From bcc286e537297e4feb55062e44a314e25f0139fc Mon Sep 17 00:00:00 2001
From: David Bomba
Date: Mon, 19 Jul 2021 10:57:13 +1000
Subject: [PATCH] Handle base64 encoded passwords
---
 app/Http/Controllers/Auth/LoginController.php | 3 ++-
 app/Http/Middleware/PasswordProtection.php | 10 ++++++++--
 2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/app/Http/Controllers/Auth/LoginController.php b/app/Http/Controllers/Auth/LoginController.php
index a1960438fc..efd75e3841 100644
--- a/app/Http/Controllers/Auth/LoginController.php
+++ b/app/Http/Controllers/Auth/LoginController.php
@@ -16,6 +16,7 @@ use App\DataMapper\Analytics\LoginSuccess;
 use App\Events\User\UserLoggedIn;
 use App\Http\Controllers\BaseController;
 use App\Http\Controllers\Controller;
+use App\Http\Requests\Login\LoginRequest;
 use App\Jobs\Account\CreateAccount;
 use App\Jobs\Company\CreateCompanyToken;
 use App\Jobs\Util\SystemLogger;
@@ -156,7 +157,7 @@ class LoginController extends BaseController
 * ),
 * )
 */
- public function apiLogin(Request $request)
+ public function apiLogin(LoginRequest $request)
 {
 $this->forced_includes = ['company_users'];
diff --git a/app/Http/Middleware/PasswordProtection.php b/app/Http/Middleware/PasswordProtection.php
index e3a80cf457..bcb9f9d077 100644
--- a/app/Http/Middleware/PasswordProtection.php
+++ b/app/Http/Middleware/PasswordProtection.php
@@ -44,6 +44,12 @@ class PasswordProtection
 else
 $timeout = $timeout/1000;
+ //test if password if base64 encoded
+ $x_api_password = $request->header('X-API-PASSWORD');
+
+ if(base64_decode(base64_encode($x_api_password)) === $x_api_password)
+ $x_api_password = base64_decode($x_api_password);
+
 if (Cache::get(auth()->user()->hashed_id.'_'.auth()->user()->account_id.'_logged_in')) {
 Cache::put(auth()->user()->hashed_id.'_'.auth()->user()->account_id.'_logged_in', Str::random(64), $timeout);
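Review bot: The base64 detection on the added lines is a tautology — `base64_decode(base64_encode($s)) === $s` holds for every string, so the branch always fires and every X-API-PASSWORD value is base64-decoded, including plaintext passwords, which then reach the Hash::check calls later in the method as unrelated bytes (non-strict base64_decode also silently drops characters outside the base64 alphabet instead of failing). Decode with `base64_decode($value, true)` and only accept the result when re-encoding it reproduces the header exactly; even then a plaintext password that happens to be valid base64 (for example an 8-character alphanumeric one) is ambiguous, so keep the raw value as well and let the two Hash::check sites accept either candidate, e.g. `Hash::check($x_api_password, $hash) || ($decoded_password !== null && Hash::check($decoded_password, $hash))`, or have the client signal the encoding explicitly in a separate header. The enclosing handle() method starts before and continues past this hunk.
```php
        $x_api_password = $request->header('X-API-PASSWORD');

        // Clients may send the secret base64-encoded. Treat it as encoded only when a
        // strict decode round-trips exactly; a plaintext that is also valid base64 stays
        // ambiguous, so the raw value is kept and both candidates are checked below.
        $decoded_password = null;
        if (is_string($x_api_password) && $x_api_password !== '') {
            $strict = base64_decode($x_api_password, true);
            if ($strict !== false && base64_encode($strict) === $x_api_password)
                $decoded_password = $strict;
        }

        // … unchanged: Cache::get / Cache::put "_logged_in" handling …
```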
@@ -66,7 +72,7 @@ class PasswordProtection
 ];
 //If OAuth and user also has a password set - check both
- if ($existing_user = MultiDB::hasUser($query) && auth()->user()->company()->oauth_password_required && auth()->user()->has_password && Hash::check(auth()->user()->password, $request->header('X-API-PASSWORD'))) {
+ if ($existing_user = MultiDB::hasUser($query) && auth()->user()->company()->oauth_password_required && auth()->user()->has_password && Hash::check(auth()->user()->password, $x_api_password)) {
 nlog("existing user with password");
@@ -86,7 +92,7 @@ class PasswordProtection
 return response()->json($error, 412);
- }elseif ($request->header('X-API-PASSWORD') && Hash::check($request->header('X-API-PASSWORD'), auth()->user()->password)) {
+ }elseif ($x_api_password && Hash::check($x_api_password, auth()->user()->password)) {
 Cache::put(auth()->user()->hashed_id.'_'.auth()->user()->account_id.'_logged_in', Str::random(64), $timeout);
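Review bot: The argument order in the new line's `Hash::check(auth()->user()->password, $x_api_password)` is reversed — `Hash::check($value, $hashedValue)` takes the plaintext first and the stored hash second, so this branch runs the stored hash through bcrypt against the header value and cannot succeed for a real password; the `elseif` in the next hunk already uses the correct order. This predates the commit, but since the line is rewritten here it should read `Hash::check($x_api_password, auth()->user()->password)`. Separately, `$existing_user = MultiDB::hasUser($query) && …` assigns the whole conjunction to `$existing_user` because `=` binds looser than `&&`; if the lookup result is meant to be kept, write `($existing_user = MultiDB::hasUser($query)) && …`. The enclosing handle() method starts before and continues past this hunk.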