BookStack/app/Http/Kernel.php

<?php

namespace BookStack\Http;

use Illuminate\Foundation\Http\Kernel as HttpKernel;

class Kernel extends HttpKernel
{
    /**
     * The application's global HTTP middleware stack.
     * These middleware are run during every request to your application.
     */
    protected $middleware = [
        \BookStack\Http\Middleware\PreventRequestsDuringMaintenance::class,
        \Illuminate\Foundation\Http\Middleware\ValidatePostSize::class,
        \BookStack\Http\Middleware\TrimStrings::class,
        \BookStack\Http\Middleware\TrustProxies::class,
    ];

    /**
     * The application's route middleware groups.
     *
     * @var array
     */
    protected $middlewareGroups = [
        'web' => [
            \BookStack\Http\Middleware\ApplyCspRules::class,
            \BookStack\Http\Middleware\EncryptCookies::class,
            \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
            \Illuminate\Session\Middleware\StartSession::class,
            \Illuminate\View\Middleware\ShareErrorsFromSession::class,
            \BookStack\Http\Middleware\VerifyCsrfToken::class,
            \BookStack\Http\Middleware\PreventAuthenticatedResponseCaching::class,
            \BookStack\Http\Middleware\CheckEmailConfirmed::class,
            \BookStack\Http\Middleware\RunThemeActions::class,
            \BookStack\Http\Middleware\Localization::class,
        ],
        'api' => [
            \BookStack\Http\Middleware\ThrottleApiRequests::class,
            \BookStack\Http\Middleware\EncryptCookies::class,
            \BookStack\Http\Middleware\StartSessionIfCookieExists::class,
            \BookStack\Http\Middleware\ApiAuthenticate::class,
            \BookStack\Http\Middleware\PreventAuthenticatedResponseCaching::class,
            \BookStack\Http\Middleware\CheckEmailConfirmed::class,
        ],
    ];

    /**
     * The application's route middleware.
     *
     * @var array
     */
    protected $routeMiddleware = [
        'auth'       => \BookStack\Http\Middleware\Authenticate::class,
        'can'        => \BookStack\Http\Middleware\CheckUserHasPermission::class,
        'guest'      => \BookStack\Http\Middleware\RedirectIfAuthenticated::class,
        'throttle'   => \Illuminate\Routing\Middleware\ThrottleRequests::class,
        'guard'      => \BookStack\Http\Middleware\CheckGuard::class,
        'mfa-setup'  => \BookStack\Http\Middleware\AuthenticatedOrPendingMfa::class,
    ];
}
Apply fixes from StyleCI 2021-06-26 11:23:15 -04:00			`<?php`

			`namespace BookStack\Http;`
Initial commit 2015-07-12 15:01:42 -04:00
			`use Illuminate\Foundation\Http\Kernel as HttpKernel;`

			`class Kernel extends HttpKernel`
			`{`
			`/**`
			`* The application's global HTTP middleware stack.`
Laravel 5.3 upgrade (#189) * Started move to laravel 5.3 * Started updating login & registration flows for laravel 5.3 update * Updated app emails to notification system * Fixed registations bugs and removed email confirmation model * Fixed large portion of laravel post-upgrade issues * Fixed and tested LDAP process 2016-09-17 13:22:04 -04:00			`* These middleware are run during every request to your application.`
Initial commit 2015-07-12 15:01:42 -04:00			`*/`
			`protected $middleware = [`
Laravel 8 shift squash & merge (#3029) * Temporarily moved back config path * Apply Laravel coding style * Shift exception handler * Shift HTTP kernel and middleware * Shift service providers * Convert options array to fluent methods * Shift to class based routes * Shift console routes * Ignore temporary framework files * Shift to class based factories * Namespace seeders * Shift PSR-4 autoloading * Shift config files * Default config files * Shift Laravel dependencies * Shift return type of base TestCase methods * Shift cleanup * Applied stylci style changes * Reverted config files location * Applied manual changes to Laravel 8 shift Co-authored-by: Shift <shift@laravelshift.com> 2021-10-30 16:29:59 -04:00			`\BookStack\Http\Middleware\PreventRequestsDuringMaintenance::class,`
Added missing middleware to trim input 2017-09-30 09:31:27 -04:00			`\Illuminate\Foundation\Http\Middleware\ValidatePostSize::class,`
			`\BookStack\Http\Middleware\TrimStrings::class,`
Updated to laravel 5.5 Closes #590 2017-11-19 10:56:06 -05:00			`\BookStack\Http\Middleware\TrustProxies::class,`
Laravel 5.3 upgrade (#189) * Started move to laravel 5.3 * Started updating login & registration flows for laravel 5.3 update * Updated app emails to notification system * Fixed registations bugs and removed email confirmation model * Fixed large portion of laravel post-upgrade issues * Fixed and tested LDAP process 2016-09-17 13:22:04 -04:00			`];`

