CVE-2023-0298: Merge pull request #6850 from firefly-iii/fix-auth-issue · firefly-iii/firefly-iii@db0500d

@@ -87,7 +87,7 @@ public function handle($request, Closure $next, …$guards) */ protected function authenticate($request, array $guards) { // Log::debug(sprintf('Now in %s’, __METHOD__)); Log::debug(sprintf('Now in %s’, __METHOD__)); if (0 === count($guards)) { // Log::debug(‘No guards present.’); // go for default guard: @@ -98,41 +98,56 @@ protected function authenticate($request, array $guards) /** @noinspection PhpUndefinedMethodInspection */ /** @var User $user */ $user = $this->auth->authenticate(); if (null === $user) { Log::warning(‘User is null, throw exception?’); } if (null !== $user) { // Log::debug(get_class($user)); if (1 === (int)$user->blocked) { $message = (string)trans(‘firefly.block_account_logout’); if (‘email_changed’ === $user->blocked_code) { $message = (string)trans(‘firefly.email_changed_logout’); } app(‘session’)->flash('logoutMessage’, $message); $this->auth->logout(); // @phpstan-ignore-line (thinks function is undefined)
throw new AuthenticationException('Blocked account.’, $guards); } } $this->validateBlockedUser($user, $guards); }
return $this->auth->authenticate(); // @phpstan-ignore-line (thinks function returns void) } // Log::debug(‘Guard array is not empty.’);
foreach ($guards as $guard) { // Log::debug(sprintf('Now in guard loop, guard is "%s"’, $guard)); if(‘api’ !== $guard) { Log::debug(sprintf('Now in guard loop, guard is "%s"’, $guard)); if (‘api’ !== $guard) { $this->auth->guard($guard)->authenticate(); } $result = $this->auth->guard($guard)->check(); // Log::debug(sprintf('Result is %s’, var_export($result, true))); Log::debug(sprintf('Result is %s’, var_export($result, true))); if ($result) { $user = $this->auth->guard($guard)->user(); $this->validateBlockedUser($user, $guards); // According to PHPstan the method returns void, but we’ll see. return $this->auth->shouldUse($guard); // @phpstan-ignore-line } }
throw new AuthenticationException('Unauthenticated.’, $guards); }
/** * @param User|null $user * @param array $guards * @return void * @throws AuthenticationException */ private function validateBlockedUser(?User $user, array $guards): void { Log::debug(sprintf('Now in %s’, __METHOD__)); if (null === $user) { Log::warning(‘User is null, throw exception?’); } if (null !== $user) { // Log::debug(get_class($user)); if (1 === (int)$user->blocked) { $message = (string)trans(‘firefly.block_account_logout’); if (‘email_changed’ === $user->blocked_code) { $message = (string)trans(‘firefly.email_changed_logout’); } Log::warning(‘User is blocked, cannot use authentication method.’); app(‘session’)->flash('logoutMessage’, $message); $this->auth->logout(); // @phpstan-ignore-line (thinks function is undefined)
throw new AuthenticationException('Blocked account.’, $guards); } } } }