BookStack Code Mirror - bookstack/blobdiff - app/Access/LoginService.php

index cc48e0f9babed3777b713f6fdf551f70e8603090..6607969afae76c7214922d2cf1f29c58cc07142e 100644 (file)

--- a/app/Access/LoginService.php

+++ b/app/Access/LoginService.php

@@ -5,6 +5,7 @@ namespace BookStack\Access;

use BookStack\Access\Mfa\MfaSession;

use BookStack\Activity\ActivityType;

use BookStack\Exceptions\LoginAttemptException;

use BookStack\Access\Mfa\MfaSession;

use BookStack\Activity\ActivityType;

use BookStack\Exceptions\LoginAttemptException;

+use BookStack\Exceptions\LoginAttemptInvalidUserException;

use BookStack\Exceptions\StoppedAuthenticationException;

use BookStack\Facades\Activity;

use BookStack\Facades\Theme;

use BookStack\Exceptions\StoppedAuthenticationException;

use BookStack\Facades\Activity;

use BookStack\Facades\Theme;

@@ -29,10 +30,14 @@ class LoginService

* a reason to (MFA or Unconfirmed Email).

* Returns a boolean to indicate the current login result.

* a reason to (MFA or Unconfirmed Email).

* Returns a boolean to indicate the current login result.

- * @throws StoppedAuthenticationException

+ * @throws StoppedAuthenticationException|LoginAttemptInvalidUserException

public function login(User $user, string $method, bool $remember = false): void

{

public function login(User $user, string $method, bool $remember = false): void

{

+ if ($user->isGuest()) {

+ throw new LoginAttemptInvalidUserException('Login not allowed for guest user');

+ }

if ($this->awaitingEmailConfirmation($user) || $this->needsMfaVerification($user)) {

$this->setLastLoginAttemptedForUser($user, $method, $remember);

if ($this->awaitingEmailConfirmation($user) || $this->needsMfaVerification($user)) {

$this->setLastLoginAttemptedForUser($user, $method, $remember);

@@ -58,7 +63,7 @@ class LoginService

* @throws Exception

- public function reattemptLoginFor(User $user)

+ public function reattemptLoginFor(User $user): void

{

if ($user->id !== ($this->getLastLoginAttemptUser()->id ?? null)) {

throw new Exception('Login reattempt user does align with current session state');

{

if ($user->id !== ($this->getLastLoginAttemptUser()->id ?? null)) {

throw new Exception('Login reattempt user does align with current session state');

@@ -152,16 +157,40 @@ class LoginService

public function attempt(array $credentials, string $method, bool $remember = false): bool

{

public function attempt(array $credentials, string $method, bool $remember = false): bool

{

+ if ($this->areCredentialsForGuest($credentials)) {

+ return false;

+ }

$result = auth()->attempt($credentials, $remember);

if ($result) {

$user = auth()->user();

auth()->logout();

$result = auth()->attempt($credentials, $remember);

if ($result) {

$user = auth()->user();

auth()->logout();

- $this->login($user, $method, $remember);

+ try {

+ $this->login($user, $method, $remember);

+ } catch (LoginAttemptInvalidUserException $e) {

+ // Catch and return false for non-login accounts

+ // so it looks like a normal invalid login.

+ return false;

+ }

}

return $result;

}

return $result;

}

+ /**

+ * Check if the given credentials are likely for the system guest account.

+ */

+ protected function areCredentialsForGuest(array $credentials): bool

+ {

+ if (isset($credentials['email'])) {

+ return User::query()->where('email', '=', $credentials['email'])

+ ->where('system_name', '=', 'public')

+ ->exists();

+ }

+ return false;

+ }

/**

* Logs the current user out of the application.

* Returns an app post-redirect path.

/**

* Logs the current user out of the application.

* Returns an app post-redirect path.