Auth middleware refinement (#11767)

* auth middleware group * dummy page for legacy php scripts instead of recursively calling init.php * Test and fix routing scenarios * fix api auth * disable unused auth routes
2024-10-07 16:52:45 +00:00 · 2020-06-05 11:50:58 -05:00
parent 6da2f43e6b
commit 5c6c8844e8
5 changed files with 51 additions and 14 deletions
--- a/LibreNMS/Util/Laravel.php
+++ b/LibreNMS/Util/Laravel.php
@@ -29,6 +29,7 @@ use App;
 use Illuminate\Database\Events\QueryExecuted;
 use LibreNMS\DB\Eloquent;
 use Log;
+use Symfony\Component\HttpFoundation\HeaderBag;

 class Laravel
 {
@@ -46,7 +47,12 @@ class Laravel
        $kernel->bootstrap();
    }

-    public static function bootWeb()
+    /**
+     * Boot Laravel in a non-Laravel web script
+     *
+     * @param bool $authenticate Use session+db to authenticate user (does not authorize)
+     */
+    public static function bootWeb($authenticate = false)
    {
        // this is not a substitute for the normal Laravel boot, just a way to make auth work for external php
        if (self::isBooted()) {
@@ -59,8 +65,9 @@ class Laravel
        $kernel = $app->make(\Illuminate\Contracts\Http\Kernel::class);

        $request = \Illuminate\Http\Request::capture();
-        // strip .php to make the url helper in non-laravel pages
-        $request->server->set('REQUEST_URI', str_replace('.php', '', $_SERVER['REQUEST_URI']));
+
+        self::rewriteDummyHeaders($request, $authenticate);
+
        $response = $kernel->handle($request);

 //        $response->send(); // don't send response, legacy code will
@@ -118,4 +125,22 @@ class Laravel
            Log::setDefaultDriver('logfile');
        }
    }
+
+    /**
+     * Add prefix and strip .php to make the url helper work in non-laravel php scripts
+     *
+     * @param $request
+     * @param $auth
+     */
+    private static function rewriteDummyHeaders($request, $auth)
+    {
+        // set dummy path allows url helper to work and prevents full init again
+        $new_uri = ($auth ? '/dummy_legacy_auth' : '/dummy_legacy_unauth');
+        $request->server->set('REQUEST_URI', $new_uri);
+
+        // set json type to prevent redirects in the dummy page
+        $request->server->set('HTTP_ACCEPT', 'dummy/json');
+
+        $request->headers = new HeaderBag($request->server->getHeaders());
+    }
 }
--- a/app/Http/Controllers/LegacyController.php
+++ b/app/Http/Controllers/LegacyController.php
@@ -80,4 +80,9 @@ class LegacyController extends Controller
            'refresh' => $no_refresh ? 0 : Config::get('page_refresh'),
        ]);
    }
+
+    public function dummy()
+    {
+        return 'Dummy page';
+    }
 }
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@@ -34,13 +34,18 @@ class Kernel extends HttpKernel
            \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
            \Illuminate\Session\Middleware\StartSession::class,
            // \Illuminate\Session\Middleware\AuthenticateSession::class,
-            \App\Http\Middleware\LoadUserPreferences::class,
            \Illuminate\View\Middleware\ShareErrorsFromSession::class,
            \App\Http\Middleware\VerifyCsrfToken::class,
-            \App\Http\Middleware\LegacyExternalAuth::class,
            \Illuminate\Routing\Middleware\SubstituteBindings::class,
        ],

+        'auth.web' => [
+            \App\Http\Middleware\LegacyExternalAuth::class,
+            'auth',
+            \App\Http\Middleware\VerifyTwoFactor::class,
+            \App\Http\Middleware\LoadUserPreferences::class,
+        ],
+
        'minimal' => [
            \App\Http\Middleware\EncryptCookies::class,
            \Illuminate\Session\Middleware\StartSession::class,
@@ -62,7 +67,6 @@ class Kernel extends HttpKernel
     */
    protected $routeMiddleware = [
        'auth' => \App\Http\Middleware\Authenticate::class,
-        '2fa' => \App\Http\Middleware\VerifyTwoFactor::class,
        'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
        'bindings' => \Illuminate\Routing\Middleware\SubstituteBindings::class,
        'cache.headers' => \Illuminate\Http\Middleware\SetCacheHeaders::class,
--- a/includes/init.php
+++ b/includes/init.php
@@ -86,8 +86,8 @@ if (module_selected('alerts', $init_modules)) {
 }

 // Boot Laravel
-if (module_selected('auth', $init_modules)) {
-    \LibreNMS\Util\Laravel::bootWeb();
+if (module_selected('web', $init_modules)) {
+    \LibreNMS\Util\Laravel::bootWeb(module_selected('auth', $init_modules));
 } else {
    \LibreNMS\Util\Laravel::bootCli();
 }
--- a/routes/web.php
+++ b/routes/web.php
@@ -12,10 +12,10 @@
 */

 // Auth
-Auth::routes();
+Auth::routes(['register' => false, 'reset' => false, 'verify' => false]);

 // WebUI
-Route::group(['middleware' => ['auth', '2fa'], 'guard' => 'auth'], function () {
+Route::group(['middleware' => ['auth.web'], 'guard' => 'auth'], function () {

    // pages
    Route::resource('device-groups', 'DeviceGroupController');
@@ -141,8 +141,11 @@ Route::group(['middleware' => ['auth', '2fa'], 'guard' => 'auth'], function () {

    // demo helper
    Route::permanentRedirect('demo', '/');
-
-    // Legacy routes
-    Route::any('/{path?}', 'LegacyController@index')
-        ->where('path', '^((?!_debugbar).)*');
 });
+
+// Legacy routes
+Route::any('/dummy_legacy_auth/{path?}', 'LegacyController@dummy')->middleware('auth.web');
+Route::any('/dummy_legacy_unauth/{path?}', 'LegacyController@dummy');
+Route::any('/{path?}', 'LegacyController@index')
+    ->where('path', '^((?!_debugbar).)*')
+    ->middleware('auth.web');