From 387109002e942bc46cba5306d6ad87687b42e551 Mon Sep 17 00:00:00 2001 From: Toby Zerner Date: Sat, 5 Dec 2015 15:11:25 +1030 Subject: [PATCH] Rework sessions, remember cookies, and auth again - Use Symfony's Session component to work with sessions, instead of a custom database model. Separate the concept of access tokens from sessions once again. - Extract common session/remember cookie logic into SessionAuthenticator and Rememberer classes. - Extract AuthenticateUserTrait into a new AuthenticationResponseFactory class. - Fix forgot password process. --- composer.json | 1 + ..._12_03_010529_drop_access_tokens_table.php | 32 ---- ...015_12_03_010610_create_sessions_table.php | 34 ----- ...05_042721_change_access_tokens_columns.php | 31 ++++ src/Admin/Server.php | 3 +- src/Api/Client.php | 13 +- src/Api/Controller/TokenController.php | 11 +- src/Api/Server.php | 5 +- src/Core/Access/AssertPermissionTrait.php | 3 +- src/Core/User.php | 9 +- src/Event/UserLoggedIn.php | 8 +- src/Forum/AuthenticationResponseFactory.php | 113 ++++++++++++++ .../Controller/AuthenticateUserTrait.php | 76 ---------- .../Controller/ConfirmEmailController.php | 12 +- src/Forum/Controller/LogInController.php | 39 +++-- src/Forum/Controller/LogOutController.php | 36 ++++- src/Forum/Controller/RegisterController.php | 44 +++--- .../Controller/ResetPasswordController.php | 4 +- .../Controller/SavePasswordController.php | 17 ++- src/Forum/Server.php | 4 +- src/Http/AbstractServer.php | 14 ++ src/Http/AccessToken.php | 71 +++++++++ src/Http/Controller/ClientView.php | 2 +- .../Middleware/AuthenticateWithCookie.php | 52 ------- .../Middleware/AuthenticateWithHeader.php | 16 +- .../Middleware/AuthenticateWithSession.php | 46 ++++++ src/Http/Middleware/RememberFromCookie.php | 40 +++++ src/Http/Middleware/StartSession.php | 71 ++++----- src/Http/Rememberer.php | 54 +++++++ src/Http/Session.php | 140 ------------------ src/Http/SessionAuthenticator.php | 36 +++++ src/Http/WriteSessionCookieTrait.php | 29 ---- src/Install/Controller/InstallController.php | 29 ++-- views/reset.blade.php | 3 +- 34 files changed, 596 insertions(+), 502 deletions(-) delete mode 100644 migrations/2015_12_03_010529_drop_access_tokens_table.php delete mode 100644 migrations/2015_12_03_010610_create_sessions_table.php create mode 100644 migrations/2015_12_05_042721_change_access_tokens_columns.php create mode 100644 src/Forum/AuthenticationResponseFactory.php delete mode 100644 src/Forum/Controller/AuthenticateUserTrait.php create mode 100644 src/Http/AccessToken.php delete mode 100644 src/Http/Middleware/AuthenticateWithCookie.php create mode 100644 src/Http/Middleware/AuthenticateWithSession.php create mode 100644 src/Http/Middleware/RememberFromCookie.php create mode 100644 src/Http/Rememberer.php delete mode 100644 src/Http/Session.php create mode 100644 src/Http/SessionAuthenticator.php delete mode 100644 src/Http/WriteSessionCookieTrait.php diff --git a/composer.json b/composer.json index fb18a9bbe..2f6694077 100644 --- a/composer.json +++ b/composer.json @@ -45,6 +45,7 @@ "nikic/fast-route": "^0.6", "dflydev/fig-cookies": "^1.0", "symfony/console": "^2.7", + "symfony/http-foundation": "^2.7", "symfony/yaml": "^2.7", "symfony/translation": "^2.7", "doctrine/dbal": "^2.5", diff --git a/migrations/2015_12_03_010529_drop_access_tokens_table.php b/migrations/2015_12_03_010529_drop_access_tokens_table.php deleted file mode 100644 index d2739dda4..000000000 --- a/migrations/2015_12_03_010529_drop_access_tokens_table.php +++ /dev/null @@ -1,32 +0,0 @@ - - * - * For the full copyright and license information, please view the LICENSE - * file that was distributed with this source code. - */ - -namespace Flarum\Core\Migration; - -use Flarum\Database\AbstractMigration; -use Illuminate\Database\Schema\Blueprint; - -class DropAccessTokensTable extends AbstractMigration -{ - public function up() - { - $this->schema->drop('access_tokens'); - } - - public function down() - { - $this->schema->create('access_tokens', function (Blueprint $table) { - $table->string('id', 100)->primary(); - $table->integer('user_id')->unsigned(); - $table->timestamp('created_at'); - $table->timestamp('expires_at'); - }); - } -} diff --git a/migrations/2015_12_03_010610_create_sessions_table.php b/migrations/2015_12_03_010610_create_sessions_table.php deleted file mode 100644 index 9c37e07ba..000000000 --- a/migrations/2015_12_03_010610_create_sessions_table.php +++ /dev/null @@ -1,34 +0,0 @@ - - * - * For the full copyright and license information, please view the LICENSE - * file that was distributed with this source code. - */ - -namespace Flarum\Core\Migration; - -use Flarum\Database\AbstractMigration; -use Illuminate\Database\Schema\Blueprint; - -class CreateSessionsTable extends AbstractMigration -{ - public function up() - { - $this->schema->create('sessions', function (Blueprint $table) { - $table->string('id', 40)->primary(); - $table->integer('user_id')->unsigned()->nullable(); - $table->string('csrf_token', 40); - $table->integer('last_activity'); - $table->integer('duration'); - $table->dateTime('sudo_expiry_time'); - }); - } - - public function down() - { - $this->schema->drop('sessions'); - } -} diff --git a/migrations/2015_12_05_042721_change_access_tokens_columns.php b/migrations/2015_12_05_042721_change_access_tokens_columns.php new file mode 100644 index 000000000..5d94c911b --- /dev/null +++ b/migrations/2015_12_05_042721_change_access_tokens_columns.php @@ -0,0 +1,31 @@ +schema->table('access_tokens', function (Blueprint $table) { + $table->string('id', 40)->change(); + $table->dropColumn('created_at'); + $table->dropColumn('expires_at'); + $table->integer('last_activity'); + $table->integer('lifetime'); + }); + } + + public function down() + { + $this->schema->table('access_tokens', function (Blueprint $table) { + $table->string('id', 100)->change(); + $table->dropColumn('last_activity'); + $table->dropColumn('lifetime'); + $table->timestamp('created_at'); + $table->timestamp('expires_at'); + }); + } +} diff --git a/src/Admin/Server.php b/src/Admin/Server.php index 