10 changes: 10 additions & 0 deletions app/Http/Controllers/App/Settings/AuthenticationController.php
Expand Up @@ -37,6 +37,16 @@ public function updatePassword(AuthenticationPasswordRequest $request): Redirect
'password' => $request->password,
]);

// Changing the password drops the other sessions (keeps the current
// one): if it was changed over a suspected compromise, nobody else
// stays logged in.
if (config('session.driver') === 'database') {
DB::table(config('session.table', 'sessions'))
->where('user_id', $request->user()->id)
->where('id', '!=', $request->session()->getId())
->delete();
}

return back()->with('flash.success', __('settings.flash.password_updated'));
}
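Review bot: The session sweep at L31–L36 only runs when the session driver is `database`; with any other driver (file, redis, cookie) the other sessions silently survive a password change. Laravel's guard offers a driver-independent equivalent, `Auth::logoutOtherDevices($request->password)`, which takes effect through the `AuthenticateSession` middleware if that is in the web stack; if the manual delete is kept, the comment should state the limitation: `// Only effective with the database session driver; other drivers keep stale sessions alive.` The same block, minus the current-session exclusion, is repeated in NewPasswordController's reset callback (L220–L224), so a small shared helper would keep the two sweeps from drifting apart. updatePassword begins outside the hunk.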

Expand Up @@ -21,6 +21,7 @@ public function __invoke(Request $request): RedirectResponse|Response
? redirect()->intended(route('app.calendar'))
: Inertia::render('auth/VerifyEmail', [
'status' => session('status'),
'email' => $request->user()->email,
]);
}
}
52 changes: 43 additions & 9 deletions app/Http/Controllers/Auth/GitHubController.php
Expand Up @@ -12,7 +12,10 @@
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Http;
use Laravel\Socialite\Contracts\User as SocialiteUser;
use Laravel\Socialite\Facades\Socialite;
use Throwable;

class GitHubController extends Controller
{
Expand Down Expand Up @@ -42,21 +45,52 @@ public function callback(): RedirectResponse
return $this->connectToCurrentUser(Auth::user(), (string) $githubUser->getId());
}

$user = User::where('github_id', (string) $githubUser->getId())
->when($githubUser->getEmail(), fn ($query, $email) => $query->orWhere('email', $email))
->first();
$user = User::where('github_id', (string) $githubUser->getId())->first();

// Linking an existing account by email (or creating an already-verified
// account) requires GitHub to have confirmed that email — the profile's
// public email arrives without a verification flag, so we check it
// directly against the user's emails API.
if (! $user) {
if (! $githubUser->getEmail()) {
return redirect()->route('login')->withErrors([
'email' => __('auth.github_email_unavailable'),
]);
}

if (! $this->providerEmailIsVerified($githubUser)) {
return redirect()->route('login')
->with('flash.error', __('auth.social_email_unverified', ['provider' => 'GitHub']));
}

$user = User::where('email', $githubUser->getEmail())->first();
}

if ($user) {
return $this->loginExistingUser($user, (string) $githubUser->getId());
}

if (! $githubUser->getEmail()) {
return redirect()->route('login')->withErrors([
'email' => __('auth.github_email_unavailable'),
]);
return $this->registerNewUser($githubUser);
}

private function providerEmailIsVerified(SocialiteUser $githubUser): bool
{
$email = (string) $githubUser->getEmail();

try {
$emails = Http::withToken($githubUser->token)
->acceptJson()
->get(config('services.github.api').'/user/emails')
->throw()
->json();
} catch (Throwable) {
return false;
}

return $this->registerNewUser($githubUser);
return collect($emails)->contains(
fn ($entry): bool => strcasecmp((string) data_get($entry, 'email'), $email) === 0
&& (bool) data_get($entry, 'verified', false),
);
}

private function connectToCurrentUser(User $user, string $githubId): RedirectResponse
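Review bot: The email fallback at L89 links any local account carrying that address, including one whose own email was never verified; GitHub's confirmation proves the visitor owns the mailbox, but not that the pre-existing unverified account was created by them, so that account's existing password keeps working after the link. Restricting the lookup to `User::where('email', $githubUser->getEmail())->whereNotNull('email_verified_at')->first()` and turning an unverified match into an explicit error — instead of letting it fall through to registerNewUser and the unique-email constraint — closes that gap; the same applies to L164 in GoogleController. Separately, `catch (Throwable)` in providerEmailIsVerified returns false without any trace, so an API outage or a token without the `user:email` scope (which makes `/user/emails` fail) is indistinguishable from a genuinely unverified address; `} catch (Throwable $e) { Log::warning('GitHub email lookup failed', ['exception' => $e]); return false; }` would make that diagnosable. callback begins outside the hunk.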
Expand Down Expand Up @@ -95,7 +129,7 @@ private function loginExistingUser(User $user, string $githubId): RedirectRespon
return redirect()->route('app.home');
}

private function registerNewUser(\Laravel\Socialite\Contracts\User $githubUser): RedirectResponse
private function registerNewUser(SocialiteUser $githubUser): RedirectResponse
{
$utmParameters = $this->retrieveUtmParameters();

28 changes: 24 additions & 4 deletions app/Http/Controllers/Auth/GoogleController.php
Expand Up @@ -12,6 +12,7 @@
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Laravel\Socialite\Contracts\User as SocialiteUser;
use Laravel\Socialite\Facades\Socialite;

class GoogleController extends Controller
Expand Down Expand Up @@ -40,9 +41,20 @@ public function callback(): RedirectResponse
return $this->connectToCurrentUser(Auth::user(), $googleUser->getId());
}

$user = User::where('google_id', $googleUser->getId())
->orWhere('email', $googleUser->getEmail())
->first();
$user = User::where('google_id', $googleUser->getId())->first();

// Linking an existing account by email (or creating an already-verified
// account) requires the PROVIDER to have confirmed that email —
// otherwise a Google account carrying someone else's unconfirmed email
// would become an account takeover.
if (! $user) {
if (! $this->providerEmailIsVerified($googleUser)) {
return redirect()->route('login')
->with('flash.error', __('auth.social_email_unverified', ['provider' => 'Google']));
}

$user = User::where('email', $googleUser->getEmail())->first();
}

if ($user) {
return $this->loginExistingUser($user, $googleUser->getId());
Expand All @@ -51,6 +63,14 @@ public function callback(): RedirectResponse
return $this->registerNewUser($googleUser);
}

/**
* OIDC `email_verified` claim from Google's userinfo; absent = don't trust.
*/
private function providerEmailIsVerified(SocialiteUser $googleUser): bool
{
return (bool) data_get($googleUser->user, 'email_verified', false);
}

private function connectToCurrentUser(User $user, string $googleId): RedirectResponse
{
$existing = User::where('google_id', $googleId)
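Review bot: `(bool) data_get($googleUser->user, 'email_verified', false)` at L178 treats any non-empty value as verified, and PHP's cast turns the string `"false"` into true; Google's userinfo sends a JSON boolean today, but this claim is the single gate for linking accounts by email, so the strict form `return data_get($googleUser->user, 'email_verified') === true;` costs nothing and fails closed if the payload shape ever changes. The docblock could also name the source: `* Reads the raw userinfo payload Socialite exposes as $googleUser->user.` connectToCurrentUser continues past the hunk.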
Expand Down Expand Up @@ -87,7 +107,7 @@ private function loginExistingUser(User $user, string $googleId): RedirectRespon
return redirect()->route('app.home');
}

private function registerNewUser(\Laravel\Socialite\Contracts\User $googleUser): RedirectResponse
private function registerNewUser(SocialiteUser $googleUser): RedirectResponse
{
$utmParameters = $this->retrieveUtmParameters();

12 changes: 11 additions & 1 deletion app/Http/Controllers/Auth/NewPasswordController.php
Expand Up @@ -8,6 +8,7 @@
use Illuminate\Auth\Events\PasswordReset;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Password;
use Illuminate\Support\Str;
Expand Down Expand Up @@ -35,7 +36,7 @@ public function store(Request $request): RedirectResponse
{
$request->validate([
'token' => ['required'],
'email' => ['required', 'email'],
'email' => ['required', Rules\Email::default()],
'password' => ['required', 'confirmed', Rules\Password::defaults()],
]);

Expand All @@ -47,6 +48,15 @@ function ($user) use ($request) {
'remember_token' => Str::random(60),
])->save();

// If the reset was triggered by an account compromise, an
// attacker with an open session can't survive it: drop every
// active session (the owner logs back in with the new password).
if (config('session.driver') === 'database') {
DB::table(config('session.table', 'sessions'))
->where('user_id', $user->id)
->delete();
}

event(new PasswordReset($user));
}
);
14 changes: 6 additions & 8 deletions app/Http/Controllers/Auth/PasswordResetLinkController.php
Expand Up @@ -8,6 +8,7 @@
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Password;
use Illuminate\Validation\Rules\Email;
use Inertia\Inertia;
use Inertia\Response;

Expand All @@ -29,16 +30,13 @@ public function create(): Response
public function store(Request $request): RedirectResponse
{
$request->validate([
'email' => ['required', 'email'],
'email' => ['required', Email::default()],
]);

$status = Password::sendResetLink(
$request->only('email')
);
Password::sendResetLink($request->only('email'));

return $status == Password::RESET_LINK_SENT
? back()->with('status', __($status))
: back()->withInput($request->only('email'))
->withErrors(['email' => __($status)]);
// Uniform response whether or not the email exists: a different response
// would let an attacker enumerate which emails have an account.
return back()->with('status', __('passwords.sent_uniform'));
}
}
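Review bot: Discarding the status at L251 makes the response body uniform, but if the reset notification is sent synchronously the response time still differs between a known and an unknown address, which is the same enumeration signal on another channel; making the reset notification implement `ShouldQueue` keeps the timing flat. The `passwords.sent_uniform` key is not part of this diff, so confirm the lang entry exists or `__()` will echo the key itself. `Password::RESET_THROTTLED` is now hidden as well, which is fine for enumeration but deserves a line in the comment: `// RESET_THROTTLED is hidden too; the broker still enforces the throttle server-side.`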
50 changes: 49 additions & 1 deletion app/Http/Controllers/Auth/RegisteredUserController.php
Expand Up @@ -8,11 +8,15 @@
use App\Http\Controllers\Auth\Concerns\PreservesUtmParameters;
use App\Http\Controllers\Controller;
use App\Models\User;
use App\Rules\NotDisposableEmail;
use Illuminate\Auth\Events\Registered;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Log;
use Illuminate\Validation\Rules;
use Illuminate\Validation\Rules\Email;
use Illuminate\Validation\ValidationException;
use Inertia\Inertia;
use Inertia\Response;

Expand All @@ -32,12 +36,29 @@ public function create(Request $request): Response

public function store(Request $request): RedirectResponse
{
// Honeypot: a hidden field only bots fill in. The front-end clears it on
// autofill, so a non-empty value here means an automated request. Reply
// with a "success" redirect so the bot isn't told it was detected.
if ($request->filled('contact_time')) {
Log::info('Registration honeypot triggered', ['ip' => $request->ip()]);

return redirect()->route('login');
}

$emailRules = ['required', 'string', 'lowercase', Email::default(), 'max:255', 'unique:'.User::class];

if (config('trypost.security.block_disposable_emails')) {
$emailRules[] = new NotDisposableEmail;
}

$request->validate([
'name' => ['required', 'string', 'max:255'],
'email' => ['required', 'string', 'lowercase', 'email', 'max:255', 'unique:'.User::class],
'email' => $emailRules,
'password' => ['required', Rules\Password::defaults()],
]);

$this->ensureIpRegistrationQuota($request);

$isInviteRegistration = str_contains($request->input('redirect', ''), '/invites/');

$utmParameters = $this->retrieveUtmParameters();
Expand Down Expand Up @@ -66,4 +87,31 @@ public function store(Request $request): RedirectResponse

return redirect()->route('register.success', $utmParameters);
}

/**
* A free trial hands out AI credits, so N accounts from the same IP in one
* day is the classic farming pattern. The error is intentionally generic on
* the email field: it doesn't confirm to the attacker which limit was hit.
*/
private function ensureIpRegistrationQuota(Request $request): void
{
$limit = (int) config('trypost.security.max_registrations_per_ip_per_day', 0);

if ($limit <= 0) {
return;
}

$recent = User::query()
->where('registration_ip', $request->ip())
->where('created_at', '>=', now()->subDay())
->count();

if ($recent >= $limit) {
Log::warning('Registration per-IP quota reached', ['ip' => $request->ip(), 'count' => $recent]);

throw ValidationException::withMessages([
'email' => __('auth.register.quota_reached'),
]);
}
}
}
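Review bot: ensureIpRegistrationQuota keys on `$request->ip()`, which is only meaningful when the trusted-proxy configuration matches the deployment: behind a load balancer without it every signup shares the proxy's address and the quota locks all registration out once `$limit` is reached, so the TrustProxies setup should be confirmed alongside this change. The count at L329–L332 is also not atomic with the insert, so concurrent requests can overshoot the limit slightly; that is acceptable for a farming deterrent but worth stating: `// Not atomic with the insert; concurrent signups may overshoot the limit slightly.` The `registration_ip` column must be populated by the create call, which lies outside this hunk — if it is not, the count is always zero and the quota is inert. For IPv6 clients, counting per /64 rather than per address would match how providers allocate prefixes.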
52 changes: 52 additions & 0 deletions app/Http/Controllers/Auth/UpdateUnverifiedEmailController.php
@@ -0,0 +1,52 @@
<?php

declare(strict_types=1);

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use App\Models\User;
use App\Rules\NotDisposableEmail;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Validation\Rule;
use Illuminate\Validation\Rules\Email;

class UpdateUnverifiedEmailController extends Controller
{
/**
* Fix the email before verifying: a user who mistypes their address at
* signup is stuck (the account exists, the link never arrives). This only
* works while the email is unverified; a verified account changes its email
* through the settings flow, with re-authentication.
*/
public function update(Request $request): RedirectResponse
{
$user = $request->user();

if ($user->hasVerifiedEmail()) {
return redirect()->intended(route('app.calendar'));
}

$rules = [
'email' => [
'required', 'string', 'lowercase', Email::default(), 'max:255',
Rule::unique(User::class)->ignore($user->id),
],
];

if (config('trypost.security.block_disposable_emails')) {
$rules['email'][] = new NotDisposableEmail;
}

$validated = $request->validate($rules);

if ($validated['email'] !== $user->email) {
$user->forceFill(['email' => $validated['email']])->save();
}

$user->sendEmailVerificationNotification();

return back()->with('status', 'verification-link-sent');
}
}
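Review bot: update() re-targets the verification mail to whatever address the caller submits and sends it immediately at L393 with no throttle in the controller; unless the route carries a rate limiter such as `throttle:6,1` (the route file is not in this diff), an unverified account becomes a way to send mail to arbitrary addresses. `$request->user()` is also dereferenced at L372 without a null check, which holds only under the `auth` middleware. Both assumptions belong in the docblock: `* Requires the auth middleware; rate-limit the route like verification.send.`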
26 changes: 19 additions & 7 deletions app/Http/Controllers/Auth/VerifyEmailController.php
Expand Up @@ -5,23 +5,35 @@
namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use App\Models\User;
use Illuminate\Auth\Events\Verified;
use Illuminate\Foundation\Auth\EmailVerificationRequest;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Str;

class VerifyEmailController extends Controller
{
/**
* Mark the authenticated user's email address as verified.
* Confirm the email from the signed link and double as a magic link: the
* signed URL proves ownership of the email, so it also authenticates a user
* who arrives logged out (email opened in another browser or device).
*/
public function __invoke(EmailVerificationRequest $request): RedirectResponse
public function __invoke(Request $request, string $id, string $hash): RedirectResponse
{
if ($request->user()->hasVerifiedEmail()) {
return redirect()->intended(route('app.calendar').'?verified=1');
abort_unless(Str::isUuid($id), 404);

$user = User::findOrFail($id);

abort_unless(hash_equals(sha1($user->getEmailForVerification()), $hash), 403);

if (! $user->hasVerifiedEmail() && $user->markEmailAsVerified()) {
event(new Verified($user));
}

if ($request->user()->markEmailAsVerified()) {
event(new Verified($request->user()));
if (! $request->user()?->is($user)) {
Auth::login($user);
$request->session()->regenerate();
}

return redirect()->intended(route('app.calendar').'?verified=1');
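Review bot: With the move from EmailVerificationRequest to raw `$id`/`$hash` parameters, nothing in this method checks the URL signature: `$hash` is `sha1()` of the user's email, so apart from the UUID nothing in the URL is secret, and the only thing proving the link was issued by the app and has not expired is the `signed` middleware on the route, which this diff does not show. Since the method now also logs the visitor in, that middleware (plus a throttle) is mandatory rather than a nicety, and the docblock should say so: `* Relies on the route's signed middleware for authenticity and expiry; the hash alone is not a secret.` When the request already belongs to a different user (L437), `Auth::login` swaps the identity but `regenerate()` keeps the previous user's session data; calling `Auth::logout()` and `$request->session()->invalidate()` before `Auth::login($user)` avoids carrying it over. __invoke continues past the hunk.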