			`/**`
			`* The application's route middleware groups.`
			`*`
			`* @var array`
			`*/`
			`protected $middlewareGroups = [`
			`'web' => [`
Started application of CSP headers 2021-09-03 18:32:42 -04:00			`\BookStack\Http\Middleware\ApplyCspRules::class,`
Laravel 5.3 upgrade (#189) * Started move to laravel 5.3 * Started updating login & registration flows for laravel 5.3 update * Updated app emails to notification system * Fixed registations bugs and removed email confirmation model * Fixed large portion of laravel post-upgrade issues * Fixed and tested LDAP process 2016-09-17 13:22:04 -04:00			`\BookStack\Http\Middleware\EncryptCookies::class,`
			`\Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,`
Added missing middleware to trim input 2017-09-30 09:31:27 -04:00			`\Illuminate\Session\Middleware\StartSession::class,`
			`\Illuminate\View\Middleware\ShareErrorsFromSession::class,`
Laravel 5.3 upgrade (#189) * Started move to laravel 5.3 * Started updating login & registration flows for laravel 5.3 update * Updated app emails to notification system * Fixed registations bugs and removed email confirmation model * Fixed large portion of laravel post-upgrade issues * Fixed and tested LDAP process 2016-09-17 13:22:04 -04:00			`\BookStack\Http\Middleware\VerifyCsrfToken::class,`
Forced response cache revalidation on logged-in responses - Prevents authenticated responses being visible when back button pressed in browser. - Previously, 'no-cache, private' was added by default by Symfony which would have prevents proxy cache issues but this adds no-store and a max-age option to also invalidate all caching. Thanks to @haxatron via huntr.dev Ref: https://huntr.dev/bounties/6cda9df9-4987-4e1c-b48f-855b6901ef53/ 2021-10-08 10:22:09 -04:00			`\BookStack\Http\Middleware\PreventAuthenticatedResponseCaching::class,`
Added back email confirmation check in middleware During writing of the update notes, found that the upgrade path would be tricky from a security point of view. If people were pending email confirmation but had an active session, they could technically be actively logged in after the next release. Added middlware as an extra precaution for now. 2021-08-30 16:28:17 -04:00			`\BookStack\Http\Middleware\CheckEmailConfirmed::class,`
Added web-middleware based theme events 2021-03-17 08:56:56 -04:00			`\BookStack\Http\Middleware\RunThemeActions::class,`
Refactored notification showing and global view data 2019-09-19 10:12:10 -04:00			`\BookStack\Http\Middleware\Localization::class,`
Laravel 5.3 upgrade (#189) * Started move to laravel 5.3 * Started updating login & registration flows for laravel 5.3 update * Updated app emails to notification system * Fixed registations bugs and removed email confirmation model * Fixed large portion of laravel post-upgrade issues * Fixed and tested LDAP process 2016-09-17 13:22:04 -04:00			`],`
			`'api' => [`
Added configurable API throttling, Handled API errors standardly 2020-01-18 10:03:28 -05:00			`\BookStack\Http\Middleware\ThrottleApiRequests::class,`
Change email confirmation from own middle to trait Email confirmation middleware caused more mess than good, As caused priority issues and it depended on auth actions. Instead its now a trai used on auth middlewares. Also used 'EncryptCookies' middleware on API instead of custom decryption in custom middleware since we'd need to do replicate all the same actions anyway. Shouldn't have too much effect since it only actions over cookies that exist, of which none should be there for most API requests. Also split out some large guard functions to be a little more readable and appease codeclimate. 2019-12-30 10:46:12 -05:00			`\BookStack\Http\Middleware\EncryptCookies::class,`
Extracted API auth into guard Also implemented more elegant solution to allowing session auth for API routes; A new 'StartSessionIfCookieExists' middleware, which wraps the default 'StartSession' middleware will run for API routes which only sets up the session if a session cookie is found on the request. Also decrypts only the session cookie. Also cleaned some TokenController codeclimate warnings. 2019-12-30 09:51:28 -05:00			`\BookStack\Http\Middleware\StartSessionIfCookieExists::class,`
Linked new API token system into middleware Base logic in place but needs review and refactor to see if can better fit into Laravel using 'Guard' system. Currently has issues due to cookies in use from active session on API. 2019-12-29 21:16:07 -05:00			`\BookStack\Http\Middleware\ApiAuthenticate::class,`
Forced response cache revalidation on logged-in responses - Prevents authenticated responses being visible when back button pressed in browser. - Previously, 'no-cache, private' was added by default by Symfony which would have prevents proxy cache issues but this adds no-store and a max-age option to also invalidate all caching. Thanks to @haxatron via huntr.dev Ref: https://huntr.dev/bounties/6cda9df9-4987-4e1c-b48f-855b6901ef53/ 2021-10-08 10:22:09 -04:00			`\BookStack\Http\Middleware\PreventAuthenticatedResponseCaching::class,`
Added back email confirmation check in middleware During writing of the update notes, found that the upgrade path would be tricky from a security point of view. If people were pending email confirmation but had an active session, they could technically be actively logged in after the next release. Added middlware as an extra precaution for now. 2021-08-30 16:28:17 -04:00			`\BookStack\Http\Middleware\CheckEmailConfirmed::class,`
Laravel 5.3 upgrade (#189) * Started move to laravel 5.3 * Started updating login & registration flows for laravel 5.3 update * Updated app emails to notification system * Fixed registations bugs and removed email confirmation model * Fixed large portion of laravel post-upgrade issues * Fixed and tested LDAP process 2016-09-17 13:22:04 -04:00			`],`
Initial commit 2015-07-12 15:01:42 -04:00			`];`