1047d8923..f81c03727 100644 --- a/src/Admin/Server.php +++ b/src/Admin/Server.php @@ -32,8 +32,9 @@ class Server extends AbstractServer if ($app->isUpToDate()) { $pipe->pipe($adminPath, $app->make('Flarum\Http\Middleware\ParseJsonBody')); - $pipe->pipe($adminPath, $app->make('Flarum\Http\Middleware\AuthenticateWithCookie')); $pipe->pipe($adminPath, $app->make('Flarum\Http\Middleware\StartSession')); + $pipe->pipe($adminPath, $app->make('Flarum\Http\Middleware\RememberFromCookie')); + $pipe->pipe($adminPath, $app->make('Flarum\Http\Middleware\AuthenticateWithSession')); $pipe->pipe($adminPath, $app->make('Flarum\Http\Middleware\SetLocale')); $pipe->pipe($adminPath, $app->make('Flarum\Admin\Middleware\RequireAdministrateAbility')); $pipe->pipe($adminPath, $app->make('Flarum\Http\Middleware\DispatchRoute', ['routes' => $app->make('flarum.admin.routes')])); diff --git a/src/Api/Client.php b/src/Api/Client.php index ea6666f74..c1db8e1f1 100644 --- a/src/Api/Client.php +++ b/src/Api/Client.php @@ -12,7 +12,7 @@ namespace Flarum\Api; use Flarum\Http\Controller\ControllerInterface; use Flarum\Core\User; -use Flarum\Http\Session; +use Flarum\Http\AccessToken; use Illuminate\Contracts\Container\Container; use Exception; use InvalidArgumentException; @@ -44,22 +44,15 @@ class Client * Execute the given API action class, pass the input and return its response. * * @param string|ControllerInterface $controller - * @param Session|User|null $session + * @param User|null $actor * @param array $queryParams * @param array $body * @return \Psr\Http\Message\ResponseInterface */ - public function send($controller, $session, array $queryParams = [], array $body = []) + public function send($controller, $actor, array $queryParams = [], array $body = []) { $request = ServerRequestFactory::fromGlobals(null, $queryParams, $body); - if ($session instanceof Session) { - $request = $request->withAttribute('session', $session); - $actor = $session->user; - } else { - $actor = $session; - } - $request = $request->withAttribute('actor', $actor); if (is_string($controller)) { diff --git a/src/Api/Controller/TokenController.php b/src/Api/Controller/TokenController.php index 38279dfcc..a2c901c2d 100644 --- a/src/Api/Controller/TokenController.php +++ b/src/Api/Controller/TokenController.php @@ -13,7 +13,7 @@ namespace Flarum\Api\Controller; use Flarum\Core\Exception\PermissionDeniedException; use Flarum\Core\Repository\UserRepository; use Flarum\Http\Controller\ControllerInterface; -use Flarum\Http\Session; +use Flarum\Http\AccessToken; use Illuminate\Contracts\Bus\Dispatcher as BusDispatcher; use Illuminate\Contracts\Events\Dispatcher as EventDispatcher; use Psr\Http\Message\ServerRequestInterface; @@ -64,13 +64,12 @@ class TokenController implements ControllerInterface throw new PermissionDeniedException; } - $session = $request->getAttribute('session') ?: Session::generate($user); - $session->assign($user)->regenerateId()->renew()->save(); + $token = AccessToken::generate($user->id); + $token->save(); return (new JsonResponse([ - 'token' => $session->id, + 'token' => $token->id, 'userId' => $user->id - ])) - ->withHeader('X-CSRF-Token', $session->csrf_token); + ])); } } diff --git a/src/Api/Server.php b/src/Api/Server.php index ab518cd86..d74f8a493 100644 --- a/src/Api/Server.php +++ b/src/Api/Server.php @@ -30,9 +30,10 @@ class Server extends AbstractServer if ($app->isInstalled() && $app->isUpToDate()) { $pipe->pipe($apiPath, $app->make('Flarum\Http\Middleware\ParseJsonBody')); $pipe->pipe($apiPath, $app->make('Flarum\Api\Middleware\FakeHttpMethods')); - $pipe->pipe($apiPath, $app->make('Flarum\Http\Middleware\AuthenticateWithCookie')); - $pipe->pipe($apiPath, $app->make('Flarum\Http\Middleware\AuthenticateWithHeader')); $pipe->pipe($apiPath, $app->make('Flarum\Http\Middleware\StartSession')); + $pipe->pipe($apiPath, $app->make('Flarum\Http\Middleware\RememberFromCookie')); + $pipe->pipe($apiPath, $app->make('Flarum\Http\Middleware\AuthenticateWithSession')); + $pipe->pipe($apiPath, $app->make('Flarum\Http\Middleware\AuthenticateWithHeader')); $pipe->pipe($apiPath, $app->make('Flarum\Http\Middleware\SetLocale')); $pipe->pipe($apiPath, $app->make('Flarum\Http\Middleware\DispatchRoute', ['routes' => $app->make('flarum.api.routes')])); $pipe->pipe($apiPath, $app->make('Flarum\Api\Middleware\HandleErrors')); diff --git a/src/Core/Access/AssertPermissionTrait.php b/src/Core/Access/AssertPermissionTrait.php index 0bc5eee7f..760548263 100644 --- a/src/Core/Access/AssertPermissionTrait.php +++ b/src/Core/Access/AssertPermissionTrait.php @@ -10,6 +10,7 @@ namespace Flarum\Core\Access; +use DateTime; use Flarum\Api\Exception\InvalidAccessTokenException; use Flarum\Core\Exception\PermissionDeniedException; use Flarum\Core\User; @@ -74,7 +75,7 @@ trait AssertPermissionTrait { $session = $request->getAttribute('session'); - if (! $session || ! $session->isSudo()) { + if (! $session || $session->get('sudo_expiry') < new DateTime) { throw new InvalidAccessTokenException; } } diff --git a/src/Core/User.php b/src/Core/User.php index 195844898..108d250a1 100755 --- a/src/Core/User.php +++ b/src/Core/User.php @@ -31,7 +31,6 @@ use Flarum\Event\UserEmailChangeWasRequested; use Flarum\Event\PrepareUserGroups; use Flarum\Core\Support\ScopeVisibilityTrait; use Flarum\Core\Support\EventGeneratorTrait; -use Flarum\Core\Exception\ValidationException; /** * @property int $id @@ -135,7 +134,7 @@ class User extends AbstractModel $user->read()->detach(); $user->groups()->detach(); - $user->sessions()->delete(); + $user->accessTokens()->delete(); $user->notifications()->delete(); }); @@ -654,13 +653,13 @@ class User extends AbstractModel } /** - * Define the relationship with the user's sessions. + * Define the relationship with the user's access tokens. * * @return \Illuminate\Database\Eloquent\Relations\HasMany */ - public function sessions() + public function accessTokens() { - return $this->hasMany('Flarum\Http\Session'); + return $this->hasMany('Flarum\Http\AccessToken'); } /** diff --git a/src/Event/UserLoggedIn.php b/src/Event/UserLoggedIn.php index 