invoiceninja/app/Http/Middleware/PasswordProtection.php

<?php
/**
 * Invoice Ninja (https://invoiceninja.com).
 *
 * @link https://github.com/invoiceninja/invoiceninja source repository
 *
 * @copyright Copyright (c) 2022. Invoice Ninja LLC (https://invoiceninja.com)
 *
 * @license https://www.elastic.co/licensing/elastic-license
 */

namespace App\Http\Middleware;

use App\Libraries\MultiDB;
use App\Libraries\OAuth\Providers\Google;
use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Str;
use stdClass;

class PasswordProtection
{
    /**
     * Handle an incoming request.
     *
     * @param  Request  $request
     * @param Closure $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
   
        $error = [
            'message' => 'Invalid Password',
            'errors' => new stdClass,
        ];

        $timeout = auth()->user()->company()->default_password_timeout;

        if($timeout == 0)
            $timeout = 30*60*1000*1000;
        else
            $timeout = $timeout/1000;

        //test if password if base64 encoded
        $x_api_password = $request->header('X-API-PASSWORD');

        if($request->header('X-API-PASSWORD-BASE64'))
        {
            $x_api_password = base64_decode($request->header('X-API-PASSWORD-BASE64'));
        }

        // If no password supplied - then we just check if their authentication is in cache //
        if (Cache::get(auth()->user()->hashed_id.'_'.auth()->user()->account_id.'_logged_in') && !$x_api_password) {

            Cache::put(auth()->user()->hashed_id.'_'.auth()->user()->account_id.'_logged_in', Str::random(64), $timeout);

            return $next($request);

        }elseif( $request->header('X-API-OAUTH-PASSWORD') && strlen($request->header('X-API-OAUTH-PASSWORD')) >=1){

            //user is attempting to reauth with OAuth - check the token value
            //todo expand this to include all OAuth providers
            if(auth()->user()->oauth_provider_id == 'google')
            {
                $user = false;
                $google = new Google();
                $user = $google->getTokenResponse(request()->header('X-API-OAUTH-PASSWORD'));

                if (is_array($user)) {
                    
                    $query = [
                        'oauth_user_id' => $google->harvestSubField($user),
                        'oauth_provider_id'=> 'google'
                    ];

                    //If OAuth and user also has a password set  - check both
                    if ($existing_user = MultiDB::hasUser($query) && auth()->user()->company()->oauth_password_required && auth()->user()->has_password && Hash::check(auth()->user()->password, $x_api_password)) {

                        nlog("existing user with password");

                        Cache::put(auth()->user()->hashed_id.'_'.auth()->user()->account_id.'_logged_in', Str::random(64), $timeout);

                        return $next($request);
                    }
                    elseif($existing_user = MultiDB::hasUser($query) && !auth()->user()->company()->oauth_password_required){

                        nlog("existing user without password");

                        Cache::put(auth()->user()->hashed_id.'_'.auth()->user()->account_id.'_logged_in', Str::random(64), $timeout);
                        return $next($request);                    
                    }
                }

            }
            elseif(auth()->user()->oauth_provider_id == 'microsoft')
            {
                try{
                    $payload = json_decode(base64_decode(str_replace('_', '/', str_replace('-','+',explode('.', request()->header('X-API-OAUTH-PASSWORD'))[1]))));
                }
                catch(\Exception $e){
                    nlog("could not decode microsoft response");
                    return response()->json(['message' => 'Could not decode the response from Microsoft'], 412);
                }

                if($payload->preferred_username == auth()->user()->email){

                    Cache::put(auth()->user()->hashed_id.'_'.auth()->user()->account_id.'_logged_in', Str::random(64), $timeout);
                    return $next($request);
                }
            }


            return response()->json($error, 412);


        }elseif ($x_api_password && Hash::check($x_api_password, auth()->user()->password))  {

            Cache::put(auth()->user()->hashed_id.'_'.auth()->user()->account_id.'_logged_in', Str::random(64), $timeout);

            return $next($request);

