Expand authentication validation in API.

2025-02-25 18:45:27 -06:00 · 2023-01-14 07:53:00 +01:00 · 2023-01-14 07:53:00 +01:00 · 23bbebb80e
commit 23bbebb80e
parent 4ccdd8f322
3 changed files with 44 additions and 22 deletions
--- a/app/Api/V1/Controllers/System/UserController.php
+++ b/app/Api/V1/Controllers/System/UserController.php
@ -33,6 +33,7 @@ use FireflyIII\Transformers\UserTransformer;
 use FireflyIII\User;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Pagination\LengthAwarePaginator;
+use Illuminate\Support\Facades\Log;
 use League\Fractal\Pagination\IlluminatePaginatorAdapter;
 use League\Fractal\Resource\Collection as FractalCollection;
 use League\Fractal\Resource\Item;
@ -191,6 +192,13 @@ class UserController extends Controller
    public function update(UserUpdateRequest $request, User $user): JsonResponse
    {
        $data    = $request->getAll();
+
+        // can only update 'blocked' when user is admin.
+        if(!$this->repository->hasRole(auth()->user(), 'owner')) {
+            Log::debug('Quietly drop fields "blocked" and "blocked_code" from request.');
+            unset($data['blocked'], $data['blocked_code']);
+        }
+
        $user    = $this->repository->update($user, $data);
        $manager = $this->getManager();
        // make resource
--- a/app/Http/Middleware/Authenticate.php
+++ b/app/Http/Middleware/Authenticate.php
@ -87,7 +87,7 @@ class Authenticate
     */
    protected function authenticate($request, array $guards)
    {
-        // Log::debug(sprintf('Now in %s', __METHOD__));
+        Log::debug(sprintf('Now in %s', __METHOD__));
        if (0 === count($guards)) {
            // Log::debug('No guards present.');
            // go for default guard:
@ -98,22 +98,7 @@ class Authenticate
                /** @noinspection PhpUndefinedMethodInspection */
                /** @var User $user */
                $user = $this->auth->authenticate();
-                if (null === $user) {
-                    Log::warning('User is null, throw exception?');
-                }
-                if (null !== $user) {
-                    // Log::debug(get_class($user));
-                    if (1 === (int)$user->blocked) {
-                        $message = (string)trans('firefly.block_account_logout');
-                        if ('email_changed' === $user->blocked_code) {
-                            $message = (string)trans('firefly.email_changed_logout');
-                        }
-                        app('session')->flash('logoutMessage', $message);
-                        $this->auth->logout(); // @phpstan-ignore-line (thinks function is undefined)
-
-                        throw new AuthenticationException('Blocked account.', $guards);
-                    }
-                }
+                $this->validateBlockedUser($user, $guards);
            }

            return $this->auth->authenticate(); // @phpstan-ignore-line (thinks function returns void)
@ -121,13 +106,15 @@ class Authenticate
        // Log::debug('Guard array is not empty.');

        foreach ($guards as $guard) {
-            // Log::debug(sprintf('Now in guard loop, guard is "%s"', $guard));
-            if('api' !== $guard) {
+            Log::debug(sprintf('Now in guard loop, guard is "%s"', $guard));
+            if ('api' !== $guard) {
                $this->auth->guard($guard)->authenticate();
            }
            $result = $this->auth->guard($guard)->check();
-            // Log::debug(sprintf('Result is %s', var_export($result, true)));
+            Log::debug(sprintf('Result is %s', var_export($result, true)));
            if ($result) {
+                $user = $this->auth->guard($guard)->user();
+                $this->validateBlockedUser($user, $guards);
                // According to PHPstan the method returns void, but we'll see.
                return $this->auth->shouldUse($guard); // @phpstan-ignore-line
            }
@ -135,4 +122,32 @@ class Authenticate

        throw new AuthenticationException('Unauthenticated.', $guards);
    }
+
+    /**
+     * @param  User|null  $user
+     * @param  array  $guards
+     * @return void
+     * @throws AuthenticationException
+     */
+    private function validateBlockedUser(?User $user, array $guards): void
+    {
+        Log::debug(sprintf('Now in %s', __METHOD__));
+        if (null === $user) {
+            Log::warning('User is null, throw exception?');
+        }
+        if (null !== $user) {
+            // Log::debug(get_class($user));
+            if (1 === (int)$user->blocked) {
+                $message = (string)trans('firefly.block_account_logout');
+                if ('email_changed' === $user->blocked_code) {
+                    $message = (string)trans('firefly.email_changed_logout');
+                }
+                Log::warning('User is blocked, cannot use authentication method.');
+                app('session')->flash('logoutMessage', $message);
+                $this->auth->logout(); // @phpstan-ignore-line (thinks function is undefined)
+
+                throw new AuthenticationException('Blocked account.', $guards);
+            }
+        }
+    }
 }
--- a/changelog.md
+++ b/changelog.md
@ -6,8 +6,7 @@ Alpha 2


 - Data import: when you submit a transaction but give the ID of an account of the wrong type, Firefly III will try to create an account of the right type. For example: you submit a deposit but the source account is an expense account: Firefly III will try to create a revenue account instead. 
-
-
+- Security: blocked users can access API, users can unblock themselves using the API.

 ## 5.8.0-alpha.1 - 2023-01-08