attempt to fix "invalid signature" issue
This commit is contained in:
parent
b93efb91ae
commit
5d9bb28281
|
|
@ -258,7 +258,12 @@ class AuthController extends Controller
|
|||
|
||||
$dispatcher->dispatch('auth.forgot.ready', [$user]);
|
||||
|
||||
$url = URL::temporarySignedRoute('auth.reset', now()->addHour(), ['uid' => $user->uid]);
|
||||
$url = URL::temporarySignedRoute(
|
||||
'auth.reset',
|
||||
now()->addHour(),
|
||||
['uid' => $user->uid],
|
||||
false
|
||||
);
|
||||
try {
|
||||
Mail::to($email)->send(new ForgotPassword($url));
|
||||
} catch (\Exception $e) {
|
||||
|
|
@ -281,6 +286,8 @@ class AuthController extends Controller
|
|||
|
||||
public function handleReset(Dispatcher $dispatcher, Request $request, $uid)
|
||||
{
|
||||
abort_unless($request->hasValidSignature(false), 403, trans('auth.reset.invalid'));
|
||||
|
||||
['password' => $password] = $this->validate($request, [
|
||||
'password' => 'required|min:8|max:32',
|
||||
]);
|
||||
|
|
@ -314,12 +321,14 @@ class AuthController extends Controller
|
|||
return redirect('/user');
|
||||
}
|
||||
|
||||
public function verify($uid)
|
||||
public function verify(Request $request, $uid)
|
||||
{
|
||||
if (!option('require_verification')) {
|
||||
throw new PrettyPageException(trans('user.verification.disabled'), 1);
|
||||
}
|
||||
|
||||
abort_unless($request->hasValidSignature(false), 403, trans('auth.verify.invalid'));
|
||||
|
||||
$user = User::find($uid);
|
||||
|
||||
if (!$user || $user->verified) {
|
||||
|
|
|
|||
|
|
@ -185,7 +185,7 @@ class UserController extends Controller
|
|||
return json(trans('user.verification.verified'), 1);
|
||||
}
|
||||
|
||||
$url = URL::signedRoute('auth.verify', ['uid' => $user->uid]);
|
||||
$url = URL::signedRoute('auth.verify', ['uid' => $user->uid], null, false);
|
||||
|
||||
try {
|
||||
Mail::to($user->email)->send(new EmailVerification($url));
|
||||
|
|
|
|||
|
|
@ -62,7 +62,6 @@ class Kernel extends HttpKernel
|
|||
'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
|
||||
'role' => \App\Http\Middleware\CheckRole::class,
|
||||
'setup' => \App\Http\Middleware\CheckInstallation::class,
|
||||
'signed' => \Illuminate\Routing\Middleware\ValidateSignature::class,
|
||||
'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
|
||||
'verified' => \App\Http\Middleware\CheckUserVerified::class,
|
||||
];
|
||||
|
|
|
|||
|
|
@ -26,10 +26,8 @@ Route::prefix('auth')->name('auth.')->group(function () {
|
|||
Route::get('forgot', 'AuthController@forgot')->name('forgot');
|
||||
Route::post('forgot', 'AuthController@handleForgot')->name('forgot');
|
||||
|
||||
Route::middleware('signed')->name('reset')->group(function () {
|
||||
Route::get('reset/{uid}', 'AuthController@reset');
|
||||
Route::post('reset/{uid}', 'AuthController@handleReset');
|
||||
});
|
||||
Route::get('reset/{uid}', 'AuthController@reset')->name('reset');
|
||||
Route::post('reset/{uid}', 'AuthController@handleReset')->name('reset');
|
||||
|
||||
Route::get('login/{driver}', 'AuthController@oauthLogin');
|
||||
Route::get('login/{driver}/callback', 'AuthController@oauthCallback');
|
||||
|
|
@ -45,7 +43,7 @@ Route::prefix('auth')->name('auth.')->group(function () {
|
|||
Route::post('bind', 'AuthController@fillEmail');
|
||||
});
|
||||
|
||||
Route::get('verify/{uid}', 'AuthController@verify')->name('verify')->middleware('signed');
|
||||
Route::get('verify/{uid}', 'AuthController@verify')->name('verify');
|
||||
});
|
||||
|
||||
Route::prefix('user')
|
||||
|
|
|
|||
|
|
@ -613,7 +613,16 @@ class AuthControllerTest extends TestCase
|
|||
Event::fake();
|
||||
|
||||
$user = factory(User::class)->create();
|
||||
$url = URL::temporarySignedRoute('auth.reset', now()->addHour(), ['uid' => $user->uid]);
|
||||
$url = URL::temporarySignedRoute(
|
||||
'auth.reset',
|
||||
now()->addHour(),
|
||||
['uid' => $user->uid],
|
||||
false
|
||||
);
|
||||
|
||||
// invalid signature
|
||||
$this->postJson(route('auth.reset', ['uid' => $user->uid]))
|
||||
->assertForbidden();
|
||||
|
||||
// Should return a warning if `password` is empty
|
||||
$this->postJson($url)->assertJsonValidationErrors('password');
|
||||
|
|
@ -676,21 +685,25 @@ class AuthControllerTest extends TestCase
|
|||
|
||||
public function testVerify()
|
||||
{
|
||||
$url = URL::signedRoute('auth.verify', ['uid' => 1]);
|
||||
$url = URL::signedRoute('auth.verify', ['uid' => 1], null, false);
|
||||
|
||||
// Should be forbidden if account verification is disabled
|
||||
option(['require_verification' => false]);
|
||||
$this->get($url)->assertSee(trans('user.verification.disabled'));
|
||||
option(['require_verification' => true]);
|
||||
|
||||
// Invalid link
|
||||
$this->get(route('auth.verify', ['uid' => 1]))->assertForbidden();
|
||||
|
||||
// Non-existed user
|
||||
$this->get($url)->assertSee(trans('auth.verify.invalid'));
|
||||
|
||||
$user = factory(User::class)->create();
|
||||
$url = URL::signedRoute('auth.verify', ['uid' => $user->uid]);
|
||||
$url = URL::signedRoute('auth.verify', ['uid' => $user->uid], null, false);
|
||||
$this->get($url)->assertSee(trans('auth.verify.invalid'));
|
||||
|
||||
$user = factory(User::class)->create(['verified' => false]);
|
||||
$url = URL::signedRoute('auth.verify', ['uid' => $user->uid]);
|
||||
$url = URL::signedRoute('auth.verify', ['uid' => $user->uid], null, false);
|
||||
$this->get($url)->assertViewIs('auth.verify');
|
||||
$this->assertEquals(1, User::find($user->uid)->verified);
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user