        } else {

            return response()->json($error, 412);
        }


    }
}
Default gateway type ID (#3008) * Show Recurring Invoice - Client Portal * Password protect some routes * Password Protection Routes * Add default_gateway_type_id to gateway table 2019-10-22 13:27:03 +02:00			`<?php`
			`/**`
Laravel 7.x Shift (#40) * Adopt Laravel coding style The Laravel framework adopts the PSR-2 coding style with some additions. Laravel apps should adopt this coding style as well. However, Shift allows you to customize the adopted coding style by adding your own [PHP CS Fixer][1] `.php_cs` config to your project. You may use [Shift's .php_cs][2] file as a base. [1]: https://github.com/FriendsOfPHP/PHP-CS-Fixer [2]: https://gist.github.com/laravel-shift/cab527923ed2a109dda047b97d53c200 * Shift bindings PHP 5.5.9+ adds the new static `class` property which provides the fully qualified class name. This is preferred over using class name strings as these references are checked by the parser. * Shift core files * Shift to Throwable * Add laravel/ui dependency * Unindent vendor mail templates * Shift config files * Default config files In an effort to make upgrading the constantly changing config files easier, Shift defaulted them so you can review the commit diff for changes. Moving forward, you should use ENV variables or create a separate config file to allow the core config files to remain automatically upgradeable. * Shift Laravel dependencies * Shift cleanup * Upgrade to Laravel 7 Co-authored-by: Laravel Shift <shift@laravelshift.com> 2020-09-06 11:38:10 +02:00			`* Invoice Ninja (https://invoiceninja.com).`
Default gateway type ID (#3008) * Show Recurring Invoice - Client Portal * Password protect some routes * Password Protection Routes * Add default_gateway_type_id to gateway table 2019-10-22 13:27:03 +02:00			`*`
			`* @link https://github.com/invoiceninja/invoiceninja source repository`
			`*`
Update Copyright text 2022-04-27 05:20:41 +02:00			`* @copyright Copyright (c) 2022. Invoice Ninja LLC (https://invoiceninja.com)`
Default gateway type ID (#3008) * Show Recurring Invoice - Client Portal * Password protect some routes * Password Protection Routes * Add default_gateway_type_id to gateway table 2019-10-22 13:27:03 +02:00			`*`
Update license in codebase 2021-06-16 08:58:16 +02:00			`* @license https://www.elastic.co/licensing/elastic-license`
Default gateway type ID (#3008) * Show Recurring Invoice - Client Portal * Password protect some routes * Password Protection Routes * Add default_gateway_type_id to gateway table 2019-10-22 13:27:03 +02:00			`*/`

			`namespace App\Http\Middleware;`

Working on OAuth password protection routes 2021-02-23 22:12:23 +01:00			`use App\Libraries\MultiDB;`
			`use App\Libraries\OAuth\Providers\Google;`
Default gateway type ID (#3008) * Show Recurring Invoice - Client Portal * Password protect some routes * Password Protection Routes * Add default_gateway_type_id to gateway table 2019-10-22 13:27:03 +02:00			`use Closure;`
Psalm cleanup 2020-10-28 11:10:49 +01:00			`use Illuminate\Http\Request;`
Fixes for settings (#3009) * Add Includes * Clean up company settings + tests * Update Company Settings Schema * Fixes for tests * fixes for tests * fixes for settings 2019-10-23 03:01:25 +02:00			`use Illuminate\Support\Facades\Cache;`
			`use Illuminate\Support\Facades\Hash;`
Track signup platform (#3014) * update company settings and OpenAPI definitions * Fixes for tests * Add extra variables to company settings * Track signup platform when new account signup processed 2019-10-24 06:46:24 +02:00			`use Illuminate\Support\Str;`
Psalm cleanup 2020-10-28 11:10:49 +01:00			`use stdClass;`
Default gateway type ID (#3008) * Show Recurring Invoice - Client Portal * Password protect some routes * Password Protection Routes * Add default_gateway_type_id to gateway table 2019-10-22 13:27:03 +02:00
			`class PasswordProtection`
			`{`
			`/**`
			`* Handle an incoming request.`
			`*`
Psalm cleanup 2020-10-28 11:10:49 +01:00			`* @param Request $request`
			`* @param Closure $next`
Default gateway type ID (#3008) * Show Recurring Invoice - Client Portal * Password protect some routes * Password Protection Routes * Add default_gateway_type_id to gateway table 2019-10-22 13:27:03 +02:00			`* @return mixed`
			`*/`
			`public function handle($request, Closure $next)`
			`{`
Reorder middleware to allow route model binding to be delayed 2021-05-13 14:41:32 +02:00
Default gateway type ID (#3008) * Show Recurring Invoice - Client Portal * Password protect some routes * Password Protection Routes * Add default_gateway_type_id to gateway table 2019-10-22 13:27:03 +02:00			`$error = [`
			`'message' => 'Invalid Password',`
Psalm cleanup 2020-10-28 11:10:49 +01:00			`'errors' => new stdClass,`
Default gateway type ID (#3008) * Show Recurring Invoice - Client Portal * Password protect some routes * Password Protection Routes * Add default_gateway_type_id to gateway table 2019-10-22 13:27:03 +02:00			`];`