32c0ceaf4..509fffa3d 100644 --- a/src/Event/UserLoggedIn.php +++ b/src/Event/UserLoggedIn.php @@ -11,17 +11,17 @@ namespace Flarum\Event; use Flarum\Core\User; -use Flarum\Http\Session; +use Flarum\Http\AccessToken; class UserLoggedIn { public $user; - public $session; + public $token; - public function __construct(User $user, Session $session) + public function __construct(User $user, AccessToken $token) { $this->user = $user; - $this->session = $session; + $this->token = $token; } } diff --git a/src/Forum/AuthenticationResponseFactory.php b/src/Forum/AuthenticationResponseFactory.php new file mode 100644 index 000000000..60370c66e --- /dev/null +++ b/src/Forum/AuthenticationResponseFactory.php @@ -0,0 +1,113 @@ + + * + * For the full copyright and license information, please view the LICENSE + * file that was distributed with this source code. + */ + +namespace Flarum\Forum; + +use Flarum\Core\AuthToken; +use Flarum\Core\User; +use Flarum\Http\AccessToken; +use Flarum\Http\Rememberer; +use Flarum\Http\SessionAuthenticator; +use Psr\Http\Message\ServerRequestInterface as Request; +use Zend\Diactoros\Response\HtmlResponse; + +class AuthenticationResponseFactory +{ + /** + * @var SessionAuthenticator + */ + protected $authenticator; + + /** + * @var Rememberer + */ + protected $rememberer; + + /** + * AuthenticationResponseFactory constructor. + * @param SessionAuthenticator $authenticator + * @param Rememberer $rememberer + */ + public function __construct(SessionAuthenticator $authenticator, Rememberer $rememberer) + { + + $this->authenticator = $authenticator; + $this->rememberer = $rememberer; + } + + public function make(Request $request, array $identification, array $suggestions = []) + { + if (isset($suggestions['username'])) { + $suggestions['username'] = $this->sanitizeUsername($suggestions['username']); + } + + $user = User::where($identification)->first(); + + $payload = $this->getPayload($identification, $suggestions, $user); + + $response = $this->getResponse($payload); + + if ($user) { + $session = $request->getAttribute('session'); + $this->authenticator->logIn($session, $user->id); + + $response = $this->rememberer->rememberUser($response, $user->id); + } + + return $response; + } + + /** + * @param string $username + * @return string + */ + private function sanitizeUsername($username) + { + return preg_replace('/[^a-z0-9-_]/i', '', $username); + } + + /** + * @param array $payload + * @return HtmlResponse + */ + private function getResponse(array $payload) + { + $content = sprintf( + '', + json_encode($payload) + ); + + return new HtmlResponse($content); + } + + /** + * @param array $identification + * @param array $suggestions + * @param User|null $user + * @return array + */ + private function getPayload(array $identification, array $suggestions, User $user = null) + { + // If a user with these attributes already exists, then we will log them + // in by generating an access token. Otherwise, we will generate a + // unique token for these attributes and add it to the response, along + // with the suggested account information. + if ($user) { + $payload = ['authenticated' => true]; + } else { + $token = AuthToken::generate($identification); + $token->save(); + + $payload = array_merge($identification, $suggestions, ['token' => $token->id]); + } + + return $payload; + } +} diff --git a/src/Forum/Controller/AuthenticateUserTrait.php b/src/Forum/Controller/AuthenticateUserTrait.php deleted file mode 100644 index f53250da2..000000000 --- a/src/Forum/Controller/AuthenticateUserTrait.php +++ /dev/null @@ -1,76 +0,0 @@ - - * - * For the full copyright and license information, please view the LICENSE - * file that was distributed with this source code. - */ - -namespace Flarum\Forum\Controller; - -use Flarum\Core\User; -use Zend\Diactoros\Response\HtmlResponse; -use Flarum\Core\AuthToken; -use Psr\Http\Message\ServerRequestInterface as Request; - -trait AuthenticateUserTrait -{ - /** - * @var \Illuminate\Contracts\Bus\Dispatcher - */ - protected $bus; - - /** - * Respond with JavaScript to inform the Flarum app about the user's - * authentication status. - * - * An array of identification attributes must be passed as the first - * argument. These are checked against existing user accounts; if a match is - * found, then the user is authenticated and logged into that account via - * cookie. The Flarum app will then simply refresh the page. - * - * If no matching account is found, then an AuthToken will be generated to - * store the identification attributes. This token, along with an optional - * array of suggestions, will be passed into the Flarum app's sign up modal. - * This results in the user not having to choose a password. When they - * complete their registration, the identification attributes will be - * set on their new user account. - * - * @param array $identification - * @param array $suggestions - * @return HtmlResponse - */ - protected function authenticate(Request $request, array $identification, array $suggestions = []) - { - $user = User::where($identification)->first(); - - // If a user with these attributes already exists, then we will log them - // in by generating an access token. Otherwise, we will generate a - // unique token for these attributes and add it to the response, along - // with the suggested account information. - if ($user) { - $payload = ['authenticated' => true]; - } else { - $token = AuthToken::generate($identification); - $token->save(); - - $payload = array_merge($identification, $suggestions, ['token' => $token->id]); - } - - $content = sprintf( - '', - json_encode($payload) - ); - - $response = new HtmlResponse($content); - - if ($user) { - $session = $request->getAttribute('session'); - $session->assign($user)->regenerateId()->renew()->setDuration(60 * 24 * 14)->save(); - } - - return $response; - } -} diff --git a/src/Forum/Controller/ConfirmEmailController.php b/src/Forum/Controller/ConfirmEmailController.php index d763ac94d..0ce819420 100644 --- a/src/Forum/Controller/ConfirmEmailController.php +++ b/src/Forum/Controller/ConfirmEmailController.php @@ -14,6 +14,7 @@ use Flarum\Core\Command\ConfirmEmail; use Flarum\Core\Exception\InvalidConfirmationTokenException; use Flarum\Foundation\Application; use Flarum\Http\Controller\ControllerInterface; +use Flarum\Http\SessionAuthenticator; use Illuminate\Contracts\Bus\Dispatcher; use Psr\Http\Message\ServerRequestInterface as Request; use Zend\Diactoros\Response\HtmlResponse; @@ -31,14 +32,21 @@ class ConfirmEmailController implements ControllerInterface */ protected $app; + /** + * @var SessionAuthenticator + */ + protected $authenticator; + /** * @param Dispatcher $bus * @param Application $app + * @param SessionAuthenticator $authenticator */ - public function __construct(Dispatcher $bus, Application $app) + public function __construct(Dispatcher $bus, Application $app, SessionAuthenticator $authenticator) { $this->bus = $bus; $this->app = $app; + $this->authenticator = $authenticator; } /** @@ -58,7 +66,7 @@ class ConfirmEmailController implements ControllerInterface } $session = $request->getAttribute('session'); - $session->assign($user)->regenerateId()->renew()->setDuration(60 * 24 * 14)->save(); + $this->authenticator->logIn($session, $user->id); return new RedirectResponse($this->app->url()); } diff --git a/src/Forum/Controller/LogInController.php b/src/Forum/Controller/LogInController.php index 974668106..3a864c81b 100644 --- a/src/Forum/Controller/LogInController.php +++ b/src/Forum/Controller/LogInController.php @@ -11,10 +11,13 @@ namespace Flarum\Forum\Controller; use Flarum\Api\Client; -use Flarum\Http\Session; +use Flarum\Api\Controller\TokenController; +use Flarum\Http\AccessToken; use Flarum\Event\UserLoggedIn; use Flarum\Core\Repository\UserRepository; use Flarum\Http\Controller\ControllerInterface; +use Flarum\Http\Rememberer; +use Flarum\Http\SessionAuthenticator; use Psr\Http\Message\ServerRequestInterface as Request; use Zend\Diactoros\Response\EmptyResponse; use Zend\Diactoros\Response\JsonResponse; @@ -31,36 +34,52 @@ class LogInController implements ControllerInterface */ protected $apiClient; + /** + * @var SessionAuthenticator + */ + protected $authenticator; + + /** + * @var Rememberer + */ + protected $rememberer; + /** * @param \Flarum\Core\Repository\UserRepository $users * @param Client $apiClient + * @param SessionAuthenticator $authenticator + * @param Rememberer $rememberer */ - public function __construct(UserRepository $users, Client $apiClient) + public function __construct(UserRepository $users, Client $apiClient, SessionAuthenticator $authenticator, Rememberer $rememberer) { $this->users = $users; $this->apiClient = $apiClient; + $this->authenticator = $authenticator; + $this->rememberer = $rememberer; } /** * @param Request $request - * @param array $routeParams * @return JsonResponse|EmptyResponse */ - public function handle(Request $request, array $routeParams = []) + public function handle(Request $request) { - $controller = 'Flarum\Api\Controller\TokenController'; - $session = $request->getAttribute('session'); + $actor = $request->getAttribute('actor'); $params = array_only($request->getParsedBody(), ['identification', 'password']); - $response = $this->apiClient->send($controller, $session, [], $params); + $response = $this->apiClient->send(TokenController::class, $actor, [], $params); if ($response->getStatusCode() === 200) { $data = json_decode($response->getBody()); - $session = Session::find($data->token); - $session->setDuration(60 * 24 * 14)->save(); + $session = $request->getAttribute('session'); + $this->authenticator->logIn($session, $data->userId); - event(new UserLoggedIn($this->users->findOrFail($data->userId), $session)); + $token = AccessToken::find($data->token); + + event(new UserLoggedIn($this->users->findOrFail($data->userId), $token)); + + $response = $this->rememberer->remember($response, $token->id); } return $response; diff --git a/src/Forum/Controller/LogOutController.php b/src/Forum/Controller/LogOutController.php index c00dc0f43..839c2babd 100644 --- a/src/Forum/Controller/LogOutController.php +++ b/src/Forum/Controller/LogOutController.php @@ -10,10 +10,13 @@ namespace Flarum\Forum\Controller; +use Flarum\Core\User; use Flarum\Event\UserLoggedOut; use Flarum\Foundation\Application; use Flarum\Http\Controller\ControllerInterface; use Flarum\Http\Exception\TokenMismatchException; +use Flarum\Http\Rememberer; +use Flarum\Http\SessionAuthenticator; use Illuminate\Contracts\Events\Dispatcher; use Psr\Http\Message\ServerRequestInterface as Request; use Zend\Diactoros\Response\RedirectResponse; @@ -30,38 +33,55 @@ class LogOutController implements ControllerInterface */ protected $events; + /** + * @var SessionAuthenticator + */ + protected $authenticator; + + /** + * @var Rememberer + */ + protected $rememberer; + /** * @param Application $app * @param Dispatcher $events + * @param SessionAuthenticator $authenticator + * @param Rememberer $rememberer */ - public function __construct(Application $app, Dispatcher $events) + public function __construct(Application $app, Dispatcher $events, SessionAuthenticator $authenticator, Rememberer $rememberer) { $this->app = $app; $this->events = $events; + $this->authenticator = $authenticator; + $this->rememberer = $rememberer; } /** * @param Request $request - * @param array $routeParams * @return \Psr\Http\Message\ResponseInterface * @throws TokenMismatchException */ - public function handle(Request $request, array $routeParams = []) + public function handle(Request $request) { $session = $request->getAttribute('session'); - if ($user = $session->user) { - if (array_get($request->getQueryParams(), 'token') !== $session->csrf_token) { + $response = new RedirectResponse($this->app->url()); + + if ($user = User::find($session->get('user_id'))) { + if (array_get($request->getQueryParams(), 'token') !