mirror of
https://github.com/flarum/core.git
synced 2025-10-12 15:34:26 +02:00
08ba2599d7
- Make session token-based instead of user-based - Clear current session access tokens on logout - Introduce increment ID so we can show tokens to moderators in the future without exposing secrets - Switch to type classes to manage the different token types. New implementation fixes #2075 - Drop ability to customize lifetime per-token - Add developer access keys that don't expire. These must be created from the database for now - Add title in preparation for the developer token UI - Add IP and user agent logging - Delete all non-remember tokens in migration
91 lines
2.7 KiB
PHP
91 lines
2.7 KiB
PHP
<?php
|
|
|
|
/*
|
|
* This file is part of Flarum.
|
|
*
|
|
* For detailed copyright and license information, please view the
|
|
* LICENSE file that was distributed with this source code.
|
|
*/
|
|
|
|
namespace Flarum\Api\Controller;
|
|
|
|
use Flarum\Http\RememberAccessToken;
|
|
use Flarum\Http\SessionAccessToken;
|
|
use Flarum\User\Exception\NotAuthenticatedException;
|
|
use Flarum\User\UserRepository;
|
|
use Illuminate\Contracts\Bus\Dispatcher as BusDispatcher;
|
|
use Illuminate\Contracts\Events\Dispatcher as EventDispatcher;
|
|
use Illuminate\Support\Arr;
|
|
use Laminas\Diactoros\Response\JsonResponse;
|
|
use Psr\Http\Message\ResponseInterface;
|
|
use Psr\Http\Message\ServerRequestInterface;
|
|
use Psr\Http\Server\RequestHandlerInterface;
|
|
|
|
class CreateTokenController implements RequestHandlerInterface
|
|
{
|
|
/**
|
|
* @var \Flarum\User\UserRepository
|
|
*/
|
|
protected $users;
|
|
|
|
/**
|
|
* @var BusDispatcher
|
|
*/
|
|
protected $bus;
|
|
|
|
/**
|
|
* @var EventDispatcher
|
|
*/
|
|
protected $events;
|
|
|
|
/**
|
|
* @param UserRepository $users
|
|
* @param BusDispatcher $bus
|
|
* @param EventDispatcher $events
|
|
*/
|
|
public function __construct(UserRepository $users, BusDispatcher $bus, EventDispatcher $events)
|
|
{
|
|
$this->users = $users;
|
|
$this->bus = $bus;
|
|
$this->events = $events;
|
|
}
|
|
|
|
/**
|
|
* {@inheritdoc}
|
|
*/
|
|
public function handle(ServerRequestInterface $request): ResponseInterface
|
|
{
|
|
$body = $request->getParsedBody();
|
|
|
|
$identification = Arr::get($body, 'identification');
|
|
$password = Arr::get($body, 'password');
|
|
$lifetime = Arr::get($body, 'lifetime', 3600);
|
|
|
|
$user = $this->users->findByIdentification($identification);
|
|
|
|
if (! $user || ! $user->checkPassword($password)) {
|
|
throw new NotAuthenticatedException;
|
|
}
|
|
|
|
// Use of lifetime attribute is deprecated in beta 16, removed in beta 17
|
|
// For backward compatibility with custom integrations, longer lifetimes will be interpreted as remember tokens
|
|
if ($lifetime > 3600 || Arr::get($body, 'remember')) {
|
|
if ($lifetime > 3600) {
|
|
trigger_error('Use of parameter lifetime is deprecated in beta 16, will be removed in beta 17. Use remember parameter to start a remember session', E_USER_DEPRECATED);
|
|
}
|
|
|
|
$token = RememberAccessToken::generate($user->id);
|
|
} else {
|
|
$token = SessionAccessToken::generate($user->id);
|
|
}
|
|
|
|
// We do a first update here to log the IP/agent of the token creator, even if the token is never used afterwards
|
|
$token->touch($request);
|
|
|
|
return new JsonResponse([
|
|
'token' => $token->token,
|
|
'userId' => $user->id
|
|
]);
|
|
}
|
|
}
|