Customize the password protect timeout 2021-03-09 11:52:48 +01:00			`$timeout = auth()->user()->company()->default_password_timeout;`
Fixes for password protection middleware 2021-03-04 06:03:28 +01:00
Customize the password protect timeout 2021-03-09 11:52:48 +01:00			`if($timeout == 0)`
Fixes for password protection 2021-05-05 08:44:31 +02:00			`$timeout = 30601000*1000;`
Customize the password protect timeout 2021-03-09 11:52:48 +01:00			`else`
Fixes for password protection 2021-05-05 08:44:31 +02:00			`$timeout = $timeout/1000;`
Fixes for password protection middleware 2021-03-04 06:03:28 +01:00
Handle base64 encoded passwords 2021-07-19 02:57:13 +02:00			`//test if password if base64 encoded`
			`$x_api_password = $request->header('X-API-PASSWORD');`

Email user when another user is added into the system 2021-07-19 06:17:58 +02:00			`if($request->header('X-API-PASSWORD-BASE64'))`
			`{`
			`$x_api_password = base64_decode($request->header('X-API-PASSWORD-BASE64'));`
			`}`
Handle base64 encoded passwords 2021-07-19 02:57:13 +02:00
Fixes for password protection route - always check if a password is presented! 2021-08-31 06:09:12 +02:00			`// If no password supplied - then we just check if their authentication is in cache //`
			`if (Cache::get(auth()->user()->hashed_id.'_'.auth()->user()->account_id.'_logged_in') && !$x_api_password) {`
Fixes for password protection middleware 2021-03-04 06:03:28 +01:00
Reorder middleware to allow route model binding to be delayed 2021-05-13 14:41:32 +02:00			`Cache::put(auth()->user()->hashed_id.'_'.auth()->user()->account_id.'_logged_in', Str::random(64), $timeout);`
Fixes for password protection middleware 2021-03-04 06:03:28 +01:00
			`return $next($request);`

			`}elseif( $request->header('X-API-OAUTH-PASSWORD') && strlen($request->header('X-API-OAUTH-PASSWORD')) >=1){`
Working on OAuth password protection routes 2021-02-23 22:12:23 +01:00
			`//user is attempting to reauth with OAuth - check the token value`
			`//todo expand this to include all OAuth providers`
Password protection route with Microsoft OAuth 2022-06-24 23:47:15 +02:00			`if(auth()->user()->oauth_provider_id == 'google')`
			`{`
			`$user = false;`
			`$google = new Google();`
			`$user = $google->getTokenResponse(request()->header('X-API-OAUTH-PASSWORD'));`
Password protection route with Microsoft OAuth 2022-06-25 00:30:06 +02:00
			`if (is_array($user)) {`

			`$query = [`
			`'oauth_user_id' => $google->harvestSubField($user),`
			`'oauth_provider_id'=> 'google'`
			`];`

			`//If OAuth and user also has a password set - check both`
			`if ($existing_user = MultiDB::hasUser($query) && auth()->user()->company()->oauth_password_required && auth()->user()->has_password && Hash::check(auth()->user()->password, $x_api_password)) {`

			`nlog("existing user with password");`

			`Cache::put(auth()->user()->hashed_id.'_'.auth()->user()->account_id.'_logged_in', Str::random(64), $timeout);`

			`return $next($request);`
			`}`
			`elseif($existing_user = MultiDB::hasUser($query) && !auth()->user()->company()->oauth_password_required){`

