Rework sessions, remember cookies, and auth again
- Use Symfony's Session component to work with sessions, instead of a custom database model. Separate the concept of access tokens from sessions once again. - Extract common session/remember cookie logic into SessionAuthenticator and Rememberer classes. - Extract AuthenticateUserTrait into a new AuthenticationResponseFactory class. - Fix forgot password process.
@@ -12,7 +12,7 @@ namespace Flarum\Api;
|
||||
|
||||
use Flarum\Http\Controller\ControllerInterface;
|
||||
use Flarum\Core\User;
|
||||
use Flarum\Http\Session;
|
||||
use Flarum\Http\AccessToken;
|
||||
use Illuminate\Contracts\Container\Container;
|
||||
use Exception;
|
||||
use InvalidArgumentException;
|
||||
@@ -44,22 +44,15 @@ class Client
|
||||
* Execute the given API action class, pass the input and return its response.
|
||||
*
|
||||
* @param string|ControllerInterface $controller
|
||||
* @param Session|User|null $session
|
||||
* @param User|null $actor
|
||||
* @param array $queryParams
|
||||
* @param array $body
|
||||
* @return \Psr\Http\Message\ResponseInterface
|
||||
*/
|
||||
public function send($controller, $session, array $queryParams = [], array $body = [])
|
||||
public function send($controller, $actor, array $queryParams = [], array $body = [])
|
||||
{
|
||||
$request = ServerRequestFactory::fromGlobals(null, $queryParams, $body);
|
||||
|
||||
if ($session instanceof Session) {
|
||||
$request = $request->withAttribute('session', $session);
|
||||
$actor = $session->user;
|
||||
} else {
|
||||
$actor = $session;
|
||||
}
|
||||
|
||||
$request = $request->withAttribute('actor', $actor);
|
||||
|
||||
if (is_string($controller)) {
|
||||
|
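Review bot: The renamed `$actor` parameter on the new `send()` signature (the line replacing the old `$session` one) is still untyped, so a caller that was not updated for the rename and keeps passing a `Session` object positionally now lands unchanged in the request's `actor` attribute and only fails later inside a controller, where authorization decisions read it. Since the docblock already narrows it to `User|null`, declare it at the boundary: `public function send($controller, User $actor = null, array $queryParams = [], array $body = [])`, which keeps `null` callers working and rejects anything else up front. The `use Flarum\Http\AccessToken;` added in the first hunk is not referenced in any line visible here; if the rest of the file does not use it, drop it. The body of `send()` continues past the end of the hunk.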
@@ -13,7 +13,7 @@ namespace Flarum\Api\Controller;
|
||||
use Flarum\Core\Exception\PermissionDeniedException;
|
||||
use Flarum\Core\Repository\UserRepository;
|
||||
use Flarum\Http\Controller\ControllerInterface;
|
||||
use Flarum\Http\Session;
|
||||
use Flarum\Http\AccessToken;
|
||||
use Illuminate\Contracts\Bus\Dispatcher as BusDispatcher;
|
||||
use Illuminate\Contracts\Events\Dispatcher as EventDispatcher;
|
||||
use Psr\Http\Message\ServerRequestInterface;
|
||||
@@ -64,13 +64,12 @@ class TokenController implements ControllerInterface
|
||||
throw new PermissionDeniedException;
|
||||
}
|
||||
|
||||
$session = $request->getAttribute('session') ?: Session::generate($user);
|
||||
$session->assign($user)->regenerateId()->renew()->save();
|
||||
$token = AccessToken::generate($user->id);
|
||||
$token->save();
|
||||
|
||||
return (new JsonResponse([
|
||||
'token' => $session->id,
|
||||
'token' => $token->id,
|
||||
'userId' => $user->id
|
||||
]))
|
||||
->withHeader('X-CSRF-Token', $session->csrf_token);
|
||||
]));
|
||||
}
|
||||
}
|
||||
|
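Review bot: The response built around `'token' => $token->id` hands out a fresh bearer credential but sets no cache directives, so a browser or intermediary cache may retain the body; add `->withHeader('Cache-Control', 'no-store')` to the `JsonResponse` chain (the removed `->withHeader('X-CSRF-Token', ...)` line shows where it goes). The new `AccessToken::generate($user->id)` / `$token->save()` pair says nothing in this hunk about how the id is produced or when the token expires; `generate()` is outside the hunk, so confirm it uses a CSPRNG and that expiry or revocation is handled elsewhere, and note that in a comment above the call, e.g. `// Issue a new bearer token for the API; lifetime and revocation live in AccessToken.`, adjusted to whatever the model actually does. The enclosing method starts before the hunk.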
@@ -30,9 +30,10 @@ class Server extends AbstractServer
|
||||
if ($app->isInstalled() && $app->isUpToDate()) {
|
||||
$pipe->pipe($apiPath, $app->make('Flarum\Http\Middleware\ParseJsonBody'));
|
||||
$pipe->pipe($apiPath, $app->make('Flarum\Api\Middleware\FakeHttpMethods'));
|
||||
$pipe->pipe($apiPath, $app->make('Flarum\Http\Middleware\AuthenticateWithCookie'));
|
||||
$pipe->pipe($apiPath, $app->make('Flarum\Http\Middleware\AuthenticateWithHeader'));
|
||||
$pipe->pipe($apiPath, $app->make('Flarum\Http\Middleware\StartSession'));
|
||||
$pipe->pipe($apiPath, $app->make('Flarum\Http\Middleware\RememberFromCookie'));
|
||||
$pipe->pipe($apiPath, $app->make('Flarum\Http\Middleware\AuthenticateWithSession'));
|
||||
$pipe->pipe($apiPath, $app->make('Flarum\Http\Middleware\AuthenticateWithHeader'));
|
||||
$pipe->pipe($apiPath, $app->make('Flarum\Http\Middleware\SetLocale'));
|
||||
$pipe->pipe($apiPath, $app->make('Flarum\Http\Middleware\DispatchRoute', ['routes' => $app->make('flarum.api.routes')]));
|
||||
$pipe->pipe($apiPath, $app->make('Flarum\Api\Middleware\HandleErrors'));
|
||||
|
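Review bot: With cookie-based authentication now accepted on the API path (the added `StartSession`, `RememberFromCookie` and `AuthenticateWithSession` pipes), nothing in this pipeline visibly enforces an anti-CSRF check before `DispatchRoute`, and the TokenController hunk in this commit drops the `X-CSRF-Token` response header; if `AuthenticateWithSession` does not verify such a token itself, state-changing API requests authenticated by session cookie become reachable from other origins. Either confirm that check lives inside `AuthenticateWithSession` or add a dedicated middleware between it and `SetLocale`. The order `AuthenticateWithSession` then `AuthenticateWithHeader` also leaves open which actor wins when a request carries both a session cookie and an Authorization header, which depends on whether the header middleware overwrites the attribute; that is not visible here, so document the intended precedence with a comment above the pipes, e.g. `// Order matters: StartSession must precede the session/remember authenticators; header auth runs last.`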