invoiceninja/app/Http/Middleware/PasswordProtection.php

<?php
/**
 * Invoice Ninja (https://invoiceninja.com).
 *
 * @link https://github.com/invoiceninja/invoiceninja source repository
 *
 * @copyright Copyright (c) 2021. Invoice Ninja LLC (https://invoiceninja.com)
 *
 * @license https://opensource.org/licenses/AAL
 */

namespace App\Http\Middleware;

use App\Libraries\MultiDB;
use App\Libraries\OAuth\Providers\Google;
use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Str;
use stdClass;

class PasswordProtection
{
    /**
     * Handle an incoming request.
     *
     * @param  Request  $request
     * @param Closure $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
    
        $error = [
            'message' => 'Invalid Password',
            'errors' => new stdClass,
        ];

        $timeout = auth()->user()->company()->default_password_timeout;

        if($timeout == 0)
            $timeout = 30*60*1000*1000;
        else
            $timeout = $timeout/1000;

        if (Cache::get(auth()->user()->hashed_id.'_logged_in')) {

            Cache::put(auth()->user()->hashed_id.'_logged_in', Str::random(64), $timeout);

            return $next($request);

        }elseif( $request->header('X-API-OAUTH-PASSWORD') && strlen($request->header('X-API-OAUTH-PASSWORD')) >=1){

            //user is attempting to reauth with OAuth - check the token value
            //todo expand this to include all OAuth providers
            $user = false;
            $google = new Google();
            $user = $google->getTokenResponse(request()->header('X-API-OAUTH-PASSWORD'));

            if (is_array($user)) {
                
                $query = [
                    'oauth_user_id' => $google->harvestSubField($user),
                    'oauth_provider_id'=> 'google'
                ];

                //If OAuth and user also has a password set  - check both
                if ($existing_user = MultiDB::hasUser($query) && auth()->user()->has_password && Hash::check(auth()->user()->password, $request->header('X-API-PASSWORD'))) {

                    Cache::put(auth()->user()->hashed_id.'_logged_in', Str::random(64), $timeout);
                    return $next($request);
                }
                elseif($existing_user = MultiDB::hasUser($query) && !auth()->user()->has_password){

                    Cache::put(auth()->user()->hashed_id.'_logged_in', Str::random(64), $timeout);
                    return $next($request);                    
                }
            }

            return response()->json($error, 412);


        }elseif ($request->header('X-API-PASSWORD') && Hash::check($request->header('X-API-PASSWORD'), auth()->user()->password))  {

            Cache::put(auth()->user()->hashed_id.'_logged_in', Str::random(64), $timeout);

            return $next($request);

        } else {

            return response()->json($error, 412);
        }


    }
}
Default gateway type ID (#3008) * Show Recurring Invoice - Client Portal * Password protect some routes * Password Protection Routes * Add default_gateway_type_id to gateway table 2019-10-22 13:27:03 +02:00			`<?php`
			`/**`
Laravel 7.x Shift (#40) * Adopt Laravel coding style The Laravel framework adopts the PSR-2 coding style with some additions. Laravel apps should adopt this coding style as well. However, Shift allows you to customize the adopted coding style by adding your own [PHP CS Fixer][1] `.php_cs` config to your project. You may use [Shift's .php_cs][2] file as a base. [1]: https://github.com/FriendsOfPHP/PHP-CS-Fixer [2]: https://gist.github.com/laravel-shift/cab527923ed2a109dda047b97d53c200 * Shift bindings PHP 5.5.9+ adds the new static `class` property which provides the fully qualified class name. This is preferred over using class name strings as these references are checked by the parser. * Shift core files * Shift to Throwable * Add laravel/ui dependency * Unindent vendor mail templates * Shift config files * Default config files In an effort to make upgrading the constantly changing config files easier, Shift defaulted them so you can review the commit diff for changes. Moving forward, you should use ENV variables or create a separate config file to allow the core config files to remain automatically upgradeable. * Shift Laravel dependencies * Shift cleanup * Upgrade to Laravel 7 Co-authored-by: Laravel Shift <shift@laravelshift.com> 2020-09-06 11:38:10 +02:00			`* Invoice Ninja (https://invoiceninja.com).`
Default gateway type ID (#3008) * Show Recurring Invoice - Client Portal * Password protect some routes * Password Protection Routes * Add default_gateway_type_id to gateway table 2019-10-22 13:27:03 +02:00			`*`
			`* @link https://github.com/invoiceninja/invoiceninja source repository`
			`*`
Update copyright + version bump + set canadian dollar symbol to $ 2021-01-03 22:54:54 +01:00			`* @copyright Copyright (c) 2021. Invoice Ninja LLC (https://invoiceninja.com)`
Default gateway type ID (#3008) * Show Recurring Invoice - Client Portal * Password protect some routes * Password Protection Routes * Add default_gateway_type_id to gateway table 2019-10-22 13:27:03 +02:00			`*`
			`* @license https://opensource.org/licenses/AAL`
			`*/`

