BookStack/app/Http/Middleware/EnforceMfaRequirements.php

<?php

namespace BookStack\Http\Middleware;

use BookStack\Auth\Access\Mfa\MfaSession;
use Closure;

class EnforceMfaRequirements
{
    protected $mfaSession;

    /**
     * EnforceMfaRequirements constructor.
     */
    public function __construct(MfaSession $mfaSession)
    {
        $this->mfaSession = $mfaSession;
    }

    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        if (
            !$this->mfaSession->isVerified()
            && !$request->is('mfa/verify*', 'uploads/images/user/*')
            && $this->mfaSession->requiredForCurrentUser()
        ) {
            return redirect('/mfa/verify');
        }

        // TODO - URI wildcard exceptions above allow access to the 404 page of this user
        //  which could then expose content. Either need to lock that down (Tricky to do image thing)
        //  or prevent any level of auth until verified.

        // TODO - Need to redirect to setup if not configured AND ONLY IF NO OPTIONS CONFIGURED
        //    Might need to change up such routes to start with /configure/ for such identification.
        //    (Can't allow access to those if already configured)
        // TODO - Store mfa_pass into session for future requests?

        return $next($request);
    }
}
Added role based MFA control - Added new DB column for control and role updated create/update actions. - Created new middleware as a start to actual enforcement logic. - Added indicator to role list of whether MFA is enforced. 2021-07-03 08:34:48 -04:00			`<?php`

			`namespace BookStack\Http\Middleware;`

Started on some MFA access-time checks Discovered some difficult edge cases: - User image loading in header bar when using local_secure storage - 404s showing user-specific visible content due to content listing on 404 page since user is in semi-logged in state. Maybe need to go through and change up how logins are handled to centralise and provide us better control at login time to prevent any auth level. 2021-07-16 18:23:36 -04:00			`use BookStack\Auth\Access\Mfa\MfaSession;`
Added role based MFA control - Added new DB column for control and role updated create/update actions. - Created new middleware as a start to actual enforcement logic. - Added indicator to role list of whether MFA is enforced. 2021-07-03 08:34:48 -04:00			`use Closure;`

			`class EnforceMfaRequirements`
			`{`
Started on some MFA access-time checks Discovered some difficult edge cases: - User image loading in header bar when using local_secure storage - 404s showing user-specific visible content due to content listing on 404 page since user is in semi-logged in state. Maybe need to go through and change up how logins are handled to centralise and provide us better control at login time to prevent any auth level. 2021-07-16 18:23:36 -04:00			`protected $mfaSession;`

			`/**`
			`* EnforceMfaRequirements constructor.`
			`*/`
			`public function __construct(MfaSession $mfaSession)`
			`{`
			`$this->mfaSession = $mfaSession;`
			`}`

Added role based MFA control - Added new DB column for control and role updated create/update actions. - Created new middleware as a start to actual enforcement logic. - Added indicator to role list of whether MFA is enforced. 2021-07-03 08:34:48 -04:00			`/**`
			`* Handle an incoming request.`
			`*`
			`* @param \Illuminate\Http\Request $request`
			`* @param \Closure $next`
			`* @return mixed`
			`*/`
			`public function handle($request, Closure $next)`
			`{`
Started on some MFA access-time checks Discovered some difficult edge cases: - User image loading in header bar when using local_secure storage - 404s showing user-specific visible content due to content listing on 404 page since user is in semi-logged in state. Maybe need to go through and change up how logins are handled to centralise and provide us better control at login time to prevent any auth level. 2021-07-16 18:23:36 -04:00			`if (`
			`!$this->mfaSession->isVerified()`
			`&& !$request->is('mfa/verify', 'uploads/images/user/')`
			`&& $this->mfaSession->requiredForCurrentUser()`
			`) {`
			`return redirect('/mfa/verify');`
			`}`

			`// TODO - URI wildcard exceptions above allow access to the 404 page of this user`
			`// which could then expose content. Either need to lock that down (Tricky to do image thing)`
			`// or prevent any level of auth until verified.`

			`// TODO - Need to redirect to setup if not configured AND ONLY IF NO OPTIONS CONFIGURED`
			`// Might need to change up such routes to start with /configure/ for such identification.`
			`// (Can't allow access to those if already configured)`
Added role based MFA control - Added new DB column for control and role updated create/update actions. - Created new middleware as a start to actual enforcement logic. - Added indicator to role list of whether MFA is enforced. 2021-07-03 08:34:48 -04:00			`// TODO - Store mfa_pass into session for future requests?`
Started on some MFA access-time checks Discovered some difficult edge cases: - User image loading in header bar when using local_secure storage - 404s showing user-specific visible content due to content listing on 404 page since user is in semi-logged in state. Maybe need to go through and change up how logins are handled to centralise and provide us better control at login time to prevent any auth level. 2021-07-16 18:23:36 -04:00
Added role based MFA control - Added new DB column for control and role updated create/update actions. - Created new middleware as a start to actual enforcement logic. - Added indicator to role list of whether MFA is enforced. 2021-07-03 08:34:48 -04:00			`return $next($request);`
			`}`
			`}`