== $session->get('csrf_token')) { throw new TokenMismatchException; } - $session->exists = false; + $this->authenticator->logOut($session); - $user->sessions()->delete(); + $user->accessTokens()->delete(); $this->events->fire(new UserLoggedOut($user)); + + $response = $this->rememberer->forget($response); } - return new RedirectResponse($this->app->url()); + return $response; } } diff --git a/src/Forum/Controller/RegisterController.php b/src/Forum/Controller/RegisterController.php index 6c0f7c954..dd240858a 100644 --- a/src/Forum/Controller/RegisterController.php +++ b/src/Forum/Controller/RegisterController.php @@ -11,42 +11,47 @@ namespace Flarum\Forum\Controller; use Flarum\Api\Client; -use Flarum\Core\User; +use Flarum\Http\AccessToken; use Flarum\Http\Controller\ControllerInterface; +use Flarum\Http\Rememberer; +use Flarum\Http\SessionAuthenticator; use Psr\Http\Message\ServerRequestInterface as Request; -use Zend\Diactoros\Response\EmptyResponse; use Zend\Diactoros\Response\JsonResponse; -use Illuminate\Contracts\Bus\Dispatcher; class RegisterController implements ControllerInterface { - /** - * @var Dispatcher - */ - protected $bus; - /** * @var Client */ protected $api; /** - * @param Dispatcher $bus - * @param Client $api + * @var SessionAuthenticator */ - public function __construct(Dispatcher $bus, Client $api) + protected $authenticator; + + /** + * @var Rememberer + */ + protected $rememberer; + + /** + * @param Client $api + * @param SessionAuthenticator $authenticator + * @param Rememberer $rememberer + */ + public function __construct(Client $api, SessionAuthenticator $authenticator, Rememberer $rememberer) { - $this->bus = $bus; $this->api = $api; + $this->authenticator = $authenticator; + $this->rememberer = $rememberer; } /** * @param Request $request - * @param array $routeParams - * * @return JsonResponse */ - public function handle(Request $request, array $routeParams = []) + public function handle(Request $request) { $controller = 'Flarum\Api\Controller\CreateUserController'; $actor = $request->getAttribute('actor'); @@ -55,15 +60,16 @@ class RegisterController implements ControllerInterface $response = $this->api->send($controller, $actor, [], $body); $body = json_decode($response->getBody()); - $statusCode = $response->getStatusCode(); if (isset($body->data)) { - $user = User::find($body->data->id); + $userId = $body->data->id; $session = $request->getAttribute('session'); - $session->assign($user)->regenerateId()->renew()->setDuration(60 * 24 * 14)->save(); + $this->authenticator->logIn($session, $userId); + + $response = $this->rememberer->rememberUser($response, $userId); } - return new JsonResponse($body, $statusCode); + return $response; } } diff --git a/src/Forum/Controller/ResetPasswordController.php b/src/Forum/Controller/ResetPasswordController.php index 07106624b..61e661ff9 100644 --- a/src/Forum/Controller/ResetPasswordController.php +++ b/src/Forum/Controller/ResetPasswordController.php @@ -47,6 +47,8 @@ class ResetPasswordController extends AbstractHtmlController throw new InvalidConfirmationTokenException; } - return $this->view->make('flarum::reset')->with('token', $token->id); + return $this->view->make('flarum::reset') + ->with('passwordToken', $token->id) + ->with('csrfToken', $request->getAttribute('session')->get('csrf_token')); } } diff --git a/src/Forum/Controller/SavePasswordController.php b/src/Forum/Controller/SavePasswordController.php index 934bac58e..0ec531926 100644 --- a/src/Forum/Controller/SavePasswordController.php +++ b/src/Forum/Controller/SavePasswordController.php @@ -14,6 +14,7 @@ use Flarum\Core\PasswordToken; use Flarum\Core\Command\EditUser; use Flarum\Forum\UrlGenerator; use Flarum\Http\Controller\ControllerInterface; +use Flarum\Http\SessionAuthenticator; use Psr\Http\Message\ServerRequestInterface as Request; use Zend\Diactoros\Response\RedirectResponse; @@ -25,11 +26,18 @@ class SavePasswordController implements ControllerInterface protected $url; /** - * @param UrlGenerator $url + * @var SessionAuthenticator */ - public function __construct(UrlGenerator $url) + protected $authenticator; + + /** + * @param UrlGenerator $url + * @param SessionAuthenticator $authenticator + */ + public function __construct(UrlGenerator $url, SessionAuthenticator $authenticator) { $this->url = $url; + $this->authenticator = $authenticator; } /** @@ -40,7 +48,7 @@ class SavePasswordController implements ControllerInterface { $input = $request->getParsedBody(); - $token = PasswordToken::findOrFail(array_get($input, 'token')); + $token = PasswordToken::findOrFail(array_get($input, 'passwordToken')); $password = array_get($input, 'password'); $confirmation = array_get($input, 'password_confirmation'); @@ -54,6 +62,9 @@ class SavePasswordController implements ControllerInterface $token->delete(); + $session = $request->getAttribute('session'); + $this->authenticator->logIn($session, $token->user->id); + return new RedirectResponse($this->url->toBase()); } } diff --git a/src/Forum/Server.php b/src/Forum/Server.php index 49f3a5235..ed6faec98 100644 --- a/src/Forum/Server.php +++ b/src/Forum/Server.php @@ -32,12 +32,14 @@ class Server extends AbstractServer if (! $app->isInstalled()) { $app->register('Flarum\Install\InstallServiceProvider'); + $pipe->pipe($basePath, $app->make('Flarum\Http\Middleware\StartSession')); $pipe->pipe($basePath, $app->make('Flarum\Http\Middleware\DispatchRoute', ['routes' => $app->make('flarum.install.routes')])); $pipe->pipe($basePath, new HandleErrors($errorDir, true)); } elseif ($app->isUpToDate() && ! $app->isDownForMaintenance()) { $pipe->pipe($basePath, $app->make('Flarum\Http\Middleware\ParseJsonBody')); - $pipe->pipe($basePath, $app->make('Flarum\Http\Middleware\AuthenticateWithCookie')); $pipe->pipe($basePath, $app->make('Flarum\Http\Middleware\StartSession')); + $pipe->pipe($basePath, $app->make('Flarum\Http\Middleware\RememberFromCookie')); + $pipe->pipe($basePath, $app->make('Flarum\Http\Middleware\AuthenticateWithSession')); $pipe->pipe($basePath, $app->make('Flarum\Http\Middleware\SetLocale')); $pipe->pipe($basePath, $app->make('Flarum\Http\Middleware\DispatchRoute', ['routes' => $app->make('flarum.forum.routes')])); $pipe->pipe($basePath, new HandleErrors($errorDir, $app->inDebugMode())); diff --git a/src/Http/AbstractServer.php b/src/Http/AbstractServer.php index b1abe4d4c..e85f93d61 100644 --- a/src/Http/AbstractServer.php +++ b/src/Http/AbstractServer.php @@ -21,6 +21,8 @@ abstract class AbstractServer extends BaseAbstractServer { $app = $this->getApp(); + $this->collectGarbage($app); + $server = Server::createServer( $this->getMiddleware($app), $_SERVER, @@ -38,4 +40,16 @@ abstract class AbstractServer extends BaseAbstractServer * @return MiddlewareInterface */ abstract protected function getMiddleware(Application $app); + + private function collectGarbage() + { + if ($this->hitsLottery()) { + AccessToken::whereRaw('last_activity <= ? - lifetime', [time()])->delete(); + } + } + + private function hitsLottery() + { + return mt_rand(1, 100) <= 2; + } } diff --git a/src/Http/AccessToken.php b/src/Http/AccessToken.php new file mode 100644 index 000000000..6c4192641 --- /dev/null +++ b/src/Http/AccessToken.php @@ -0,0 +1,71 @@ + + * + * For the full copyright and license information, please view the LICENSE + * file that was distributed with this source code. + */ + +namespace Flarum\Http; + +use Flarum\Database\AbstractModel; + +/** + * @property string $id + * @property int $user_id + * @property int $last_activity + * @property int $lifetime + * @property \Flarum\Core\User|null $user + */ +class AccessToken extends AbstractModel +{ + /** + * {@inheritdoc} + */ + protected $table = 'access_tokens'; + + /** + * Use a custom primary key for this model. + * + * @var bool + */ + public $incrementing = false; + + /** + * Generate an access token for the specified user. + * + * @param int $userId + * @param int $lifetime + * @return static + */ + public static function generate($userId, $lifetime = 3600) + { + $token = new static; + + $token->id = str_random(40); + $token->user_id = $userId; + $token->last_activity = time(); + $token->lifetime = $lifetime; + + return $token; + } + + public function touch() + { + $this->last_activity = time(); + + return $this->save(); + } + + /** + * Define the relationship with the owner of this access token. + * + * @return \Illuminate\Database\Eloquent\Relations\BelongsTo + */ + public function user() + { + return $this->belongsTo('Flarum\Core\User'); + } +} diff --git a/src/Http/Controller/ClientView.php b/src/Http/Controller/ClientView.php index 4f5e919db..77f0d33cc 100644 --- a/src/Http/Controller/ClientView.php +++ b/src/Http/Controller/ClientView.php @@ -343,7 +343,7 @@ class ClientView implements Renderable return [ 'userId' => $this->actor->id, - 'csrfToken' => $session->csrf_token + 'csrfToken' => $session->get('csrf_token') ]; } } diff --git a/src/Http/Middleware/AuthenticateWithCookie.php b/src/Http/Middleware/AuthenticateWithCookie.php deleted file mode 100644 index aca046548..000000000 --- a/src/Http/Middleware/AuthenticateWithCookie.php +++ /dev/null @@ -1,52 +0,0 @@ - - * - * For the full copyright and license information, please view the LICENSE - * file that was distributed with this source code. - */ - -namespace Flarum\Http\Middleware; - -use Flarum\Http\Exception\TokenMismatchException; -use Flarum\Http\Session; -use Psr\Http\Message\ResponseInterface as Response; -use Psr\Http\Message\ServerRequestInterface as Request; -use Zend\Stratigility\MiddlewareInterface; - -class AuthenticateWithCookie implements MiddlewareInterface -{ - /** - * {@inheritdoc} - */ - public function __invoke(Request $request, Response $response, callable $out = null) - { - $id = array_get($request->getCookieParams(), 'flarum_session'); - - if ($id) { - $session = Session::find($id); - - $request = $request->withAttribute('session', $session); - - if (! $this->isReading($request) && ! $this->tokensMatch($request)) { - throw new TokenMismatchException; - } - } - - return $out ? $out($request, $response) : $response; - } - - private function isReading(Request $request) - { - return in_array($request->getMethod(), ['HEAD', 'GET', 'OPTIONS']); - } - - private function tokensMatch(Request $request) - { - $input = $request->getHeaderLine('X-CSRF-Token') ?: array_get($request->getParsedBody(), 'token'); - - return $request->getAttribute('session')->csrf_token === $input; - } -} diff --git a/src/Http/Middleware/AuthenticateWithHeader.php b/src/Http/Middleware/AuthenticateWithHeader.php index 638ea5cc5..438463ed2 100644 --- a/src/Http/Middleware/AuthenticateWithHeader.php +++ b/src/Http/Middleware/AuthenticateWithHeader.php @@ -12,7 +12,7 @@ namespace Flarum\Http\Middleware; use Flarum\Api\ApiKey; use Flarum\Core\User; -use Flarum\Http\Session; +use Flarum\Http\AccessToken; use Psr\Http\Message\ResponseInterface as Response; use Psr\Http\Message\ServerRequestInterface as Request; use Zend\Stratigility\MiddlewareInterface; @@ -37,13 +37,15 @@ class AuthenticateWithHeader implements MiddlewareInterface $id = substr($parts[0], strlen($this->prefix)); if (isset($parts[1]) && ApiKey::valid($id)) { - if ($actor = $this->getUser($parts[1])) { - $request = $request->withAttribute('actor', $actor); - } - } else { - $session = Session::find($id); + $actor = $this->getUser($parts[1]); + } elseif ($token = AccessToken::find($id)) { + $token->touch(); - $request = $request->withAttribute('session', $session); + $actor = $token->user; + } + + if (isset($actor)) { + $request = $request->withAttribute('actor', $actor); } } diff --git a/src/Http/Middleware/AuthenticateWithSession.php b/src/Http/Middleware/AuthenticateWithSession.php new file mode 100644 index 000000000..8331d3156 --- /dev/null +++ b/src/Http/Middleware/AuthenticateWithSession.php @@ -0,0 +1,46 @@ + + * + * For the full copyright and license information, please view the LICENSE + * file that was distributed with this source code. + */ + +namespace Flarum\Http\Middleware; + +use Flarum\Core\Guest; +use Flarum\Core\User; +use Psr\Http\Message\ResponseInterface as Response; +use Psr\Http\Message\ServerRequestInterface as Request; +use Symfony\Component\HttpFoundation\Session\SessionInterface; +use Zend\Stratigility\MiddlewareInterface; + +class AuthenticateWithSession implements MiddlewareInterface +{ + /** + * {@inheritdoc} + */ + public function __invoke(Request $request, Response $response, callable $out = null) + { + $session = $request->getAttribute('session'); + + $actor = $this->getActor($session); + + $request = $request->withAttribute('actor', $actor); + + return $out ? $out($request, $response) : $response;; + } + + private function getActor(SessionInterface $session) + { + $actor = User::find($session->get('user_id')) ?: new Guest; + + if ($actor->exists) { + $actor->updateLastSeen()->save(); + } + + return $actor; + } +} diff --git a/src/Http/Middleware/RememberFromCookie.php b/src/Http/Middleware/RememberFromCookie.php new file mode 100644 index 000000000..7d425704b --- /dev/null +++ b/src/Http/Middleware/RememberFromCookie.php @@ -0,0 +1,40 @@ + + * + * For the full copyright and license information, please view the LICENSE + * file that was distributed with this source code. + */ + +namespace Flarum\Http\Middleware; + +use Flarum\Http\AccessToken; +use Psr\Http\Message\ResponseInterface as Response; +use Psr\Http\Message\ServerRequestInterface as Request; +use Zend\Stratigility\MiddlewareInterface; + +class RememberFromCookie implements MiddlewareInterface +{ + /** + * {@inheritdoc} + */ + public function __invoke(Request $request, Response $response, callable $out = null) + { + $id = array_get($request->getCookieParams(), 'flarum_remember'); + + if ($id) { + $token = AccessToken::find($id); + + if ($token) { + $token->touch(); + + $session = $request->getAttribute('session'); + $session->set('user_id', $token->user_id); + } + } + + return $out ? $out($request, $response) : $response; + } +} diff --git a/src/Http/Middleware/StartSession.php b/src/Http/Middleware/StartSession.php index 9ba822492..134616cf4 100644 --- a/src/Http/Middleware/StartSession.php +++ b/src/Http/Middleware/StartSession.php @@ -10,72 +10,57 @@ namespace Flarum\Http\Middleware; +use Dflydev\FigCookies\Cookie; use Dflydev\FigCookies\FigResponseCookies; use Dflydev\FigCookies\SetCookie; -use Dflydev\FigCookies\SetCookies; -use Flarum\Http\Session; -use Flarum\Core\Guest; -use Flarum\Http\WriteSessionCookieTrait; +use Illuminate\Support\Str; use Psr\Http\Message\ResponseInterface as Response; use Psr\Http\Message\ServerRequestInterface as Request; +use Symfony\Component\HttpFoundation\Session\Session; +use Symfony\Component\HttpFoundation\Session\SessionInterface; use Zend\Stratigility\MiddlewareInterface; class StartSession implements MiddlewareInterface { - use WriteSessionCookieTrait; - /** * {@inheritdoc} */ public function __invoke(Request $request, Response $response, callable $out = null) { - $this->collectGarbage(); + $session = $this->startSession(); - $session = $this->getSession($request); - $actor = $this->getActor($session); - - $request = $request - ->withAttribute('session', $session) - ->withAttribute('actor', $actor); + $request = $request->withAttribute('session', $session); $response = $out ? $out($request, $response) : $response; - return $this->addSessionCookieToResponse($response, $session, 'flarum_session'); - } - - private function getSession(Request $request) - { - $session = $request->getAttribute('session'); - - if (! $session) { - $session = Session::generate(); + if ($session->has('csrf_token')) { + $response = $response->withHeader('X-CSRF-Token', $session->get('csrf_token')); } - $session->extend()->save(); + return $this->withSessionCookie($response, $session); + } + + private function startSession() + { + $session = new Session; + + $session->setName('flarum_session'); + $session->start(); + + if (! $session->has('csrf_token')) { + $session->set('csrf_token', Str::random(40)); + } return $session; } - private function getActor(Session $session) + private function withSessionCookie(Response $response, SessionInterface $session) { - $actor = $session->user ?: new Guest; - - if ($actor->exists) { - $actor->updateLastSeen()->save(); - } - - return $actor; - } - - private function collectGarbage() - { - if ($this->hitsLottery()) { - Session::whereRaw('last_activity <= ? - duration * 60', [time()])->delete(); - } - } - - private function hitsLottery() - { - return mt_rand(1, 100) <= 1; + return FigResponseCookies::set( + $response, + SetCookie::create($session->getName(), $session->getId()) + ->withPath('/') + ->withHttpOnly(true) + ); } } diff --git a/src/Http/Rememberer.php b/src/Http/Rememberer.php new file mode 100644 index 000000000..254bbf99f --- /dev/null +++ b/src/Http/Rememberer.php @@ -0,0 +1,54 @@ + + * + * For the full copyright and license information, please view the LICENSE + * file that was distributed with this source code. + */ + +namespace Flarum\Http; + +use Dflydev\FigCookies\FigResponseCookies; +use Dflydev\FigCookies\SetCookie; +use Psr\Http\Message\ResponseInterface; + +class Rememberer +{ + protected $cookieName = 'flarum_remember'; + + public function remember(ResponseInterface $response, $token) + { + return FigResponseCookies::set( + $response, + $this->createCookie() + ->withValue($token) + ->withMaxAge(14 * 24 * 60 * 60) + ); + } + + public function rememberUser(ResponseInterface $response, $userId) + { + $token = AccessToken::generate($userId); + $token->lifetime = 60 * 60 * 24 * 14; + $token->save(); + + return $this->remember($response, $token->id); + } + + public function forget(ResponseInterface $response) + { + return FigResponseCookies::set( + $response, + $this->createCookie()->withMaxAge(-2628000) + ); + } + + private function createCookie() + { + return SetCookie::create($this->cookieName) + ->withPath('/') + ->withHttpOnly(true); + } +} diff --git a/src/Http/Session.php b/src/Http/Session.php deleted file mode 100644 index dff826e49..000000000 --- a/src/Http/Session.php +++ /dev/null @@ -1,140 +0,0 @@ - - * - * For the full copyright and license information, please view the LICENSE - * file that was distributed with this source code. - */ - -namespace Flarum\Http; - -use DateTime; -use Flarum\Core\User; -use Flarum\Database\AbstractModel; -use Illuminate\Support\Str; - -/** - * @property string $id - * @property int $user_id - * @property int $last_activity - * @property int $duration - * @property \Carbon\Carbon $sudo_expiry_time - * @property string $csrf_token - * @property \Flarum\Core\User|null $user - */ -class Session extends AbstractModel -{ - /** - * {@inheritdoc} - */ - protected $table = 'sessions'; - - /** - * Use a custom primary key for this model. - * - * @var bool - */ - public $incrementing = false; - - /** - * {@inheritdoc} - */ - protected $dates = ['sudo_expiry_time']; - - /** - * Generate a session. - * - * @param User|null $user - * @param int $duration How long before the session will expire, in minutes. - * @return static - */ - public static function generate(User $user = null, $duration = 60) - { - $session = new static; - - $session->assign($user) - ->regenerateId() - ->renew() - ->setDuration($duration); - - return $session->extend(); - } - - /** - * Assign the session to a user. - * - * @param User|null $user - * @return $this - */ - public function assign(User $user = null) - { - $this->user_id = $user ? $user->id : null; - - return $this; - } - - /** - * Regenerate the session ID. - * - * @return $this - */ - public function regenerateId() - { - $this->id = sha1(uniqid('', true).Str::random(25).microtime(true)); - $this->csrf_token = Str::random(40); - - return $this; - } - - /** - * @return $this - */ - public function extend() - { - $this->last_activity = time(); - - return $this; - } - - /** - * @return $this - */ - public function renew() - { - $this->extend(); - $this->sudo_expiry_time = time() + 30 * 60; - - return $this; - } - - /** - * @param int $duration How long before the session will expire, in minutes. - * @return $this - */ - public function setDuration($duration) - { - $this->duration = $duration; - - return $this; - } - - /** - * @return bool - */ - public function isSudo() - { - return $this->sudo_expiry_time > new DateTime; - } - - /** - * Define the relationship with the owner of this access token. - * - * @return \Illuminate\Database\Eloquent\Relations\BelongsTo - */ - public function user() - { - return $this->belongsTo(User::class); - } -} diff --git a/src/Http/SessionAuthenticator.php b/src/Http/SessionAuthenticator.php new file mode 100644 index 000000000..427ff924a --- /dev/null +++ b/src/Http/SessionAuthenticator.php @@ -0,0 +1,36 @@ + + * + * For the full copyright and license information, please view the LICENSE + * file that was distributed with this source code. + */ + +namespace Flarum\Http; + +use DateTime; +use Symfony\Component\HttpFoundation\Session\SessionInterface; + +class SessionAuthenticator +{ + /** + * @param SessionInterface $session + * @param int $userId + */ + public function logIn(SessionInterface $session, $userId) + { + $session->migrate(); + $session->set('user_id', $userId); + $session->set('sudo_expiry', new DateTime('+30 minutes')); + } + + /** + * @param SessionInterface $session + */ + public function logOut(SessionInterface $session) + { + $session->invalidate(); + } +} diff --git a/src/Http/WriteSessionCookieTrait.php b/src/Http/WriteSessionCookieTrait.php deleted file mode 100644 index f74cea56c..000000000 --- a/src/Http/WriteSessionCookieTrait.php +++ /dev/null @@ -1,29 +0,0 @@ - - * - * For the full copyright and license information, please view the LICENSE - * file that was distributed with this source code. - */ - -namespace Flarum\Http; - -use Dflydev\FigCookies\FigResponseCookies; -use Dflydev\FigCookies\SetCookie; -use Psr\Http\Message\ResponseInterface as Response; - -trait WriteSessionCookieTrait -{ - protected function addSessionCookieToResponse(Response $response, Session $session, $cookieName) - { - return FigResponseCookies::set( - $response, - SetCookie::create($cookieName, $session->exists ? $session->id : null) - ->withMaxAge($session->exists ? $session->duration * 60 : -2628000) - ->withPath('/') - ->withHttpOnly(true) - ); - } -} diff --git a/src/Install/Controller/InstallController.php b/src/Install/Controller/InstallController.php index d0f52ecbc..b9c7b13a7 100644 --- a/src/Install/Controller/InstallController.php +++ b/src/Install/Controller/InstallController.php @@ -12,8 +12,8 @@ namespace Flarum\Install\Controller; use Flarum\Core\User; use Flarum\Http\Controller\ControllerInterface; -use Flarum\Http\Session; -use Flarum\Http\WriteSessionCookieTrait; +use Flarum\Http\AccessToken; +use Flarum\Http\SessionAuthenticator; use Psr\Http\Message\ServerRequestInterface as Request; use Zend\Diactoros\Response\HtmlResponse; use Zend\Diactoros\Response; @@ -21,33 +21,34 @@ use Flarum\Install\Console\InstallCommand; use Flarum\Install\Console\DefaultsDataProvider; use Symfony\Component\Console\Output\StreamOutput; use Symfony\Component\Console\Input\StringInput; -use Illuminate\Contracts\Bus\Dispatcher; use Exception; use DateTime; class InstallController implements ControllerInterface { - use WriteSessionCookieTrait; - protected $command; /** - * @var Dispatcher + * @var SessionAuthenticator */ - protected $bus; + protected $authenticator; - public function __construct(InstallCommand $command, Dispatcher $bus) + /** + * InstallController constructor. + * @param InstallCommand $command + * @param SessionAuthenticator $authenticator + */ + public function __construct(InstallCommand $command, SessionAuthenticator $authenticator) { $this->command = $command; - $this->bus = $bus; + $this->authenticator = $authenticator; } /** * @param Request $request - * @param array $routeParams * @return \Psr\Http\Message\ResponseInterface */ - public function handle(Request $request, array $routeParams = []) + public function handle(Request $request) { $input = $request->getParsedBody(); @@ -88,9 +89,9 @@ class InstallController implements ControllerInterface return new HtmlResponse($e->getMessage(), 500); } - $session = Session::generate(User::find(1), 60 * 24 * 14); - $session->save(); + $session = $request->getAttribute('session'); + $this->authenticator->logIn($session, 1); - return $this->addSessionCookieToResponse(new Response($body, 200), $session, 'flarum_session'); + return new Response($body); } } diff --git a/views/reset.blade.php b/views/reset.blade.php index 8fd25b2ee..7a27a5149 100644 --- a/views/reset.blade.php +++ b/views/reset.blade.php @@ -12,7 +12,8 @@

Reset Your Password

- + +