mirror of
https://github.com/flarum/core.git
synced 2025-10-12 07:24:27 +02:00
Overhaul sessions, tokens, and authentication
- Use cookies + CSRF token for API authentication in the default client. This mitigates potential XSS attacks by making the token unavailable to JavaScript. The Authorization header is still supported, but not used by default. - Make sensitive/destructive actions (editing a user, permanently deleting anything, visiting the admin CP) require the user to re-enter their password if they haven't entered it in the last 30 minutes. - Refactor and clean up the authentication middleware. - Add an `onhide` hook to the Modal component. (+1 squashed commit)
This commit is contained in:
Toby Zerner
@@ -10,12 +10,15 @@
|
||||
|
||||
namespace Flarum\Api\Controller;
|
||||
|
||||
use Flarum\Core\Access\AssertPermissionTrait;
|
||||
use Flarum\Core\Command\DeleteDiscussion;
|
||||
use Illuminate\Contracts\Bus\Dispatcher;
|
||||
use Psr\Http\Message\ServerRequestInterface;
|
||||
|
||||
class DeleteDiscussionController extends AbstractDeleteController
|
||||
{
|
||||
use AssertPermissionTrait;
|
||||
|
||||
/**
|
||||
* @var Dispatcher
|
||||
*/
|
||||
@@ -38,6 +41,8 @@ class DeleteDiscussionController extends AbstractDeleteController
|
||||
$actor = $request->getAttribute('actor');
|
||||
$input = $request->getParsedBody();
|
||||
|
||||
$this->assertSudo($request);
|
||||
|
||||
$this->bus->dispatch(
|
||||
new DeleteDiscussion($id, $actor, $input)
|
||||
);
|
||||
|
||||
@@ -10,12 +10,15 @@
|
||||
|
||||
namespace Flarum\Api\Controller;
|
||||
|
||||
use Flarum\Core\Access\AssertPermissionTrait;
|
||||
use Flarum\Core\Command\DeleteGroup;
|
||||
use Illuminate\Contracts\Bus\Dispatcher;
|
||||
use Psr\Http\Message\ServerRequestInterface;
|
||||
|
||||
class DeleteGroupController extends AbstractDeleteController
|
||||
{
|
||||
use AssertPermissionTrait;
|
||||
|
||||
/**
|
||||
* @var Dispatcher
|
||||
*/
|
||||
@@ -34,6 +37,8 @@ class DeleteGroupController extends AbstractDeleteController
|
||||
*/
|
||||
protected function delete(ServerRequestInterface $request)
|
||||
{
|
||||
$this->assertSudo($request);
|
||||
|
||||
$this->bus->dispatch(
|
||||
new DeleteGroup(array_get($request->getQueryParams(), 'id'), $request->getAttribute('actor'))
|
||||
);
|
||||
|
||||
@@ -10,12 +10,15 @@
|
||||
|
||||
namespace Flarum\Api\Controller;
|
||||
|
||||
use Flarum\Core\Access\AssertPermissionTrait;
|
||||
use Flarum\Core\Command\DeletePost;
|
||||
use Illuminate\Contracts\Bus\Dispatcher;
|
||||
use Psr\Http\Message\ServerRequestInterface;
|
||||
|
||||
class DeletePostController extends AbstractDeleteController
|
||||
{
|
||||
use AssertPermissionTrait;
|
||||
|
||||
/**
|
||||
* @var Dispatcher
|
||||
*/
|
||||
@@ -34,6 +37,8 @@ class DeletePostController extends AbstractDeleteController
|
||||
*/
|
||||
protected function delete(ServerRequestInterface $request)
|
||||
{
|
||||
$this->assertSudo($request);
|
||||
|
||||
$this->bus->dispatch(
|
||||
new DeletePost(array_get($request->getQueryParams(), 'id'), $request->getAttribute('actor'))
|
||||
);
|
||||
|
||||
@@ -10,12 +10,15 @@
|
||||
|
||||
namespace Flarum\Api\Controller;
|
||||
|
||||
use Flarum\Core\Access\AssertPermissionTrait;
|
||||
use Flarum\Core\Command\DeleteUser;
|
||||
use Illuminate\Contracts\Bus\Dispatcher;
|
||||
use Psr\Http\Message\ServerRequestInterface;
|
||||
|
||||
class DeleteUserController extends AbstractDeleteController
|
||||
{
|
||||
use AssertPermissionTrait;
|
||||
|
||||
/**
|
||||
* @var Dispatcher
|
||||
*/
|
||||
@@ -34,6 +37,8 @@ class DeleteUserController extends AbstractDeleteController
|
||||
*/
|
||||
protected function delete(ServerRequestInterface $request)
|
||||
{
|
||||
$this->assertSudo($request);
|
||||
|
||||
$this->bus->dispatch(
|
||||
new DeleteUser(array_get($request->getQueryParams(), 'id'), $request->getAttribute('actor'))
