attempt to fix "invalid signature" issue

This commit is contained in:
Pig Fang 2020-03-28 22:36:27 +08:00
parent b93efb91ae
commit 5d9bb28281
5 changed files with 32 additions and 13 deletions

View File

@ -258,7 +258,12 @@ class AuthController extends Controller
$dispatcher->dispatch('auth.forgot.ready', [$user]);
$url = URL::temporarySignedRoute('auth.reset', now()->addHour(), ['uid' => $user->uid]);
$url = URL::temporarySignedRoute(
'auth.reset',
now()->addHour(),
['uid' => $user->uid],
false
);
try {
Mail::to($email)->send(new ForgotPassword($url));
} catch (\Exception $e) {
@ -281,6 +286,8 @@ class AuthController extends Controller
public function handleReset(Dispatcher $dispatcher, Request $request, $uid)
{
abort_unless($request->hasValidSignature(false), 403, trans('auth.reset.invalid'));
['password' => $password] = $this->validate($request, [
'password' => 'required|min:8|max:32',
]);
@ -314,12 +321,14 @@ class AuthController extends Controller
return redirect('/user');
}
public function verify($uid)
public function verify(Request $request, $uid)
{
if (!option('require_verification')) {
throw new PrettyPageException(trans('user.verification.disabled'), 1);
}
abort_unless($request->hasValidSignature(false), 403, trans('auth.verify.invalid'));
$user = User::find($uid);
if (!$user || $user->verified) {

View File

@ -185,7 +185,7 @@ class UserController extends Controller
return json(trans('user.verification.verified'), 1);
}
$url = URL::signedRoute('auth.verify', ['uid' => $user->uid]);
$url = URL::signedRoute('auth.verify', ['uid' => $user->uid], null, false);
try {
Mail::to($user->email)->send(new EmailVerification($url));

View File

@ -62,7 +62,6 @@ class Kernel extends HttpKernel
'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
'role' => \App\Http\Middleware\CheckRole::class,
'setup' => \App\Http\Middleware\CheckInstallation::class,
'signed' => \Illuminate\Routing\Middleware\ValidateSignature::class,
'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
'verified' => \App\Http\Middleware\CheckUserVerified::class,
];

View File

@ -26,10 +26,8 @@ Route::prefix('auth')->name('auth.')->group(function () {
Route::get('forgot', 'AuthController@forgot')->name('forgot');
Route::post('forgot', 'AuthController@handleForgot')->name('forgot');
Route::middleware('signed')->name('reset')->group(function () {
Route::get('reset/{uid}', 'AuthController@reset');
Route::post('reset/{uid}', 'AuthController@handleReset');
});
Route::get('reset/{uid}', 'AuthController@reset')->name('reset');
Route::post('reset/{uid}', 'AuthController@handleReset')->name('reset');
Route::get('login/{driver}', 'AuthController@oauthLogin');
Route::get('login/{driver}/callback', 'AuthController@oauthCallback');
@ -45,7 +43,7 @@ Route::prefix('auth')->name('auth.')->group(function () {
Route::post('bind', 'AuthController@fillEmail');
});
Route::get('verify/{uid}', 'AuthController@verify')->name('verify')->middleware('signed');
Route::get('verify/{uid}', 'AuthController@verify')->name('verify');
});
Route::prefix('user')

View File

@ -613,7 +613,16 @@ class AuthControllerTest extends TestCase
Event::fake();
$user = factory(User::class)->create();
$url = URL::temporarySignedRoute('auth.reset', now()->addHour(), ['uid' => $user->uid]);
$url = URL::temporarySignedRoute(
'auth.reset',
now()->addHour(),
['uid' => $user->uid],
false
);
// invalid signature
$this->postJson(route('auth.reset', ['uid' => $user->uid]))
->assertForbidden();
// Should return a warning if `password` is empty
$this->postJson($url)->assertJsonValidationErrors('password');
@ -676,21 +685,25 @@ class AuthControllerTest extends TestCase
public function testVerify()
{
$url = URL::signedRoute('auth.verify', ['uid' => 1]);
$url = URL::signedRoute('auth.verify', ['uid' => 1], null, false);
// Should be forbidden if account verification is disabled
option(['require_verification' => false]);
$this->get($url)->assertSee(trans('user.verification.disabled'));
option(['require_verification' => true]);
// Invalid link
$this->get(route('auth.verify', ['uid' => 1]))->assertForbidden();
// Non-existed user
$this->get($url)->assertSee(trans('auth.verify.invalid'));
$user = factory(User::class)->create();
$url = URL::signedRoute('auth.verify', ['uid' => $user->uid]);
$url = URL::signedRoute('auth.verify', ['uid' => $user->uid], null, false);
$this->get($url)->assertSee(trans('auth.verify.invalid'));
$user = factory(User::class)->create(['verified' => false]);
$url = URL::signedRoute('auth.verify', ['uid' => $user->uid]);
$url = URL::signedRoute('auth.verify', ['uid' => $user->uid], null, false);
$this->get($url)->assertViewIs('auth.verify');
$this->assertEquals(1, User::find($user->uid)->verified);
}