BookStack/app/Http/Middleware/EnforceMfaRequirements.php
Dan Brown 78f9c01519
Started on some MFA access-time checks
Discovered some difficult edge cases:
- User image loading in header bar when using local_secure storage
- 404s showing user-specific visible content due to content listing on
  404 page since user is in semi-logged in state. Maybe need to go
  through and change up how logins are handled to centralise and
  provide us better control at login time to prevent any auth level.
2021-07-16 23:23:36 +01:00

49 lines
1.4 KiB
PHP

<?php
namespace BookStack\Http\Middleware;
use BookStack\Auth\Access\Mfa\MfaSession;
use Closure;
class EnforceMfaRequirements
{
protected $mfaSession;
/**
* EnforceMfaRequirements constructor.
*/
public function __construct(MfaSession $mfaSession)
{
$this->mfaSession = $mfaSession;
}
/**
* Handle an incoming request.
*
* @param \Illuminate\Http\Request $request
* @param \Closure $next
* @return mixed
*/
public function handle($request, Closure $next)
{
if (
!$this->mfaSession->isVerified()
&& !$request->is('mfa/verify*', 'uploads/images/user/*')
&& $this->mfaSession->requiredForCurrentUser()
) {
return redirect('/mfa/verify');
}
// TODO - URI wildcard exceptions above allow access to the 404 page of this user
// which could then expose content. Either need to lock that down (Tricky to do image thing)
// or prevent any level of auth until verified.
// TODO - Need to redirect to setup if not configured AND ONLY IF NO OPTIONS CONFIGURED
// Might need to change up such routes to start with /configure/ for such identification.
// (Can't allow access to those if already configured)
// TODO - Store mfa_pass into session for future requests?
return $next($request);
}
}