Fix #80 - Cannot access accounts with proxy header auth

2024-11-08 01:14:29 +01:00 · 2022-05-19 15:50:06 +02:00 · 2022-05-19 15:50:06 +02:00 · abce20419b
commit abce20419b
parent 9deb821d53
6 changed files with 50 additions and 33 deletions
--- a/app/Exceptions/Handler.php
+++ b/app/Exceptions/Handler.php
@ -67,7 +67,7 @@ public function register()
            }
            else {
                return response()->json([
-                    'message' => $exception->getMessage()], $exception->getCode());
+                    'message' => $exception->getMessage()], 401);
            }
        });
    }
--- a/app/Http/Middleware/Authenticate.php
+++ b/app/Http/Middleware/Authenticate.php
@ -3,7 +3,6 @@
 namespace App\Http\Middleware;

 use Illuminate\Auth\Middleware\Authenticate as Middleware;
-use Illuminate\Support\Arr;

 class Authenticate extends Middleware
 {
@ -23,13 +22,11 @@ protected function authenticate($request, array $guards)
            $guards = [null];
        }
        else {
-            // We inject the reserve-proxy guard to ensure it will be available for every routes
-            // besides their declared guards. This way we ensure priority to declared guards and
-            // a fallback to the reverse-proxy guard
+            // We replace routes guard by the reverse proxy guard if necessary 
            $proxyGuard = 'reverse-proxy-guard';

-            if (config('auth.defaults.guard') === $proxyGuard && !Arr::has($guards, $proxyGuard)) {
-                $guards[] = $proxyGuard;
+            if (config('auth.defaults.guard') === $proxyGuard) {
+                $guards = [$proxyGuard];
            }
        }

--- a/resources/js/api.js
+++ b/resources/js/api.js
@ -40,6 +40,11 @@ Vue.axios.interceptors.response.use(response => response, error => {
        routeName = 'login'
    }

+    if ( error.response.status === 407 ) {
+        router.push({ name: 'genericError', params: { err: error.response, closable: false } })
+        throw new Vue.axios.Cancel();
+    }
+
    // api calls are stateless so when user inactivity is detected
    // by the backend middleware it cannot logout the user directly
    // so it returns a 418 response.
--- a/resources/js/routes.js
+++ b/resources/js/routes.js
@ -48,12 +48,12 @@ const router = new Router({
        { path: '/settings/webauthn', name: 'settings.webauthn', component: SettingsWebAuthn, meta: { requiresAuth: true } },
        { path: '/settings/oauth/pat/create', name: 'settings.oauth.generatePAT', component: GeneratePAT, meta: { requiresAuth: true } },

-        { path: '/login', name: 'login', component: Login },
-        { path: '/register', name: 'register', component: Register },
-        { path: '/password/request', name: 'password.request', component: PasswordRequest },
-        { path: '/password/reset/:token', name: 'password.reset', component: PasswordReset },
-        { path: '/webauthn/lost', name: 'webauthn.lost', component: WebauthnLost },
-        { path: '/webauthn/recover', name: 'webauthn.recover', component: WebauthnRecover },
+        { path: '/login', name: 'login', component: Login, meta: { disabledWithAuthProxy: true } },
+        { path: '/register', name: 'register', component: Register, meta: { disabledWithAuthProxy: true } },
+        { path: '/password/request', name: 'password.request', component: PasswordRequest, meta: { disabledWithAuthProxy: true } },
+        { path: '/password/reset/:token', name: 'password.reset', component: PasswordReset, meta: { disabledWithAuthProxy: true } },
+        { path: '/webauthn/lost', name: 'webauthn.lost', component: WebauthnLost, meta: { disabledWithAuthProxy: true } },
+        { path: '/webauthn/recover', name: 'webauthn.recover', component: WebauthnRecover, meta: { disabledWithAuthProxy: true } },
        { path: '/flooded', name: 'flooded',component: Errors,props: true },
        { path: '/error', name: 'genericError',component: Errors,props: true },
        { path: '/404', name: '404',component: Errors,props: true },
@ -70,8 +70,13 @@ router.beforeEach((to, from, next) => {
        isFirstLoad = false;
    }

-    next()
-
+    if (to.matched.some(record => record.meta.disabledWithAuthProxy)) {
+        if (window.appConfig.proxyAuth) {
+            next({ name: 'accounts' })
+        }
+        else next()
+    }
+    else next()
 });

 router.afterEach(to => {
--- a/resources/js/views/Error.vue
+++ b/resources/js/views/Error.vue
@ -1,6 +1,6 @@
 <template>
    <div class="error-message">
-        <modal v-model="ShowModal">
+        <modal v-model="ShowModal" :closable="this.showcloseButton">
            <div class="error-message" v-if="$route.name == '404'">
                <p class="error-404"></p>
                <p>{{ $t('errors.resource_not_found') }}</p>
@ -17,9 +17,9 @@
            <div v-else>
                <p class="error-generic"></p>
                <p>{{ $t('errors.error_occured') }} </p>
-                <p v-if="error" class="has-text-grey-lighter">{{ error.message }}</p>
+                <p v-if="error.message" class="has-text-grey-lighter">{{ error.message }}</p>
                <p v-if="error.originalMessage" class="has-text-grey-lighter">{{ error.originalMessage }}</p>
-                <p><router-link :to="{ name: 'accounts' }" class="is-text">{{ $t('errors.refresh') }}</router-link></p>
+                <p><router-link :to="{ name: 'accounts', params: { toRefresh: true } }" class="is-text">{{ $t('errors.refresh') }}</router-link></p>
                <p v-if="debugMode == 'development' && error.debug">
                    <br>
                    {{ error.debug }}
@ -37,6 +37,7 @@
        data(){
            return {
                ShowModal : true,
+                showcloseButton: this.closable,
            }
        },

@ -47,17 +48,21 @@
            },

            error: function() {
-                if( this.err == null ) {
+                if( this.err === null || this.err === undefined ) {
                    return false
                }
                else
                {
-                    if(this.err.data) {
-                        console.log(this.err.data)
+                    if (this.err.status === 407) {
+                        return {
+                            'message' : this.$t('errors.auth_proxy_failed'),
+                            'originalMessage' : this.$t('errors.auth_proxy_failed_legend')
+                        }
+                    }
+                    else if(this.err.data) {
                        return this.err.data
                    }
-                    else
-                    {
+                    else {
                        return { 'message' : this.err }
                    }

@ -66,7 +71,13 @@

        },

-        props: ['err'], // on object (error.response) or a string
+        props: {
+            err: [String, Object], // on object (error.response) or a string
+            closable: {
+                type: Boolean,
+                default: true
+            }
+        }, 

        components: {
            Modal
@ -81,14 +92,11 @@
        },

        beforeRouteEnter (to, from, next) {
-
-            next(vm => {
-                if( !vm.err ) {
+            // return to home if no err is provided to prevent an empty error message
+            if (to.params.err == undefined) {
                next({ name: 'accounts' });
            }
-            });
-
-            next();
+            else next()
        },
    }

--- a/resources/lang/en/errors.php
+++ b/resources/lang/en/errors.php
@ -37,4 +37,6 @@
    'security_device_unsupported' => 'Security device unsupported',
    'unsupported_with_reverseproxy' => 'Not applicable when using an auth proxy',
    'user_deletion_failed' => 'User account deletion failed, no data have been deleted',
+    'auth_proxy_failed' => 'Proxy authentication failed',
+    'auth_proxy_failed_legend' => '2Fauth is configured to run behind an authentication proxy but your proxy does not return the expected header. Check your configuration and try again.'
 ];