From 70f39757b1e405bcbb40ec1618e5259d13c642dc Mon Sep 17 00:00:00 2001 From: Dan Brown Date: Thu, 5 Aug 2021 22:07:08 +0100 Subject: [PATCH] Updated API auth handling of email confirmations Email confirmations are now done within the guard during auth checking instead of at the middleware layer. --- app/Api/ApiTokenGuard.php | 13 ++++++++++++- app/Http/Middleware/ApiAuthenticate.php | 3 --- app/Providers/AuthServiceProvider.php | 7 ++++--- 3 files changed, 16 insertions(+), 7 deletions(-) diff --git a/app/Api/ApiTokenGuard.php b/app/Api/ApiTokenGuard.php index 75ed5cb35..8b9cbc8e1 100644 --- a/app/Api/ApiTokenGuard.php +++ b/app/Api/ApiTokenGuard.php @@ -2,6 +2,7 @@ namespace BookStack\Api; +use BookStack\Auth\Access\LoginService; use BookStack\Exceptions\ApiAuthException; use Illuminate\Auth\GuardHelpers; use Illuminate\Contracts\Auth\Authenticatable; @@ -19,6 +20,11 @@ class ApiTokenGuard implements Guard */ protected $request; + /** + * @var LoginService + */ + protected $loginService; + /** * The last auth exception thrown in this request. * @@ -29,9 +35,10 @@ class ApiTokenGuard implements Guard /** * ApiTokenGuard constructor. */ - public function __construct(Request $request) + public function __construct(Request $request, LoginService $loginService) { $this->request = $request; + $this->loginService = $loginService; } /** @@ -95,6 +102,10 @@ class ApiTokenGuard implements Guard $this->validateToken($token, $secret); + if ($this->loginService->awaitingEmailConfirmation($token->user)) { + throw new ApiAuthException(trans('errors.email_confirmation_awaiting')); + } + return $token->user; } diff --git a/app/Http/Middleware/ApiAuthenticate.php b/app/Http/Middleware/ApiAuthenticate.php index 21d69810f..73192b0cf 100644 --- a/app/Http/Middleware/ApiAuthenticate.php +++ b/app/Http/Middleware/ApiAuthenticate.php @@ -9,7 +9,6 @@ use Illuminate\Http\Request; class ApiAuthenticate { - use ChecksForEmailConfirmation; /** * Handle an incoming request. @@ -37,7 +36,6 @@ class ApiAuthenticate // Return if the user is already found to be signed in via session-based auth. // This is to make it easy to browser the API via browser after just logging into the system. if (signedInUser() || session()->isStarted()) { - $this->ensureEmailConfirmedIfRequested(); if (!user()->can('access-api')) { throw new ApiAuthException(trans('errors.api_user_no_api_permission'), 403); } @@ -50,7 +48,6 @@ class ApiAuthenticate // Validate the token and it's users API access auth()->authenticate(); - $this->ensureEmailConfirmedIfRequested(); } /** diff --git a/app/Providers/AuthServiceProvider.php b/app/Providers/AuthServiceProvider.php index 1a78214dc..71b7ab016 100644 --- a/app/Providers/AuthServiceProvider.php +++ b/app/Providers/AuthServiceProvider.php @@ -8,6 +8,7 @@ use BookStack\Auth\Access\ExternalBaseUserProvider; use BookStack\Auth\Access\Guards\LdapSessionGuard; use BookStack\Auth\Access\Guards\Saml2SessionGuard; use BookStack\Auth\Access\LdapService; +use BookStack\Auth\Access\LoginService; use BookStack\Auth\Access\RegistrationService; use Illuminate\Support\ServiceProvider; @@ -21,7 +22,7 @@ class AuthServiceProvider extends ServiceProvider public function boot() { Auth::extend('api-token', function ($app, $name, array $config) { - return new ApiTokenGuard($app['request']); + return new ApiTokenGuard($app['request'], $app->make(LoginService::class)); }); Auth::extend('ldap-session', function ($app, $name, array $config) { @@ -30,7 +31,7 @@ class AuthServiceProvider extends ServiceProvider return new LdapSessionGuard( $name, $provider, - $this->app['session.store'], + $app['session.store'], $app[LdapService::class], $app[RegistrationService::class] ); @@ -42,7 +43,7 @@ class AuthServiceProvider extends ServiceProvider return new Saml2SessionGuard( $name, $provider, - $this->app['session.store'], + $app['session.store'], $app[RegistrationService::class] ); });