			`namespace App\Http\Middleware;`

Working on OAuth password protection routes 2021-02-23 22:12:23 +01:00			`use App\Libraries\MultiDB;`
			`use App\Libraries\OAuth\Providers\Google;`
Default gateway type ID (#3008) * Show Recurring Invoice - Client Portal * Password protect some routes * Password Protection Routes * Add default_gateway_type_id to gateway table 2019-10-22 13:27:03 +02:00			`use Closure;`
Psalm cleanup 2020-10-28 11:10:49 +01:00			`use Illuminate\Http\Request;`
Fixes for settings (#3009) * Add Includes * Clean up company settings + tests * Update Company Settings Schema * Fixes for tests * fixes for tests * fixes for settings 2019-10-23 03:01:25 +02:00			`use Illuminate\Support\Facades\Cache;`
			`use Illuminate\Support\Facades\Hash;`
Track signup platform (#3014) * update company settings and OpenAPI definitions * Fixes for tests * Add extra variables to company settings * Track signup platform when new account signup processed 2019-10-24 06:46:24 +02:00			`use Illuminate\Support\Str;`
Psalm cleanup 2020-10-28 11:10:49 +01:00			`use stdClass;`
Default gateway type ID (#3008) * Show Recurring Invoice - Client Portal * Password protect some routes * Password Protection Routes * Add default_gateway_type_id to gateway table 2019-10-22 13:27:03 +02:00
			`class PasswordProtection`
			`{`
			`/**`
			`* Handle an incoming request.`
			`*`
Psalm cleanup 2020-10-28 11:10:49 +01:00			`* @param Request $request`
			`* @param Closure $next`
Default gateway type ID (#3008) * Show Recurring Invoice - Client Portal * Password protect some routes * Password Protection Routes * Add default_gateway_type_id to gateway table 2019-10-22 13:27:03 +02:00			`* @return mixed`
			`*/`
			`public function handle($request, Closure $next)`
			`{`
Fixes for password protection middleware 2021-03-04 06:03:28 +01:00
Default gateway type ID (#3008) * Show Recurring Invoice - Client Portal * Password protect some routes * Password Protection Routes * Add default_gateway_type_id to gateway table 2019-10-22 13:27:03 +02:00			`$error = [`
			`'message' => 'Invalid Password',`
Psalm cleanup 2020-10-28 11:10:49 +01:00			`'errors' => new stdClass,`
Default gateway type ID (#3008) * Show Recurring Invoice - Client Portal * Password protect some routes * Password Protection Routes * Add default_gateway_type_id to gateway table 2019-10-22 13:27:03 +02:00			`];`

Customize the password protect timeout 2021-03-09 11:52:48 +01:00			`$timeout = auth()->user()->company()->default_password_timeout;`
Fixes for password protection middleware 2021-03-04 06:03:28 +01:00
Customize the password protect timeout 2021-03-09 11:52:48 +01:00			`if($timeout == 0)`
Fixes for password protection 2021-05-05 08:44:31 +02:00			`$timeout = 30601000*1000;`
Customize the password protect timeout 2021-03-09 11:52:48 +01:00			`else`
Fixes for password protection 2021-05-05 08:44:31 +02:00			`$timeout = $timeout/1000;`
Fixes for password protection middleware 2021-03-04 06:03:28 +01:00
			`if (Cache::get(auth()->user()->hashed_id.'_logged_in')) {`

Minor fixes for password protection cache 2021-05-05 07:56:54 +02:00			`Cache::put(auth()->user()->hashed_id.'_logged_in', Str::random(64), $timeout);`
Fixes for password protection middleware 2021-03-04 06:03:28 +01:00
			`return $next($request);`

