mirror of
https://github.com/Bubka/2FAuth.git
synced 2024-11-25 01:34:15 +01:00
117 lines
4.5 KiB
PHP
117 lines
4.5 KiB
PHP
<?php
|
|
|
|
namespace App\Providers;
|
|
|
|
use App\Extensions\RemoteUserProvider;
|
|
use App\Extensions\WebauthnCredentialBroker;
|
|
use App\Models\Group;
|
|
use App\Models\TwoFAccount;
|
|
use App\Models\User;
|
|
use App\Policies\GroupPolicy;
|
|
use App\Policies\TwoFAccountPolicy;
|
|
use App\Policies\UserPolicy;
|
|
use App\Services\Auth\ReverseProxyGuard;
|
|
use Illuminate\Auth\Passwords\DatabaseTokenRepository;
|
|
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
|
|
use Illuminate\Support\Facades\Auth;
|
|
use Illuminate\Support\Str;
|
|
use RuntimeException;
|
|
|
|
class AuthServiceProvider extends ServiceProvider
|
|
{
|
|
/**
|
|
* The model to policy mappings for the application.
|
|
*
|
|
* @var array<class-string, class-string>
|
|
*/
|
|
protected $policies = [
|
|
TwoFAccount::class => TwoFAccountPolicy::class,
|
|
Group::class => GroupPolicy::class,
|
|
User::class => UserPolicy::class,
|
|
];
|
|
|
|
/**
|
|
* Register the service provider.
|
|
*
|
|
*
|
|
* @throws \Illuminate\Contracts\Container\BindingResolutionException
|
|
*/
|
|
public function register() : void
|
|
{
|
|
$this->app->singleton(
|
|
WebauthnCredentialBroker::class,
|
|
static function ($app) {
|
|
if (! $config = $app['config']['auth.passwords.webauthn']) {
|
|
throw new RuntimeException('You must set the [webauthn] key broker in [auth] config.');
|
|
}
|
|
|
|
$key = $app['config']['app.key'];
|
|
|
|
if (Str::startsWith($key, 'base64:')) {
|
|
$key = base64_decode(substr($key, 7));
|
|
}
|
|
|
|
return new WebauthnCredentialBroker(
|
|
new DatabaseTokenRepository(
|
|
$app['db']->connection($config['connection'] ?? null),
|
|
$app['hash'],
|
|
$config['table'],
|
|
$key,
|
|
$config['expire'],
|
|
$config['throttle'] ?? 0
|
|
),
|
|
$app['auth']->createUserProvider($config['provider'] ?? null)
|
|
);
|
|
}
|
|
);
|
|
}
|
|
|
|
/**
|
|
* Register any authentication / authorization services.
|
|
*
|
|
* @return void
|
|
*/
|
|
public function boot()
|
|
{
|
|
// Register a custom provider for reverse-proxy authentication
|
|
Auth::provider('remote-user', function ($app, array $config) {
|
|
// Return an instance of Illuminate\Contracts\Auth\UserProvider...
|
|
|
|
return new RemoteUserProvider;
|
|
});
|
|
|
|
// Register a custom driver for reverse-proxy authentication
|
|
Auth::extend('reverse-proxy', function ($app, string $name, array $config) {
|
|
// Return an instance of Illuminate\Contracts\Auth\Guard...
|
|
|
|
return new ReverseProxyGuard(Auth::createUserProvider($config['provider']));
|
|
});
|
|
|
|
// We use a custom user provider derivated from the Laragear\WebAuthn one to honor the "useWebauthnOnly" user option.
|
|
// As this option is now available in the $user->preferences array it is no more possible to overload the $fallback
|
|
// value here because $user is not available at registration.
|
|
Auth::provider(
|
|
'eloquent-webauthn',
|
|
static function (\Illuminate\Contracts\Foundation\Application $app, array $config) : \Laragear\WebAuthn\Auth\WebAuthnUserProvider {
|
|
return new \App\Extensions\WebauthnTwoFAuthUserProvider(
|
|
$app->make('hash'),
|
|
$config['model'],
|
|
$app->make(\Laragear\WebAuthn\Assertion\Validator\AssertionValidator::class),
|
|
true
|
|
);
|
|
}
|
|
);
|
|
|
|
// Normally we should set the Passport routes here using Passport::routes().
|
|
// If so the passport routes would be set for both 'web' and 'api' middlewares without
|
|
// possibility to exclude the web middleware (we can only pass additional middlewares to Passport::routes())
|
|
//
|
|
// The problem is that 2Fauth front-end uses the Laravel FreshApiToken to consum its API as a first party app.
|
|
// So we have a laravel_token cookie added to each response to perform the authentication.
|
|
//
|
|
// Don't know why but when passing through the web middleware the requests to Personal Access Tokens management routes return
|
|
// responses with inconsistent cookies that make the next request unauthorized.
|
|
// To avoid this the Passport routes for PAT management are set in the /routes/api.php file
|
|
}
|
|
}
|