update

microweber · Sep 9, 2021 · ec8953b · ec8953b
1 parent 5f442fc
commit ec8953b
Show file tree

Hide file tree

Showing 6 changed files with 102 additions and 19 deletions.
diff --git a/src/MicroweberPackages/App/Http/Controllers/FrontendController.php b/src/MicroweberPackages/App/Http/Controllers/FrontendController.php
@@ -2,7 +2,13 @@
 
 namespace MicroweberPackages\App\Http\Controllers;
 
+use Illuminate\Contracts\Http\Kernel as HttpKernel;
+use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken;
+use Illuminate\Support\Facades\App;
 use Illuminate\Support\Facades\Request;
+use MicroweberPackages\App\Http\Middleware\ApiAuth;
+use MicroweberPackages\App\Http\Middleware\SameSiteRefererMiddleware;
+use MicroweberPackages\App\Managers\Helpers\VerifyCsrfTokenHelper;
 use MicroweberPackages\App\Traits\LiveEditTrait;
 use MicroweberPackages\Option\Models\ModuleOption;
 use MicroweberPackages\Option\Models\Option;
@@ -12,6 +18,7 @@
 use MicroweberPackages\Install\Http\Controllers\InstallController;
 use MicroweberPackages\View\View;
 use Symfony\Component\HttpFoundation\RedirectResponse;
+use Symfony\Component\HttpFoundation\Request as SymfonyRequest;
 use Symfony\Component\HttpFoundation\Response;
 use voku\helper\AntiXSS;
 
@@ -265,20 +272,28 @@ public function api($api_function = false, $params = false)
 
         $api_exposed .= 'set_language ';
         $api_exposed .= (api_expose(true));
-
+        $api_auth_exposed = ' ';
         if (mw()->user_manager->is_logged()) {
-            $api_exposed .= (api_expose_user(true));
+            $get_exposed = (api_expose_user(true));
+            $api_exposed .= $get_exposed;
+            $api_auth_exposed .= $get_exposed;
         }
 
         if (is_admin()) {
-            $api_exposed .= (api_expose_admin(true));
+            $get_exposed = (api_expose_admin(true));
+            $api_exposed .= $get_exposed;
+            $api_auth_exposed .= $get_exposed;
         }
 
 
         $api_exposed = explode(' ', $api_exposed);
         $api_exposed = array_unique($api_exposed);
         $api_exposed = array_trim($api_exposed);
 
+        $api_auth_exposed = explode(' ', $api_auth_exposed);
+        $api_auth_exposed = array_unique($api_auth_exposed);
+        $api_auth_exposed = array_trim($api_auth_exposed);
+
         $hooks = api_bind(true);
         if (mw()->user_manager->is_logged()) {
             $hooks_admin = api_bind_user(true);
@@ -492,6 +507,32 @@ public function api($api_function = false, $params = false)
             $err = true;
         }
 
+        if (in_array($api_function, $api_auth_exposed)) {
+            $request = request();
+            $request->merge($_GET);
+            $request->merge($_POST);
+            $ref = $request->headers->get('referer');
+
+            $same_site = app()->make(SameSiteRefererMiddleware::class);
+            $is_same_site = $same_site->isSameSite($ref);
+
+            if (!$is_same_site) {
+                $bearer_token = $request->bearerToken();
+                $is_bearer_token_valid = false;
+                if($bearer_token){
+                    $validator = app()->make(ApiAuth::class);
+                    $is_bearer_token_valid = $validator->validateBearerToken($bearer_token);
+                }
+                if (!$is_bearer_token_valid) {
+                    $validator = app()->make(VerifyCsrfTokenHelper::class);
+                    $is_token_valid = $validator->isValid($request);
+                    if (!$is_token_valid) {
+                        App::abort(403, 'Unauthorized action. Token is invalid for the API function.');
+                    }
+                }
+            }
+        }
+
         if ($err == true) {
             foreach ($api_exposed as $api_exposed_item) {
                 if ($api_exposed_item == $api_function) {
@@ -599,7 +640,12 @@ public function api($api_function = false, $params = false)
         } else {
             $api_function = mw()->format->clean_html($api_function);
             $api_function = mw()->format->clean_xss($api_function);
-            mw_error('The api function ' . $api_function . ' is not defined in the allowed functions list');
+
+            App::abort(403, 'The api function is not defined in the allowed functions list');
+
+
+
+          //  mw_error('The api function ' . $api_function . ' is not defined in the allowed functions list');
         }
 
         if (isset($res)) {

diff --git a/src/MicroweberPackages/App/Http/Middleware/ApiAuth.php b/src/MicroweberPackages/App/Http/Middleware/ApiAuth.php
@@ -20,21 +20,20 @@ class ApiAuth
      */
     public function handle(Request $request, Closure $next, $guard = null)
     {
-        if (Auth::check() &&  Auth::user()->is_admin == 1) {
+        if (Auth::check() && Auth::user()->is_admin == 1) {
             return $next($request);
         }
 
-        $expiration = config('sanctum.expiration');
 
         $token = $request->bearerToken();
-        if (!$token){
+        if (!$token) {
             return $this->_returnError($request);
         }
 
         $model = Sanctum::$personalAccessTokenModel;
         $accessToken = $model::findToken($token);
 
