From 3aebd458b071cf80076372da5dccf6edfa24e8d8 Mon Sep 17 00:00:00 2001
From: Toby Zerner
Date: Thu, 6 Aug 2015 15:04:38 +0930
Subject: [PATCH] Make sure access/email/password tokens are valid

---
 .../Middleware/LoginWithCookieAndCheckAdmin.php | 2 +-
 src/Api/AccessToken.php | 12 ++++++++++++
 src/Api/Middleware/LoginWithHeader.php | 2 +-
 src/Core/Users/Commands/ConfirmEmailHandler.php | 3 ++-
 src/Forum/Actions/LoginAction.php | 6 ++++++
 src/Forum/Actions/ResetPasswordAction.php | 6 ++++++
 src/Forum/Middleware/LoginWithCookie.php | 2 +-
 7 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/src/Admin/Middleware/LoginWithCookieAndCheckAdmin.php b/src/Admin/Middleware/LoginWithCookieAndCheckAdmin.php
index 8871607ea..691725c41 100644
--- a/src/Admin/Middleware/LoginWithCookieAndCheckAdmin.php
+++ b/src/Admin/Middleware/LoginWithCookieAndCheckAdmin.php
@@ -27,7 +27,7 @@ class LoginWithCookieAndCheckAdmin implements MiddlewareInterface
     public function __invoke(Request $request, Response $response, callable $out = null)
     {
         if (($token = array_get($request->getCookieParams(), 'flarum_remember')) &&
-            ($accessToken = AccessToken::where('id', $token)->first()) &&
+            ($accessToken = AccessToken::valid($token)) &&
             $accessToken->user->isAdmin()
         ) {
             $this->app->instance('flarum.actor', $accessToken->user);
diff --git a/src/Api/AccessToken.php b/src/Api/AccessToken.php
index c44ae85fd..6f39d277d 100644
--- a/src/Api/AccessToken.php
+++ b/src/Api/AccessToken.php
@@ -1,6 +1,7 @@ where('expires_at', '>', new DateTime)->first(); + } + /** * Define the relationship with the owner of this access token. *
diff --git a/src/Api/Middleware/LoginWithHeader.php b/src/Api/Middleware/LoginWithHeader.php
index 7dc905ae0..702ab2db6 100644
--- a/src/Api/Middleware/LoginWithHeader.php
+++ b/src/Api/Middleware/LoginWithHeader.php
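Review bot: When the `flarum_remember` cookie is present but `AccessToken::valid($token)` returns null, the middleware just falls through and the stale cookie presumably stays on the client, so later requests keep re-sending an expired token and paying a database lookup each time; the same applies to the LoginWithCookie hunk at the end of this patch. Consider expiring the `flarum_remember` cookie on `$response` in that case, since the response is already a parameter of `__invoke`, which also makes the end of a remembered session visible rather than silent. Separately, `$accessToken->user->isAdmin()` dereferences `user` without a null check, so a still-valid token whose user row is gone would error here instead of being treated as not logged in; that is pre-existing, but worth a guard while this lookup is being reworked. `__invoke` continues outside the hunk.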
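Review bot: The surviving fragment `where('expires_at', '>', new DateTime)->first();` compares the stored `expires_at` with the PHP process's current time, so the PHP default timezone and the timezone in which `expires_at` is written (the `new DateTime('+2 weeks')` in the LoginAction hunk) must agree or the validity window is shifted by the offset; this hunk is partly unreadable in this rendering, so the method signature and any docblock could not be checked. The docblock on the new `valid()` method should state that it returns the token only while unexpired and null otherwise, and that a row with a NULL `expires_at` is rejected because `NULL > now` is not true in SQL — that is the safe default, but it affects any tokens issued before this change, which the diff does not migrate. Documenting the fail-closed behaviour keeps a later maintainer from "fixing" it by accepting NULL.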
@@ -34,7 +34,7 @@ class LoginWithHeader implements MiddlewareInterface
         $header = $request->getHeaderLine('authorization');
 
         if (starts_with($header, $this->prefix) &&
             ($token = substr($header, strlen($this->prefix))) &&
-            ($accessToken = AccessToken::where('id', $token)->first())
+            ($accessToken = AccessToken::valid($token))
         ) {
             $this->app->instance('flarum.actor', $user = $accessToken->user);
diff --git a/src/Core/Users/Commands/ConfirmEmailHandler.php b/src/Core/Users/Commands/ConfirmEmailHandler.php
index dd946511d..aac2d2b2f 100644
--- a/src/Core/Users/Commands/ConfirmEmailHandler.php
+++ b/src/Core/Users/Commands/ConfirmEmailHandler.php
@@ -5,6 +5,7 @@ use Flarum\Events\UserWillBeSaved;
 use Flarum\Core\Support\DispatchesEvents;
 use Flarum\Core\Exceptions\InvalidConfirmationTokenException;
 use Flarum\Core\Users\EmailToken;
+use DateTime;
 
 class ConfirmEmailHandler
 {
@@ -32,7 +33,7 @@ class ConfirmEmailHandler
     {
         $token = EmailToken::find($command->token);
 
-        if (! $token) {
+        if (! $token || $token->created_at < new DateTime('-1 day')) {
             throw new InvalidConfirmationTokenException;
         }
 
diff --git a/src/Forum/Actions/LoginAction.php b/src/Forum/Actions/LoginAction.php
index dfcf1a863..9f6a49407 100644
--- a/src/Forum/Actions/LoginAction.php
+++ b/src/Forum/Actions/LoginAction.php
@@ -1,12 +1,14 @@ userId)) { + // Extend the token's expiry to 2 weeks so that we can set a + // remember cookie + AccessToken::where('id', $data->token)->update(['expires_at' => new DateTime('+2 weeks')]); + event(new UserLoggedIn($this->users->findOrFail($data->userId), $data->token)); return $this->withRememberCookie(
diff --git a/src/Forum/Actions/ResetPasswordAction.php b/src/Forum/Actions/ResetPasswordAction.php
index 82fa6d5c3..7effcb0ec 100644
--- a/src/Forum/Actions/ResetPasswordAction.php
+++ b/src/Forum/Actions/ResetPasswordAction.php
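Review bot: The header path now rejects expired tokens but nothing in the request path refreshes `expires_at`, so an API client that keeps using its token is cut off at an absolute deadline rather than a sliding one; that may well be the intended policy, but it is stated nowhere in this diff. A one-line comment above the `if`, such as `// Expiry is absolute: presenting the token does not extend it`, would stop a later change from silently weakening it. If a sliding window is wanted instead, do the extension in one place (the `valid()` lookup or a dedicated method on AccessToken) rather than in each middleware. `__invoke` continues outside the hunk.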
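Review bot: The new check `$token->created_at < new DateTime('-1 day')` only means "older than a day" if `EmailToken` hydrates `created_at` as a DateTime/Carbon instance; if the model returns it as a raw string (no `$dates` entry, or timestamps disabled), PHP is comparing a string with an object and the result is not a chronological comparison, so either confirm the model's casting or convert explicitly with `new DateTime($token->created_at)`. The one-day lifetime is also written as the literal `'-1 day'` both here and in the ResetPasswordAction hunk; a single named constant on the token models (name to be chosen) would keep the two windows from drifting apart. The enclosing method continues outside the hunk.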
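Review bot: The `+2 weeks` written into `expires_at` here and the lifetime of the cookie set by `withRememberCookie` are two independent values that have to stay equal for the comment "so that we can set a remember cookie" to hold; `withRememberCookie` is outside the diff, so I cannot confirm they match, but deriving both from one constant would remove the drift risk. The update is keyed by `$data->token` alone rather than scoped to `$data->userId`, which is fine if `$data` is the internal login response as the surrounding code suggests, and a short comment saying the token is trusted because the API just issued it would make that assumption explicit. This hunk is partly unreadable in this rendering and the enclosing method starts and ends outside what is visible.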
@@ -2,7 +2,9 @@
 
 use Flarum\Core\Users\PasswordToken;
 use Flarum\Support\HtmlAction;
+use Flarum\Core\Exceptions\InvalidConfirmationTokenException;
 use Psr\Http\Message\ServerRequestInterface as Request;
+use DateTime;
 
 class ResetPasswordAction extends HtmlAction
 {
@@ -17,6 +19,10 @@ class ResetPasswordAction extends HtmlAction
         $token = PasswordToken::findOrFail($token);
 
+        if ($token->created_at < new DateTime('-1 day')) {
+            throw new InvalidConfirmationTokenException;
+        }
+
         return view('flarum::reset')->with('token', $token->id);
     }
 }
diff --git a/src/Forum/Middleware/LoginWithCookie.php b/src/Forum/Middleware/LoginWithCookie.php
index e4d73f2f7..af70711c5 100644
--- a/src/Forum/Middleware/LoginWithCookie.php
+++ b/src/Forum/Middleware/LoginWithCookie.php
@@ -27,7 +27,7 @@ class LoginWithCookie implements MiddlewareInterface
     public function __invoke(Request $request, Response $response, callable $out = null)
     {
         if (($token = array_get($request->getCookieParams(), 'flarum_remember')) &&
-            ($accessToken = AccessToken::where('id', $token)->first())
+            ($accessToken = AccessToken::valid($token))
         ) {
             $this->app->instance('flarum.actor', $user = $accessToken->user);
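Review bot: The one-day expiry is enforced in the action that renders the reset form (`findOrFail` followed by the new `created_at` check), but the diffstat lists no change to the command handler that actually consumes the password token, so unless that handler has its own check, a token older than a day is only blocked from the HTML form and not from the request that performs the reset. The check belongs where the token is consumed, with this action reusing the same predicate, and the docblock on that predicate should state the window. Note also the inconsistent error surface: a missing token becomes a not-found from `findOrFail`, while an expired one throws `InvalidConfirmationTokenException`, which the caller may render differently. The enclosing method starts outside the hunk.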