Skip to content

Commit

Permalink
Force logout on routes not watched by the KickOutInactiveUser middleware
Browse files Browse the repository at this point in the history
  • Loading branch information
@Bubka
Bubka committed Oct 26, 2024
1 parent 3ad068d commit 528a3be
Show file tree
Hide file tree
Showing 7 changed files with 60 additions and 35 deletions.
4 changes: 3 additions & 1 deletion app/Http/Kernel.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -73,12 +73,14 @@ class Kernel extends HttpKernel
protected $middlewareAliases = [
'auth' => \App\Http\Middleware\Authenticate::class,
'admin' => \App\Http\Middleware\AdminOnly::class,
'guest' => \App\Http\Middleware\RejectIfAuthenticated::class,
'rejectIfAuthenticated' => \App\Http\Middleware\RejectIfAuthenticated::class,
'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
'rejectIfDemoMode' => \App\Http\Middleware\RejectIfDemoMode::class,
'rejectIfReverseProxy' => \App\Http\Middleware\RejectIfReverseProxy::class,
'RejectIfSsoOnlyAndNotForAdmin' => \App\Http\Middleware\RejectIfSsoOnlyAndNotForAdmin::class,
'cache.headers' => \Illuminate\Http\Middleware\SetCacheHeaders::class,
'kickOutInactiveUser' => \App\Http\Middleware\KickOutInactiveUser::class,
'forceLogout' => \App\Http\Middleware\ForceLogout::class,
// 'password.confirm' => \Illuminate\Auth\Middleware\RequirePassword::class,
// 'signed' => \App\Http\Middleware\ValidateSignature::class,
];
Expand Down
25 changes: 25 additions & 0 deletions app/Http/Middleware/ForceLogout.php
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Support\Facades\Auth;

class ForceLogout
{
/**
* Handle an incoming request.
*
* @param \Illuminate\Http\Request $request
* @param string $guards
* @return mixed
*/
public function handle($request, Closure $next, ...$guards)
{
if (Auth::user() != null) {
Auth::guard('web-guard')->logoutCurrentDevice();
}

return $next($request);
}
}
43 changes: 23 additions & 20 deletions app/Listeners/Authentication/LogoutListener.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -43,27 +43,30 @@ public function handle(mixed $event) : void
* @var \App\Models\User
*/
$user = $event->user;
$ip = config('2fauth.proxy_headers.forIp')
? $this->request->header(config('2fauth.proxy_headers.forIp'), $this->request->ip())
: $this->request->ip();
$userAgent = $this->request->userAgent();
$log = $user->authentications()
->whereIpAddress($ip)
->whereUserAgent($userAgent)
->whereGuard($event->guard)
->orderByDesc('login_at')
->first();

if (! $log) {
$log = new AuthLog([
'ip_address' => $ip,
'user_agent' => $userAgent,
'guard' => $event->guard,
'login_method' => $this->loginMethod(),
]);
}
if ($user != null) {
$ip = config('2fauth.proxy_headers.forIp')
? $this->request->header(config('2fauth.proxy_headers.forIp'), $this->request->ip())
: $this->request->ip();
$userAgent = $this->request->userAgent();
$log = $user->authentications()
->whereIpAddress($ip)
->whereUserAgent($userAgent)
->whereGuard($event->guard)
->orderByDesc('login_at')
->first();

if (! $log) {
$log = new AuthLog([
'ip_address' => $ip,
'user_agent' => $userAgent,
'guard' => $event->guard,
'login_method' => $this->loginMethod(),
]);
}

$log->logout_at = now();
$user->authentications()->save($log);
$log->logout_at = now();
$user->authentications()->save($log);
}
}
}
9 changes: 5 additions & 4 deletions routes/web.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -34,8 +34,9 @@

/**
* Routes that only work for unauthenticated user (return an error otherwise)
* 'kickOutInactiveUser',
*/
Route::group(['middleware' => ['guest', 'rejectIfDemoMode', 'RejectIfSsoOnlyAndNotForAdmin']], function () {
Route::group(['middleware' => ['rejectIfDemoMode', 'RejectIfSsoOnlyAndNotForAdmin', 'forceLogout']], function () {
Route::post('user', [RegisterController::class, 'register'])->name('user.register');
Route::post('user/password/lost', [ForgotPasswordController::class, 'sendResetLinkEmail'])->name('user.password.lost');
Route::post('user/password/reset', [ResetPasswordController::class, 'reset'])->name('password.reset');
Expand All @@ -46,15 +47,15 @@
/**
* Routes that can be requested max 10 times per minute by the same IP
*/
Route::group(['middleware' => ['rejectIfDemoMode', 'throttle:10,1', 'RejectIfSsoOnlyAndNotForAdmin']], function () {
Route::group(['middleware' => ['rejectIfDemoMode', 'throttle:10,1', 'RejectIfSsoOnlyAndNotForAdmin', 'forceLogout']], function () {
Route::post('webauthn/recover', [WebAuthnRecoveryController::class, 'recover'])->name('webauthn.recover');
});

/**
* Routes that only work for unauthenticated user (return an error otherwise)
* that can be requested max 10 times per minute by the same IP
* that can be requested max 10 times per minute by the same IP 'kickOutInactiveUser',
*/
Route::group(['middleware' => ['guest', 'throttle:10,1']], function () {
Route::group(['middleware' => ['forceLogout', 'throttle:10,1']], function () {
Route::post('user/login', [LoginController::class, 'login'])->name('user.login')->middleware('RejectIfSsoOnlyAndNotForAdmin');
Route::post('webauthn/login', [WebAuthnLoginController::class, 'login'])->name('webauthn.login')->middleware('RejectIfSsoOnlyAndNotForAdmin');

Expand Down
4 changes: 2 additions & 2 deletions tests/Feature/Http/Auth/ForgotPasswordControllerTest.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -95,7 +95,7 @@ public function test_submit_email_password_request_in_demo_mode_returns_unauthor
}

#[Test]
public function test_submit_email_password_request_when_authenticated_returns_bad_request()
public function test_submit_email_password_request_when_authenticated_returns_ok()
{
/**
* @var \App\Models\User|\Illuminate\Contracts\Auth\Authenticatable
Expand All @@ -106,7 +106,7 @@ public function test_submit_email_password_request_when_authenticated_returns_ba
->json('POST', '/user/password/lost', [
'email' => $user->email,
])
->assertStatus(400)
->assertStatus(200)
->assertJsonStructure([
'message',
]);
Expand Down
5 changes: 1 addition & 4 deletions tests/Feature/Http/Auth/LoginTest.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -250,10 +250,7 @@ public function test_user_login_already_authenticated_is_rejected()
'email' => $this->user->email,
'password' => self::PASSWORD,
])
->assertStatus(400)
->assertJsonStructure([
'message',
]);
->assertStatus(200);
}

#[Test]
Expand Down
5 changes: 1 addition & 4 deletions tests/Feature/Http/Auth/WebAuthnLoginControllerTest.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -275,10 +275,7 @@ public function test_webauthn_login_already_authenticated_is_rejected()
->assertOk();

$this->json('POST', '/webauthn/login', self::ASSERTION_RESPONSE)
->assertStatus(400)
->assertJsonStructure([
'message',
]);
->assertStatus(200);;
}

#[Test]
Expand Down

0 comments on commit 528a3be

Please sign in to comment.