-        if (! $accessToken || ($expiration && $accessToken->created_at->lte(now()->subMinutes($expiration)))) {
+        if (!$this->validateBearerToken($token)) {
             return $this->_returnError($request);
         }
 
@@ -43,11 +42,25 @@ public function handle(Request $request, Closure $next, $guard = null)
         return $next($request);
     }
 
+    public function validateBearerToken($token)
+    {
+        $expiration = config('sanctum.expiration');
+
+        $model = Sanctum::$personalAccessTokenModel;
+        $accessToken = $model::findToken($token);
 
-    private function _returnError($request){
+        if (!$accessToken || ($expiration && $accessToken->created_at->lte(now()->subMinutes($expiration)))) {
+            return false;
+        }
+
+        return true;
+    }
+
+    private function _returnError($request)
+    {
         if ($request->expectsJson()) {
             return response()->json(['error' => 'Api unauthorized'], 401);
         }
         return abort(403, 'Api unauthorized');
     }
-}
+}
diff --git a/src/MicroweberPackages/App/Http/Middleware/SameSiteRefererMiddleware.php b/src/MicroweberPackages/App/Http/Middleware/SameSiteRefererMiddleware.php
@@ -21,7 +21,7 @@ public function handle(Request $request, Closure $next, $guard = null)
         $full_url = $request->headers->get('referer');
 
         if ($full_url) {
-            $result = Str::startsWith($full_url, site_url());
+            $result = $this->isSameSite($full_url);
             if (!$result) {
                 $error = 'You are not allowed to make requests from this address';
                 return abort(403, $error);
@@ -31,6 +31,11 @@ public function handle(Request $request, Closure $next, $guard = null)
 
     }
 
+    public function isSameSite($url)
+    {
+        return Str::startsWith($url, site_url());
+    }
+
 
 }
 
diff --git a/src/MicroweberPackages/App/Managers/Helpers/VerifyCsrfTokenHelper.php b/src/MicroweberPackages/App/Managers/Helpers/VerifyCsrfTokenHelper.php
@@ -0,0 +1,13 @@
+<?php
+
+namespace MicroweberPackages\App\Managers\Helpers;
+
+use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken;
+
+class VerifyCsrfTokenHelper extends VerifyCsrfToken
+{
+    public function isValid($request)
+    {
+        return $this->tokensMatch($request);
+    }
+}
diff --git a/src/MicroweberPackages/App/Providers/AppServiceProvider.php b/src/MicroweberPackages/App/Providers/AppServiceProvider.php
@@ -561,6 +561,7 @@ function ($pattern, $data, $delimiter = '~', $modifiers = 'isuS') {
             'xss',
             AuthenticateSessionForUser::class,
         ]);
+
         $router->middlewareGroup('api',[
             'xss',
            // 'throttle:1000,1',

diff --git a/src/MicroweberPackages/App/routes/web.php b/src/MicroweberPackages/App/routes/web.php
@@ -165,13 +165,24 @@ function migrateLanguages()
     Route::any('module/{all}', array('as' => 'module', 'uses' => '\MicroweberPackages\App\Http\Controllers\FrontendController@module'))->where('all', '.*');
 });
 
+Route::group(['middleware' => ['public.web' ], 'namespace' => '\MicroweberPackages\App\Http\Controllers'], function () {
+    Route::any('/api', 'FrontendController@api');
+    Route::any('/api/{slug}', 'FrontendController@api');
+
+    Route::any('api/{all}', array('as' => 'api', 'uses' => 'FrontendController@api'))->where('all', '.*');
+    Route::any('api_html/{all}', array('as' => 'api', 'uses' => 'FrontendController@api_html'))->where('all', '.*');
+    Route::any('/api_html', 'FrontendController@api_html');
+    //
+    Route::any('/editor_tools', 'FrontendController@editor_tools');
+    Route::any('editor_tools/{all}', array('as' => 'editor_tools', 'uses' => 'FrontendController@editor_tools'))->where('all', '.*');
+
+});
 // 'middleware' => 'web',
 Route::group(['middleware' => 'public.web', 'namespace' => '\MicroweberPackages\App\Http\Controllers'], function () {
 
     Route::any('/', 'FrontendController@index');
 
-    Route::any('/api', 'FrontendController@api');
-    Route::any('/api/{slug}', 'FrontendController@api');
+
 
     $custom_admin_url = \Config::get('microweber.admin_url');
     $admin_url = 'admin';
@@ -185,12 +196,6 @@ function migrateLanguages()
     Route::any($admin_url . '/{all}', array('as' => 'admin', 'uses' => 'AdminController@index'))->where('all', '.*');
 
 
-    Route::any('api/{all}', array('as' => 'api', 'uses' => 'FrontendController@api'))->where('all', '.*');
-    Route::any('api_html/{all}', array('as' => 'api', 'uses' => 'FrontendController@api_html'))->where('all', '.*');
-    Route::any('/api_html', 'FrontendController@api_html');
-    //
-    Route::any('/editor_tools', 'FrontendController@editor_tools');
-    Route::any('editor_tools/{all}', array('as' => 'editor_tools', 'uses' => 'FrontendController@editor_tools'))->where('all', '.*');