Updated API auth handling of email confirmations
authorDan Brown <redacted>
Thu, 5 Aug 2021 21:07:08 +0000 (22:07 +0100)
committerDan Brown <redacted>
Thu, 5 Aug 2021 21:07:08 +0000 (22:07 +0100)
Email confirmations are now done within the guard during auth checking
instead of at the middleware layer.

app/Api/ApiTokenGuard.php
app/Http/Middleware/ApiAuthenticate.php
app/Providers/AuthServiceProvider.php

index 75ed5cb3567b041afaf599b4dc17c20735e2207a..8b9cbc8e1b44ebff4ed2586336bc74b19aed600d 100644 (file)
@@ -2,6 +2,7 @@
 
 namespace BookStack\Api;
 
+use BookStack\Auth\Access\LoginService;
 use BookStack\Exceptions\ApiAuthException;
 use Illuminate\Auth\GuardHelpers;
 use Illuminate\Contracts\Auth\Authenticatable;
@@ -19,6 +20,11 @@ class ApiTokenGuard implements Guard
      */
     protected $request;
 
+    /**
+     * @var LoginService
+     */
+    protected $loginService;
+
     /**
      * The last auth exception thrown in this request.
      *
@@ -29,9 +35,10 @@ class ApiTokenGuard implements Guard
     /**
      * ApiTokenGuard constructor.
      */
-    public function __construct(Request $request)
+    public function __construct(Request $request, LoginService $loginService)
     {
         $this->request = $request;
+        $this->loginService = $loginService;
     }
 
     /**
@@ -95,6 +102,10 @@ class ApiTokenGuard implements Guard
 
         $this->validateToken($token, $secret);
 
+        if ($this->loginService->awaitingEmailConfirmation($token->user)) {
+            throw new ApiAuthException(trans('errors.email_confirmation_awaiting'));
+        }
+
         return $token->user;
     }
 
index 21d69810faaf5e685a6303f59c2f02476dd006a8..73192b0cfb768e8d3a6dcc535f8385d61856f4f4 100644 (file)
@@ -9,7 +9,6 @@ use Illuminate\Http\Request;
 
 class ApiAuthenticate
 {
-    use ChecksForEmailConfirmation;
 
     /**
      * Handle an incoming request.
@@ -37,7 +36,6 @@ class ApiAuthenticate
         // Return if the user is already found to be signed in via session-based auth.
         // This is to make it easy to browser the API via browser after just logging into the system.
         if (signedInUser() || session()->isStarted()) {
-            $this->ensureEmailConfirmedIfRequested();
             if (!user()->can('access-api')) {
                 throw new ApiAuthException(trans('errors.api_user_no_api_permission'), 403);
             }
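Review bot: The session-based early return in this branch no longer performs any email-confirmation check, and it returns before the `auth()->authenticate()` call further down, so the check moved into ApiTokenGuard never runs for callers authenticated via a browser session. That is only safe if the session guard or login flow already refuses unconfirmed users, which this diff does not show; confirm that before merging. If it does, document the reliance here so the next reader does not re-add the check: `// Email confirmation is not re-checked here: session users are expected to have had it enforced at login.` The handle() method this sits in starts and ends outside the hunk.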
@@ -50,7 +48,6 @@ class ApiAuthenticate
 
         // Validate the token and it's users API access
         auth()->authenticate();
-        $this->ensureEmailConfirmedIfRequested();
     }
 
     /**
index 1a78214dc8937ff039d86d8e69bdcdb20c2dffd9..71b7ab016200bb085c5383584463313c673c1eb6 100644 (file)
@@ -8,6 +8,7 @@ use BookStack\Auth\Access\ExternalBaseUserProvider;
 use BookStack\Auth\Access\Guards\LdapSessionGuard;
 use BookStack\Auth\Access\Guards\Saml2SessionGuard;
 use BookStack\Auth\Access\LdapService;
+use BookStack\Auth\Access\LoginService;
 use BookStack\Auth\Access\RegistrationService;
 use Illuminate\Support\ServiceProvider;
 
@@ -21,7 +22,7 @@ class AuthServiceProvider extends ServiceProvider
     public function boot()
     {
         Auth::extend('api-token', function ($app, $name, array $config) {
-            return new ApiTokenGuard($app['request']);
+            return new ApiTokenGuard($app['request'], $app->make(LoginService::class));
         });
 
         Auth::extend('ldap-session', function ($app, $name, array $config) {
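Review bot: The api-token closure resolves its new dependency with `$app->make(LoginService::class)` while the ldap-session and saml2-session closures below use container array access (`$app[LdapService::class]`, `$app[RegistrationService::class]`); both forms should resolve the same binding, so `return new ApiTokenGuard($app['request'], $app[LoginService::class]);` keeps the provider consistent. This is purely a style point; behaviour is unchanged either way.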
@@ -30,7 +31,7 @@ class AuthServiceProvider extends ServiceProvider
             return new LdapSessionGuard(
                 $name,
                 $provider,
-                $this->app['session.store'],
+                $app['session.store'],
                 $app[LdapService::class],
                 $app[RegistrationService::class]
             );
@@ -42,7 +43,7 @@ class AuthServiceProvider extends ServiceProvider
             return new Saml2SessionGuard(
                 $name,
                 $provider,
-                $this->app['session.store'],
+                $app['session.store'],
                 $app[RegistrationService::class]
             );
         });