From 7c006e96251ae1d32e1a015b361a7bfbb815c028 Mon Sep 17 00:00:00 2001
From: Tony Murray
Date: Tue, 7 Nov 2023 16:25:28 -0600
Subject: [PATCH] Disable GET login by default (#15558)

* Disable GET login by default
GET login allows users to put username and password in the url, this is helpful for displays where you cannot login interactively. Unfortunately, the plaintext password will be in the access logs. GET login also allows brute force attacks against your install.
* Apply fixes from StyleCI
---------
Co-authored-by: StyleCI Bot
---
 app/Http/Middleware/LegacyExternalAuth.php | 7 +++++--
 lang/en/settings.php | 4 ++++
 misc/config_definitions.json | 7 +++++++
 3 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/app/Http/Middleware/LegacyExternalAuth.php b/app/Http/Middleware/LegacyExternalAuth.php
index 56a17b1213..ce070b7948 100644
--- a/app/Http/Middleware/LegacyExternalAuth.php
+++ b/app/Http/Middleware/LegacyExternalAuth.php
@@ -6,6 +6,7 @@ use Closure;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Auth;
 use LibreNMS\Authentication\LegacyAuth;
+use LibreNMS\Config;
 use Symfony\Component\HttpFoundation\Response;
 class LegacyExternalAuth
@@ -20,8 +21,10 @@ class LegacyExternalAuth
 {
 if (! Auth::guard($guard)->check()) {
 // check for get variables
- if ($request->isMethod('get') && $request->has(['username', 'password'])) {
- Auth::attempt($request->only(['username', 'password']));
+ if (Config::get('auth.allow_get_login')) {
+ if ($request->isMethod('get') && $request->has(['username', 'password'])) {
+ Auth::attempt($request->only(['username', 'password']));
+ }
 }
 if (LegacyAuth::get()->authIsExternal()) {
diff --git a/lang/en/settings.php b/lang/en/settings.php
index 0563421a18..0cc2c13a3c 100644
--- a/lang/en/settings.php
+++ b/lang/en/settings.php
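Review bot: The two nested `if`s added around the GET-login check in the second hunk can be a single guard, `if (Config::get('auth.allow_get_login') && $request->isMethod('get') && $request->has(['username', 'password'])) {`, so the flag, method and parameter preconditions read as one condition instead of two levels of nesting. When an operator does enable the flag, the result of `Auth::attempt` is still discarded, so a failed GET login leaves no trace in this middleware; given that the commit message itself notes this path is not rate limited, recording the failure here (or a comment pointing to wherever failed attempts are logged, which is not visible in this hunk) would help operators notice brute-force use of the enabled option. A one-line comment above the new outer `if`, such as `// Opt-in only: credentials in the query string end up in access logs, see auth.allow_get_login`, would also explain to the next reader why the default is off. The enclosing method starts and continues outside the hunk.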
@@ -266,6 +266,10 @@ return [
 'description' => 'Key to hold cache of autonomous systems descriptions',
 ],
 'auth' => [
+ 'allow_get_login' => [
+ 'description' => 'Allow get login (Insecure)',
+ 'help' => 'Allow login by putting username and password variables in the url get request, useful for display systems where you cannot interactively log in. This is considered insecure because the password will be shown in logs and logins are not rate limited so it could open you up to brute force attacks.',
+ ],
 'socialite' => [
 'redirect' => [
 'description' => 'Redirect Login page',
diff --git a/misc/config_definitions.json b/misc/config_definitions.json
index 2d3fc45722..90295461d4 100644
--- a/misc/config_definitions.json
+++ b/misc/config_definitions.json
@@ -391,6 +391,13 @@
 },
 "type": "array"
 },
+ "auth.allow_get_login": {
+ "group": "auth",
+ "section": "general",
+ "order": 24,
+ "type": "boolean",
+ "default": false
+ },
 "auth.socialite.redirect": {
 "group": "auth",
 "section": "socialite",