Facades\DB;
|
||||
use Illuminate\Support\Facades\Artisan;
|
||||
use App\Exceptions\UnsupportedWithReverseProxyException;
|
||||
use Exception;
|
||||
|
||||
class UserController extends Controller
|
||||
@ -32,11 +31,6 @@ class UserController extends Controller
|
||||
public function __construct(TwoFAccountService $twofaccountService)
|
||||
{
|
||||
$this->twofaccountService = $twofaccountService;
|
||||
$authGuard = config('auth.defaults.guard');
|
||||
|
||||
if ($authGuard === 'reverse-proxy-guard') {
|
||||
throw new UnsupportedWithReverseProxyException();
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
@ -5,7 +5,6 @@
|
||||
use App\Http\Controllers\Controller;
|
||||
use App\Providers\RouteServiceProvider;
|
||||
use DarkGhostHunter\Larapass\Http\ConfirmsWebAuthn;
|
||||
use App\Exceptions\UnsupportedWithReverseProxyException;
|
||||
|
||||
class WebAuthnConfirmController extends Controller
|
||||
{
|
||||
@ -28,18 +27,4 @@ class WebAuthnConfirmController extends Controller
|
||||
* @var string
|
||||
*/
|
||||
protected $redirectTo = RouteServiceProvider::HOME;
|
||||
|
||||
/**
|
||||
* Create a new controller instance.
|
||||
*
|
||||
* @return void
|
||||
*/
|
||||
public function __construct()
|
||||
{
|
||||
$authGuard = config('auth.defaults.guard');
|
||||
|
||||
if ($authGuard === 'reverse-proxy-guard') {
|
||||
throw new UnsupportedWithReverseProxyException();
|
||||
}
|
||||
}
|
||||
}
|
@ -6,7 +6,6 @@
|
||||
use DarkGhostHunter\Larapass\Http\SendsWebAuthnRecoveryEmail;
|
||||
use Illuminate\Http\Request;
|
||||
use Illuminate\Validation\ValidationException;
|
||||
use App\Exceptions\UnsupportedWithReverseProxyException;
|
||||
|
||||
class WebAuthnDeviceLostController extends Controller
|
||||
{
|
||||
@ -23,19 +22,6 @@ class WebAuthnDeviceLostController extends Controller
|
||||
|
|
||||
*/
|
||||
|
||||
/**
|
||||
* Create a new controller instance.
|
||||
*/
|
||||
public function __construct()
|
||||
{
|
||||
$authGuard = config('auth.defaults.guard');
|
||||
|
||||
if ($authGuard === 'reverse-proxy-guard') {
|
||||
throw new UnsupportedWithReverseProxyException();
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* The recovery credentials to retrieve through validation rules.
|
||||
*
|
||||
|
@ -6,7 +6,6 @@
|
||||
use Illuminate\Http\Request;
|
||||
use App\Http\Controllers\Controller;
|
||||
use DarkGhostHunter\Larapass\Http\AuthenticatesWebAuthn;
|
||||
use App\Exceptions\UnsupportedWithReverseProxyException;
|
||||
|
||||
class WebAuthnLoginController extends Controller
|
||||
{
|
||||
@ -27,18 +26,6 @@ class WebAuthnLoginController extends Controller
|
||||
|
|
||||
*/
|
||||
|
||||
/**
|
||||
* Create a new controller instance.
|
||||
*/
|
||||
public function __construct()
|
||||
{
|
||||
$authGuard = config('auth.defaults.guard');
|
||||
|
||||
if ($authGuard === 'reverse-proxy-guard') {
|
||||
throw new UnsupportedWithReverseProxyException();
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
public function options(Request $request)
|
||||
{
|
||||
|
@ -6,12 +6,9 @@
|
||||
use Illuminate\Http\Request;
|
||||
use App\Http\Requests\WebauthnRenameRequest;
|
||||
use DarkGhostHunter\Larapass\Eloquent\WebAuthnCredential;
|
||||
use App\Exceptions\UnsupportedWithReverseProxyException;
|
||||
|
||||
class WebAuthnManageController extends Controller
|
||||
{
|
||||
// use RecoversWebAuthn;
|
||||
|
||||
/*
|
||||
|--------------------------------------------------------------------------
|
||||
| WebAuthn Manage Controller
|
||||
@ -33,14 +30,6 @@ public function __construct()
|
||||
*/
|
||||
public function index(Request $request)
|
||||
{
|
||||
// WebAuthn is useless when authentication is handle by
|
||||
// a reverse proxy so we return a 202 response to tell the
|
||||
// client nothing more will happen
|
||||
if (config('auth.defaults.guard') === 'reverse-proxy-guard') {
|
||||
return response()->json([
|
||||
'message' => 'no webauthn with reverse proxy'], 202);
|
||||
}
|
||||
|
||||
$user = $request->user();
|
||||
$allUserCredentials = $user->webAuthnCredentials()
|
||||
->enabled()
|
||||
@ -73,6 +62,9 @@ public function rename(WebauthnRenameRequest $request, string $credential)
|
||||
/**
|
||||
* Remove the specified credential from storage.
|
||||
*
|
||||
* @param \Illuminate\Http\Request $request
|
||||
* @param string|array $credential
|
||||
*
|
||||
* @return \Illuminate\Http\JsonResponse
|
||||
*/
|
||||
public function delete(Request $request, $credential)
|
||||
|
@ -9,7 +9,6 @@
|
||||
use Illuminate\Http\JsonResponse;
|
||||
use Illuminate\Http\Request;
|
||||
use Illuminate\Validation\ValidationException;
|
||||
use App\Exceptions\UnsupportedWithReverseProxyException;
|
||||
|
||||
class WebAuthnRecoveryController extends Controller
|
||||
{
|
||||
@ -34,18 +33,6 @@ class WebAuthnRecoveryController extends Controller
|
||||
protected $redirectTo = RouteServiceProvider::HOME;
|
||||
|
||||
|
||||
/**
|
||||
* Create a new controller instance.
|
||||
*/
|
||||
public function __construct()
|
||||
{
|
||||
$authGuard = config('auth.defaults.guard');
|
||||
|
||||
if ($authGuard === 'reverse-proxy-guard') {
|
||||
throw new UnsupportedWithReverseProxyException();
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the credential creation options to the user.
|
||||
*
|
||||
|
@ -4,7 +4,6 @@
|
||||
|
||||
use App\Http\Controllers\Controller;
|
||||
use DarkGhostHunter\Larapass\Http\RegistersWebAuthn;
|
||||
use App\Exceptions\UnsupportedWithReverseProxyException;
|
||||
|
||||
class WebAuthnRegisterController extends Controller
|
||||
{
|
||||
@ -20,16 +19,4 @@ class WebAuthnRegisterController extends Controller
|
||||
| persisted into the application, otherwise it will signal failure.
|
||||
|
|
||||
*/
|
||||
|
||||
/**
|
||||
* Create a new controller instance.
|
||||
*/
|
||||
public function __construct()
|
||||
{
|
||||
$authGuard = config('auth.defaults.guard');
|
||||
|
||||
if ($authGuard === 'reverse-proxy-guard') {
|
||||
throw new UnsupportedWithReverseProxyException();
|
||||
}
|
||||
}
|
||||
}
|
@ -71,7 +71,9 @@ class Kernel extends HttpKernel
|
||||
'auth' => \App\Http\Middleware\Authenticate::class,
|
||||
'guest' => \App\Http\Middleware\RejectIfAuthenticated::class,
|
||||
'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
|
||||
'disableInDemoMode' => \App\Http\Middleware\DisableInDemoMode::class,
|
||||
'rejectIfDemoMode' => \App\Http\Middleware\RejectIfDemoMode::class,
|
||||
'rejectIfReverseProxy' => \App\Http\Middleware\RejectIfReverseProxy::class,
|
||||
|
||||
];
|
||||
|
||||
/**
|
||||
|
@ -6,7 +6,7 @@
|
||||
use Illuminate\Http\Response;
|
||||
use Illuminate\Support\Facades\Log;
|
||||
|
||||
class DisableInDemoMode
|
||||
class RejectIfDemoMode
|
||||
{
|
||||
/**
|
||||
* Handle an incoming request.
|
||||
@ -19,7 +19,7 @@ public function handle($request, Closure $next)
|
||||
{
|
||||
|
||||
if( config('2fauth.config.isDemoApp') ) {
|
||||
Log::notice('Cannot request a password reset in Demo mode');
|
||||
Log::notice('Cannot request this action in Demo mode');
|
||||
|
||||
return response()->json(['message' => __('auth.forms.disabled_in_demo')], Response::HTTP_UNAUTHORIZED);
|
||||
}
|
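--- /dev/null
+++ b/app/Http/Middleware/RejectIfReverseProxy.php
@@ -0,0 +1,28 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+use Illuminate\Support\Facades\Log;
+
+class RejectIfReverseProxy
+{
+/**
+* Handle an incoming request.
+*
+* @param \Illuminate\Http\Request $request
+* @param \Closure $next
+* @return mixed
+*/
+public function handle($request, Closure $next)
+{
+if (config('auth.defaults.guard') === 'reverse-proxy-guard') {
+Log::notice('Cannot request this action in Demo mode');
+
+return response()->json([
+'message' => __('errors.unsupported_with_reverseproxy')], 400);
+}
+
+return $next($request);
+}
+}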
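Review bot: The notice logged on the rejection branch of `handle()` reads `Cannot request this action in Demo mode`, which is copied from RejectIfDemoMode and misattributes the event: anyone reviewing logs would look for demo-mode configuration when the actual cause is the reverse-proxy guard. Suggest `Log::notice('Cannot request this action with the reverse-proxy guard');` so log review and alerting can tell the two rejection paths apart. The JSON body already uses `errors.unsupported_with_reverseproxy`, so only the log line is inconsistent. A one-line class docblock stating that the middleware rejects actions that make no sense once authentication is delegated to a proxy (local credentials, WebAuthn, personal tokens) would also help the next maintainer deciding which routes to attach it to.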
@ -84,12 +84,8 @@
|
||||
|
||||
this.isFetching = true
|
||||
|
||||
await this.axios.get('/oauth/personal-access-tokens').then(response => {
|
||||
if (response.status === 202) {
|
||||
this.isRemoteUser = true
|
||||
return
|
||||
}
|
||||
|
||||
await this.axios.get('/oauth/personal-access-tokens')
|
||||
.then(response => {
|
||||
const tokens = []
|
||||
|
||||
response.data.forEach((data) => {
|
||||
@ -104,6 +100,16 @@
|
||||
|
||||
this.tokens = tokens
|
||||
})
|
||||
.catch(error => {
|
||||
if( error.response.status === 400 ) {
|
||||
|
||||
this.isRemoteUser = true
|
||||
}
|
||||
else {
|
||||
|
||||
this.$router.push({ name: 'genericError', params: { err: error.response } });
|
||||
}
|
||||
})
|
||||
|
||||
this.isFetching = false
|
||||
},
|
||||
|
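Review bot: Both new `.catch` handlers read `error.response.status` unconditionally, but an axios rejection caused by a network failure or timeout carries no `response`, so the handler itself throws and the trailing `this.isFetching = false` is skipped; the same pattern appears in the `/webauthn/credentials` hunk. Suggest `if (error.response && error.response.status === 400) {` (or `error.response?.status === 400`) before treating the error as the reverse-proxy case. The two calls are also configured differently: `/webauthn/credentials` passes `{returnError: true}` while `/oauth/personal-access-tokens` does not, so if that flag is what keeps a global interceptor from handling the 400 first, the tokens call may never reach its `.catch` and `isRemoteUser` would never be set. The enclosing methods start before and continue after these hunks.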
@ -101,11 +101,19 @@
|
||||
|
||||
this.isFetching = true
|
||||
|
||||
await this.axios.get('/webauthn/credentials').then(response => {
|
||||
if (response.status === 202) {
|
||||
await this.axios.get('/webauthn/credentials', {returnError: true})
|
||||
.then(response => {
|
||||
this.credentials = response.data
|
||||
})
|
||||
.catch(error => {
|
||||
if( error.response.status === 400 ) {
|
||||
|
||||
this.isRemoteUser = true
|
||||
}
|
||||
else this.credentials = response.data
|
||||
else {
|
||||
|
||||
this.$router.push({ name: 'genericError', params: { err: error.response } });
|
||||
}
|
||||
})
|
||||
|
||||
this.isFetching = false
|
||||
|
@ -16,7 +16,7 @@
|
||||
/**
|
||||
* Routes that only work for unauthenticated user (return an error otherwise)
|
||||
*/
|
||||
Route::group(['middleware' => ['guest', 'disableInDemoMode']], function () {
|
||||
Route::group(['middleware' => ['guest', 'rejectIfDemoMode']], function () {
|
||||
Route::post('user', 'Auth\RegisterController@register')->name('user.register');
|
||||
Route::post('user/password/lost', 'Auth\ForgotPasswordController@sendResetLinkEmail')->name('user.password.lost');;
|
||||
Route::post('user/password/reset', 'Auth\ResetPasswordController@reset')->name('user.password.reset');
|
||||
@ -36,17 +36,17 @@
|
||||
});
|
||||
|
||||
/**
|
||||
* Routes protected by an authentication guard
|
||||
* Routes protected by an authentication guard but rejected when reverse-proxy guard is enabled
|
||||
*/
|
||||
Route::group(['middleware' => 'behind-auth'], function () {
|
||||
Route::group(['middleware' => ['behind-auth', 'rejectIfReverseProxy']], function () {
|
||||
Route::put('user', 'Auth\UserController@update')->name('user.update');
|
||||
Route::patch('user/password', 'Auth\PasswordController@update')->name('user.password.update')->middleware('disableInDemoMode');
|
||||
Route::patch('user/password', 'Auth\PasswordController@update')->name('user.password.update')->middleware('rejectIfDemoMode');
|
||||
Route::get('user/logout', 'Auth\LoginController@logout')->name('user.logout');
|
||||
Route::delete('user', 'Auth\UserController@delete')->name('user.delete')->middleware('disableInDemoMode');
|
||||
Route::delete('user', 'Auth\UserController@delete')->name('user.delete')->middleware('rejectIfDemoMode');
|
||||
|
||||
Route::get('oauth/personal-access-tokens', 'Auth\PersonalAccessTokenController@forUser')->name('passport.personal.tokens.index');
|
||||
Route::post('oauth/personal-access-tokens', 'Auth\PersonalAccessTokenController@store')->name('passport.personal.tokens.store');
|
||||
Route::delete('oauth/personal-access-tokens/{token_id}', 'Auth\PersonalAccessTokenController@destroy')->name('passport.personal.tokens.destroy');
|
||||
Route::get('oauth/personal-access-tokens', 'Laravel\Passport\Http\Controllers\PersonalAccessTokenController@forUser')->name('passport.personal.tokens.index');
|
||||
Route::post('oauth/personal-access-tokens', 'Laravel\Passport\Http\Controllers\PersonalAccessTokenController@store')->name('passport.personal.tokens.store');
|
||||
Route::delete('oauth/personal-access-tokens/{token_id}', 'Laravel\Passport\Http\Controllers\PersonalAccessTokenController@destroy')->name('passport.personal.tokens.destroy');
|
||||
|
||||
Route::post('webauthn/register/options', [WebAuthnRegisterController::class, 'options'])->name('webauthn.register.options');
|
||||
Route::post('webauthn/register', [WebAuthnRegisterController::class, 'register'])->name('webauthn.register');
|
||||
|
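Review bot: The guest group at `Route::group(['middleware' => ['guest', 'rejectIfDemoMode']], function () {` in the first hunk keeps `user`, `user/password/lost` and `user/password/reset` reachable under the reverse-proxy guard, while the constructor checks that used to throw UnsupportedWithReverseProxyException were removed from RegisterController, ForgotPasswordController and ResetPasswordController in this same commit. Unless the remainder of the routes file, outside these hunks, applies the new middleware to that group, local registration and password-reset flows are now exposed in deployments that delegate authentication to the proxy. Suggest `Route::group(['middleware' => ['guest', 'rejectIfDemoMode', 'rejectIfReverseProxy']], function () {` so the route layer carries the rejection the controllers no longer perform. The second hunk already does this for the authenticated group.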