|
||||
);
|
||||
|
||||
@@ -25,7 +25,7 @@ class SetPermissionController implements ControllerInterface
|
||||
*/
|
||||
public function handle(ServerRequestInterface $request)
|
||||
{
|
||||
$this->assertAdmin($request->getAttribute('actor'));
|
||||
$this->assertAdminAndSudo($request);
|
||||
|
||||
$body = $request->getParsedBody();
|
||||
$permission = array_get($body, 'permission');
|
||||
|
||||
@@ -47,7 +47,7 @@ class SetSettingsController implements ControllerInterface
|
||||
*/
|
||||
public function handle(ServerRequestInterface $request)
|
||||
{
|
||||
$this->assertAdmin($request->getAttribute('actor'));
|
||||
$this->assertAdminAndSudo($request);
|
||||
|
||||
$settings = $request->getParsedBody();
|
||||
|
||||
|
||||
@@ -10,11 +10,10 @@
|
||||
|
||||
namespace Flarum\Api\Controller;
|
||||
|
||||
use Flarum\Api\Command\GenerateAccessToken;
|
||||
use Flarum\Core\Exception\PermissionDeniedException;
|
||||
use Flarum\Core\Repository\UserRepository;
|
||||
use Flarum\Event\UserEmailChangeWasRequested;
|
||||
use Flarum\Http\Controller\ControllerInterface;
|
||||
use Flarum\Http\Session;
|
||||
use Illuminate\Contracts\Bus\Dispatcher as BusDispatcher;
|
||||
use Illuminate\Contracts\Events\Dispatcher as EventDispatcher;
|
||||
use Psr\Http\Message\ServerRequestInterface;
|
||||
@@ -65,19 +64,13 @@ class TokenController implements ControllerInterface
|
||||
throw new PermissionDeniedException;
|
||||
}
|
||||
|
||||
if (! $user->is_activated) {
|
||||
$this->events->fire(new UserEmailChangeWasRequested($user, $user->email));
|
||||
$session = $request->getAttribute('session') ?: Session::generate($user);
|
||||
$session->assign($user)->regenerateId()->renew()->save();
|
||||
|
||||
return new JsonResponse(['emailConfirmationRequired' => $user->email], 401);
|
||||
}
|
||||
|
||||
$token = $this->bus->dispatch(
|
||||
new GenerateAccessToken($user->id)
|
||||
);
|
||||
|
||||
return new JsonResponse([
|
||||
'token' => $token->id,
|
||||
return (new JsonResponse([
|
||||
'token' => $session->id,
|
||||
'userId' => $user->id
|
||||
]);
|
||||
]))
|
||||
->withHeader('X-CSRF-Token', $session->csrf_token);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -33,7 +33,7 @@ class UninstallExtensionController extends AbstractDeleteController
|
||||
|
||||
protected function delete(ServerRequestInterface $request)
|
||||
{
|
||||
$this->assertAdmin($request->getAttribute('actor'));
|
||||
$this->assertAdminAndSudo($request);
|
||||
|
||||
$name = array_get($request->getQueryParams(), 'name');
|
||||
|
||||
|
||||
@@ -38,7 +38,7 @@ class UpdateExtensionController implements ControllerInterface
|
||||
*/
|
||||
public function handle(ServerRequestInterface $request)
|
||||
{
|
||||
$this->assertAdmin($request->getAttribute('actor'));
|
||||
$this->assertAdminAndSudo($request);
|
||||
|
||||
$enabled = array_get($request->getParsedBody(), 'enabled');
|
||||
$name = array_get($request->getQueryParams(), 'name');
|
||||
|
||||
@@ -10,6 +10,7 @@
|
||||
|
||||
namespace Flarum\Api\Controller;
|
||||
|
||||
use Flarum\Core\Access\AssertPermissionTrait;
|
||||
use Flarum\Core\Command\EditUser;
|
||||
use Illuminate\Contracts\Bus\Dispatcher;
|
||||
use Psr\Http\Message\ServerRequestInterface;
|
||||
@@ -17,6 +18,8 @@ use Tobscure\JsonApi\Document;
|
||||
|
||||
class UpdateUserController extends AbstractResourceController
|
||||
{
|
||||
use AssertPermissionTrait;
|
||||
|
||||
/**
|
||||
* {@inheritdoc}
|
||||
*/
|
||||
@@ -49,6 +52,8 @@ class UpdateUserController extends AbstractResourceController
|
||||
$actor = $request->getAttribute('actor');
|
||||
$data = array_get($request->getParsedBody(), 'data', []);
|
||||
|
||||
$this->assertSudo($request);
|
||||
|
||||
return $this->bus->dispatch(
|
||||
new EditUser($id, $actor, $data)
|
||||
);
|
||||
|
||||
Reference in New Issue
Block a user