Mirrors/invoiceninja
1
0
Fork 0
mirror of https://github.com/invoiceninja/invoiceninja.git synced 2024-11-10 13:12:50 +01:00
Code Issues Releases Activity

Fixes for password protection middleware

Browse Source
This commit is contained in:
David Bomba 2021-03-04 16:03:28 +11:00
parent 609cb1ee8d
commit 20440189d2
2 changed files with 29 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
app/Http/Middleware/PasswordProtection.php
View File

@ -31,12 +31,26 @@ class PasswordProtection
*/
public function handle($request, Closure $next)
{
// {nlog($request->headers->all());
// nlog($request->all());
$error = [
'message' => 'Invalid Password',
'errors' => new stdClass,
];
if( $request->header('X-API-OAUTH-PASSWORD') && strlen($request->header('X-API-OAUTH-PASSWORD')) >=1 ){
nlog(Cache::get(auth()->user()->hashed_id.'_logged_in'));
nlog($request->header('X-API-OAUTH-PASSWORD'));
if (Cache::get(auth()->user()->hashed_id.'_logged_in')) {
Cache::pull(auth()->user()->hashed_id.'_logged_in');
Cache::add(auth()->user()->hashed_id.'_logged_in', Str::random(64), now()->addMinutes(30));
return $next($request);
}elseif( $request->header('X-API-OAUTH-PASSWORD') && strlen($request->header('X-API-OAUTH-PASSWORD')) >=1){
//user is attempting to reauth with OAuth - check the token value
//todo expand this to include all OAuth providers
@ -48,51 +62,36 @@ class PasswordProtection
$query = [
'oauth_user_id' => $google->harvestSubField($user),
'oauth_provider_id'=> 'google',
'oauth_provider_id'=> 'google'
];
/* Cannot allow duplicates! */
if ($existing_user = MultiDB::hasUser($query)) {
//If OAuth and user also has a password set - check both
if ($existing_user = MultiDB::hasUser($query) && auth()->user()->has_password && Hash::check(auth()->user()->password, $request->header('X-API-PASSWORD'))) {
Cache::add(auth()->user()->hashed_id.'_logged_in', Str::random(64), now()->addMinutes(30));
return $next($request);
}
}
elseif($existing_user = MultiDB::hasUser($query) && !auth()->uer()->has_password){
$error = [
'message' => 'Access denied',
'errors' => new stdClass,
];
Cache::add(auth()->user()->hashed_id.'_logged_in', Str::random(64), now()->addMinutes(30));
return $next($request);
}
}
return response()->json($error, 412);
}elseif ($request->header('X-API-PASSWORD')) {
}elseif ($request->header('X-API-PASSWORD') && Hash::check($request->header('X-API-PASSWORD'), auth()->user()->password)) {
//user is attempting to reauth with regular password
//
if (! Hash::check($request->header('X-API-PASSWORD'), auth()->user()->password)) {
return response()->json($error, 403);
}
} elseif (Cache::get(auth()->user()->hashed_id.'_logged_in')) {
Cache::pull(auth()->user()->hashed_id.'_logged_in');
Cache::add(auth()->user()->hashed_id.'_logged_in', Str::random(64), now()->addMinutes(30));
return $next($request);
} else {
$error = [
'message' => 'Access denied',
'errors' => new stdClass,
];
return response()->json($error, 412);
}
Cache::add(auth()->user()->email.'_logged_in', Str::random(64), now()->addMinutes(30));
return $next($request);
}
}

4
app/Repositories/UserRepository.php
View File

@ -74,6 +74,10 @@ class UserRepository extends BaseRepository
}
$user->account_id = $account->id;
if(strlen($user->password) >=1)
$user->has_password = true;
$user->save();
if (isset($data['company_user'])) {