<?php namespace App\Http\Controllers\Api\Auth; use App\Models\User\User; use Illuminate\Http\Request; use function Safe\json_decode; use Illuminate\Http\JsonResponse; use Illuminate\Support\Facades\App; use App\Http\Controllers\Controller; use Illuminate\Support\Facades\Auth; use App\Traits\JsonRespondController; use Illuminate\Contracts\Http\Kernel; use Illuminate\Support\Facades\Route; use Illuminate\Support\Facades\Redirect; use Barryvdh\Debugbar\Facade as Debugbar; use Illuminate\Support\Facades\Validator; use Illuminate\Contracts\Encryption\Encrypter; use Symfony\Component\HttpFoundation\Response; class OAuthController extends Controller { use JsonRespondController; /** * The encrypter implementation. * * @var \Illuminate\Contracts\Encryption\Encrypter */ protected $encrypter; /** * Create a new controller instance. * * @param \Illuminate\Contracts\Encryption\Encrypter $encrypter * @return void */ public function __construct(Encrypter $encrypter) { $this->encrypter = $encrypter; if (config('app.debug')) { Debugbar::disable(); } } /** * Display a log in form for oauth accessToken. * * @param Request $request * @return \Illuminate\View\View */ public function index(Request $request) { $request->session()->flush(); return view('auth.oauthlogin'); } /** * Log in a user and returns an accessToken. * * @param Request $request * @return \Symfony\Component\HttpFoundation\Response|null */ public function login(Request $request): ?Response { $isvalid = $this->validateRequest($request); if ($isvalid !== true) { return $isvalid; } $email = $request->input('email'); $password = $request->input('password'); if (Auth::attempt(['email' => $email, 'password' => $password])) { // The user is active, not suspended, and exists. $request->session()->put('oauth', true); $request->session()->put('email', $email); $request->session()->put('password', $this->encrypter->encrypt($password)); $this->fixRequest($request); // add intendedUrl for WebAuthn Redirect::setIntendedUrl(route('oauth.verify')); return Route::respondWithRoute('oauth.verify'); } return null; } /** * Fix request parameters. * * @param Request $request * @return void */ private function fixRequest(Request $request) { $request->setMethod('GET'); $cookie = $request->cookies->get(config('session.cookie')); $request->cookies->set(config('session.cookie'), $this->encrypter->encrypt($cookie)); } /** * Validate the request. * * @param Request $request * @return \Illuminate\Http\JsonResponse|true */ private function validateRequest(Request $request) { $validator = Validator::make($request->all(), [ 'email' => 'email|required', 'password' => 'required', ]); if ($validator->fails()) { return $this->respondValidatorFailed($validator); } // Check if email exists. If not respond with an Unauthorized, this way a hacker // doesn't know if the login email exist or not, or if the password is wrong $count = User::where('email', $request->input('email'))->count(); if ($count === 0) { return $this->respondUnauthorized(); } return true; } /** * Log in a user and returns an accessToken. * * @param Request $request * @return \Illuminate\Http\JsonResponse */ public function verify(Request $request): JsonResponse { $response = $this->handleVerify($request); Auth::logout(); $request->session()->flush(); return $response ?: $this->respondUnauthorized(); } /** * Handle the verify request. * * @param Request $request * @return \Illuminate\Http\JsonResponse|null */ private function handleVerify(Request $request): ?JsonResponse { if (! $request->session()->has('email') || ! $request->session()->has('password')) { return null; } $request->query->set('email', $request->session()->pull('email')); $request->query->set('password', $this->encrypter->decrypt($request->session()->pull('password'))); $isvalid = $this->validateRequest($request); if ($isvalid !== true) { return $isvalid; } try { $token = $this->proxy([ 'username' => $request->input('email'), 'password' => $request->input('password'), 'grantType' => 'password', ]); return $this->respond($token); } catch (\Exception $e) { return null; } } /** * Proxy a request to the OAuth server. * * @param array $data the data to send to the server * * @return array * @throws \Safe\Exceptions\JsonException */ private function proxy(array $data = []): array { $url = App::runningUnitTests() ? config('app.url').'/oauth/token' : route('passport.token'); /** @var \Illuminate\Http\Response */ $response = app(Kernel::class)->handle(Request::create($url, 'POST', [ 'grant_type' => $data['grantType'], 'client_id' => config('passport.personal_access_client.id'), 'client_secret' => config('passport.personal_access_client.secret'), 'username' => $data['username'], 'password' => $data['password'], 'scope' => '', ])); $data = json_decode($response->content()); return [ 'access_token' => $data->access_token, 'expires_in' => $data->expires_in, ]; } }