			`/**`
			`* The application's route middleware.`
			`*`
			`* @var array`
			`*/`
			`protected $routeMiddleware = [`
Change application namespace to BookStack 2015-09-10 14:31:09 -04:00			`'auth' => \BookStack\Http\Middleware\Authenticate::class,`
Applied styleci patches 2021-08-28 16:51:15 -04:00			`'can' => \BookStack\Http\Middleware\CheckUserHasPermission::class,`
Change application namespace to BookStack 2015-09-10 14:31:09 -04:00			`'guest' => \BookStack\Http\Middleware\RedirectIfAuthenticated::class,`
Simplified guard names and rolled out guard route checks - Included tests to cover for LDAP and SAML - Updated wording for external auth id option. - Updated 'assertPermissionError' test case to be usable in BrowserKitTests 2020-02-02 08:10:21 -05:00			`'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,`
			`'guard' => \BookStack\Http\Middleware\CheckGuard::class,`
Worked on MFA setup required flow - Restructured some of the route naming to be a little more consistent. - Moved the routes about to be more logically in one place. - Created a new middleware to handle the auth of people that should be allowed access to mfa setup routes, since these could be used by existing logged in users or by people needing to setup MFA on access. - Added testing to cover MFA setup required flow. - Added TTL and method tracking to session last-login tracking system. 2021-08-02 17:02:25 -04:00			`'mfa-setup' => \BookStack\Http\Middleware\AuthenticatedOrPendingMfa::class,`
Initial commit 2015-07-12 15:01:42 -04:00			`];`
			`}`