			`nlog("existing user without password");`

			`Cache::put(auth()->user()->hashed_id.'_'.auth()->user()->account_id.'_logged_in', Str::random(64), $timeout);`
			`return $next($request);`
			`}`
			`}`

Password protection route with Microsoft OAuth 2022-06-24 23:47:15 +02:00			`}`
			`elseif(auth()->user()->oauth_provider_id == 'microsoft')`
			`{`
Password protection route with Microsoft OAuth 2022-06-25 00:39:45 +02:00			`try{`
			`$payload = json_decode(base64_decode(str_replace('_', '/', str_replace('-','+',explode('.', request()->header('X-API-OAUTH-PASSWORD'))[1]))));`
			`}`
			`catch(\Exception $e){`
			`nlog("could not decode microsoft response");`
			`return response()->json(['message' => 'Could not decode the response from Microsoft'], 412);`
			`}`
Fixes for password protection middleware 2021-03-04 06:03:28 +01:00
Password protection route with Microsoft OAuth 2022-06-25 00:40:29 +02:00			`if($payload->preferred_username == auth()->user()->email){`
Logging for Password Protection 2021-06-09 08:01:09 +02:00
Reorder middleware to allow route model binding to be delayed 2021-05-13 14:41:32 +02:00			`Cache::put(auth()->user()->hashed_id.'_'.auth()->user()->account_id.'_logged_in', Str::random(64), $timeout);`
Working on OAuth password protection routes 2021-02-23 22:12:23 +01:00			`return $next($request);`
			`}`
Password protection route with Microsoft OAuth 2022-06-25 00:30:06 +02:00			`}`
Working on OAuth password protection routes 2021-02-23 22:12:23 +01:00
Updates for Password Protection with OAuth 2021-06-09 08:22:25 +02:00
Working on OAuth password protection routes 2021-02-23 22:12:23 +01:00
			`return response()->json($error, 412);`


Handle base64 encoded passwords 2021-07-19 02:57:13 +02:00			`}elseif ($x_api_password && Hash::check($x_api_password, auth()->user()->password)) {`
Working on OAuth password protection routes 2021-02-23 22:12:23 +01:00
Reorder middleware to allow route model binding to be delayed 2021-05-13 14:41:32 +02:00			`Cache::put(auth()->user()->hashed_id.'_'.auth()->user()->account_id.'_logged_in', Str::random(64), $timeout);`
Fixes and Refactors for Invoice Emails. (#3339) * Working on emailing invoices * Working on emailing and displaying email * Working on emailing and displaying email * Email invoices * Fixes for html emails * Ensure valid client prior to store * Ensure client exists when storing an entity * Update variable name send -> send_email for client_contacts * Mailable download files * Extend timeouts of password protected routes when a protected route is hit * Add default portal design to company settings * Minor fixes * Fixes for Tests * Fixes for invoicing emails * Refactors for InvoiceEmail * Implement abstractservice * Refactors for services * Refactors for emails * Fixes for Invoice Emails 2020-02-17 10:37:44 +01:00
Default gateway type ID (#3008) * Show Recurring Invoice - Client Portal * Password protect some routes * Password Protection Routes * Add default_gateway_type_id to gateway table 2019-10-22 13:27:03 +02:00			`return $next($request);`
Working on OAuth password protection routes 2021-02-23 22:12:23 +01:00
Fixes for tests (#3184) * fix typo * php-cs traits * CS fixer pass * Password protect User routes * Implement checks to prevent editing a deleted record * Clean up payment flows * Fixes for tests 2019-12-30 22:59:12 +01:00			`} else {`
Working on OAuth password protection routes 2021-02-23 22:12:23 +01:00
Fixes for tests (#3184) * fix typo * php-cs traits * CS fixer pass * Password protect User routes * Implement checks to prevent editing a deleted record * Clean up payment flows * Fixes for tests 2019-12-30 22:59:12 +01:00			`return response()->json($error, 412);`
Default gateway type ID (#3008) * Show Recurring Invoice - Client Portal * Password protect some routes * Password Protection Routes * Add default_gateway_type_id to gateway table 2019-10-22 13:27:03 +02:00			`}`


			`}`
Minor fixes 2021-03-09 11:30:34 +01:00			`}`