			`}elseif( $request->header('X-API-OAUTH-PASSWORD') && strlen($request->header('X-API-OAUTH-PASSWORD')) >=1){`
Working on OAuth password protection routes 2021-02-23 22:12:23 +01:00
			`//user is attempting to reauth with OAuth - check the token value`
			`//todo expand this to include all OAuth providers`
			`$user = false;`
			`$google = new Google();`
			`$user = $google->getTokenResponse(request()->header('X-API-OAUTH-PASSWORD'));`

			`if (is_array($user)) {`

			`$query = [`
			`'oauth_user_id' => $google->harvestSubField($user),`
Fixes for password protection middleware 2021-03-04 06:03:28 +01:00			`'oauth_provider_id'=> 'google'`
Working on OAuth password protection routes 2021-02-23 22:12:23 +01:00			`];`

Fixes for password protection middleware 2021-03-04 06:03:28 +01:00			`//If OAuth and user also has a password set - check both`
Minor fixes 2021-03-19 13:37:57 +01:00			`if ($existing_user = MultiDB::hasUser($query) && auth()->user()->has_password && Hash::check(auth()->user()->password, $request->header('X-API-PASSWORD'))) {`
Fixes for password protection middleware 2021-03-04 06:03:28 +01:00
Fixes for password protection 2021-05-05 08:11:40 +02:00			`Cache::put(auth()->user()->hashed_id.'_logged_in', Str::random(64), $timeout);`
Working on OAuth password protection routes 2021-02-23 22:12:23 +01:00			`return $next($request);`
			`}`
Fixes for typo in password protection 2021-03-07 21:56:44 +01:00			`elseif($existing_user = MultiDB::hasUser($query) && !auth()->user()->has_password){`
Working on OAuth password protection routes 2021-02-23 22:12:23 +01:00
Fixes for password protection 2021-05-05 08:11:40 +02:00			`Cache::put(auth()->user()->hashed_id.'_logged_in', Str::random(64), $timeout);`
Fixes for password protection middleware 2021-03-04 06:03:28 +01:00			`return $next($request);`
			`}`
			`}`
Working on OAuth password protection routes 2021-02-23 22:12:23 +01:00
			`return response()->json($error, 412);`


Fixes for password protection middleware 2021-03-04 06:03:28 +01:00			`}elseif ($request->header('X-API-PASSWORD') && Hash::check($request->header('X-API-PASSWORD'), auth()->user()->password)) {`
Working on OAuth password protection routes 2021-02-23 22:12:23 +01:00
Fixes for password protection 2021-05-05 08:11:40 +02:00			`Cache::put(auth()->user()->hashed_id.'_logged_in', Str::random(64), $timeout);`
Fixes and Refactors for Invoice Emails. (#3339) * Working on emailing invoices * Working on emailing and displaying email * Working on emailing and displaying email * Email invoices * Fixes for html emails * Ensure valid client prior to store * Ensure client exists when storing an entity * Update variable name send -> send_email for client_contacts * Mailable download files * Extend timeouts of password protected routes when a protected route is hit * Add default portal design to company settings * Minor fixes * Fixes for Tests * Fixes for invoicing emails * Refactors for InvoiceEmail * Implement abstractservice * Refactors for services * Refactors for emails * Fixes for Invoice Emails 2020-02-17 10:37:44 +01:00
Default gateway type ID (#3008) * Show Recurring Invoice - Client Portal * Password protect some routes * Password Protection Routes * Add default_gateway_type_id to gateway table 2019-10-22 13:27:03 +02:00			`return $next($request);`
Working on OAuth password protection routes 2021-02-23 22:12:23 +01:00
Fixes for tests (#3184) * fix typo * php-cs traits * CS fixer pass * Password protect User routes * Implement checks to prevent editing a deleted record * Clean up payment flows * Fixes for tests 2019-12-30 22:59:12 +01:00			`} else {`
Working on OAuth password protection routes 2021-02-23 22:12:23 +01:00
Fixes for tests (#3184) * fix typo * php-cs traits * CS fixer pass * Password protect User routes * Implement checks to prevent editing a deleted record * Clean up payment flows * Fixes for tests 2019-12-30 22:59:12 +01:00			`return response()->json($error, 412);`
Default gateway type ID (#3008) * Show Recurring Invoice - Client Portal * Password protect some routes * Password Protection Routes * Add default_gateway_type_id to gateway table 2019-10-22 13:27:03 +02:00			`}`


			`}`
Minor fixes 2021-03-09 11:30:34 +01:00			`}`