Merge pull request #391 from kenjis/fix-auth-actions

fix: Session auth action checks

Author: kenjis

src/Authentication/Authenticators/Session.php

@@ -35,14 +35,17 @@ class Session implements AuthenticatorInterface
      */
     public const ID_TYPE_USERNAME = 'username';
 
+    // Identity types
     public const ID_TYPE_EMAIL_PASSWORD = 'email_password';
     public const ID_TYPE_MAGIC_LINK     = 'magic-link';
     public const ID_TYPE_EMAIL_2FA      = 'email_2fa';
     public const ID_TYPE_EMAIL_ACTIVATE = 'email_activate';
-    private const STATE_UNKNOWN         = 0;
-    private const STATE_ANONYMOUS       = 1;
-    private const STATE_PENDING         = 2;
-    private const STATE_LOGGED_IN       = 3;
+
+    // User states
+    private const STATE_UNKNOWN   = 0; // Not checked yet.
+    private const STATE_ANONYMOUS = 1;
+    private const STATE_PENDING   = 2; // 2FA or Activation required.
+    private const STATE_LOGGED_IN = 3;
 
     /**
      * The persistence engine
@@ -149,6 +152,9 @@ public function attempt(array $credentials): Result
         // Update the user's last used date on their password identity.
         $user->touchIdentity($user->getEmailIdentity());
 
+        // Check ID_TYPE_EMAIL_ACTIVATE identity
+        $hasEmailActivate = $this->setAuthActionEmailActivate();
+
         // If an action has been defined for login, start it up.
         $hasAction = $this->startUpAction('login', $user);
 
@@ -158,7 +164,7 @@ public function attempt(array $credentials): Result
 
         $this->issueRememberMeToken();
 
-        if (! $hasAction) {
+        if (! $hasAction && ! $hasEmailActivate) {
             $this->completeLogin($user);
         }
 
@@ -405,16 +411,52 @@ private function checkUserState(): void
         $this->userState = self::STATE_ANONYMOUS;
     }
 
+    /**
+     * Has Auth Action?
+     */
+    public function hasAction(): bool
+    {
+        // Check the Session
+        if ($this->getSessionKey('auth_action')) {
+            return true;
+        }
+
+        // Check the database
+        return $this->setAuthAction();
+    }
+
     /**
      * Gets identities for action from database, and set session.
+     *
+     * @return bool true if the action is set in the session.
      */
-    private function setAuthAction(): void
+    private function setAuthAction(): bool
     {
-        // Get identities for action
-        $identities = $this->getIdentitiesForAction();
+        if ($this->user === null) {
+            return false;
+        }
+
+        // First, check ID_TYPE_EMAIL_ACTIVATE identity
+        $hasAction = $this->setAuthActionEmailActivate();
+        if ($hasAction) {
+            return true;
+        }
+
+        // Next, check ID_TYPE_EMAIL_2FA identity
+        return $this->setAuthActionEmail2FA();
+    }
 
-        // Having an action?
-        foreach ($identities as $identity) {
+    /**
+     * @return bool true if the action is set in the session.
+     */
+    private function setAuthActionEmailActivate(): bool
+    {
+        $identity = $this->userIdentityModel->getIdentityByType(
+            $this->user,
+            self::ID_TYPE_EMAIL_ACTIVATE
+        );
+
+        if ($identity) {
             $actionClass = setting('Auth.actions')[$identity->name];
 
             if ($actionClass) {
@@ -423,9 +465,37 @@ private function setAuthAction(): void
                 $this->setSessionKey('auth_action', $actionClass);
                 $this->setSessionKey('auth_action_message', $identity->extra);
 
-                return;
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * @return bool true if the action is set in the session.
+     */
+    private function setAuthActionEmail2FA(): bool
+    {
+        $identity = $this->userIdentityModel->getIdentityByType(
+            $this->user,
+            self::ID_TYPE_EMAIL_2FA
+        );
+
+        if ($identity) {
+            $actionClass = setting('Auth.actions')[$identity->name];
+
+            if ($actionClass) {
+                $this->userState = self::STATE_PENDING;
+
+                $this->setSessionKey('auth_action', $actionClass);
+                $this->setSessionKey('auth_action_message', $identity->extra);
+
+                return true;
             }
         }
+
+        return false;
     }
 
     /**

src/Controllers/LoginController.php

@@ -23,6 +23,14 @@ public function loginView()
             return redirect()->to(config('Auth')->loginRedirect());
         }
 
+        /** @var Session $authenticator */
+        $authenticator = auth('session')->getAuthenticator();
+
+        // If an action has been defined, start it up.
+        if ($authenticator->hasAction()) {
+            return redirect()->route('auth-action-show');
+        }
+
         return view(setting('Auth.views')['login']);
     }
 
@@ -44,20 +52,20 @@ public function loginAction(): RedirectResponse
         $credentials['password'] = $this->request->getPost('password');
         $remember                = (bool) $this->request->getPost('remember');
 
+        /** @var Session $authenticator */
+        $authenticator = auth('session')->getAuthenticator();
+
         // Attempt to login
-        $result = auth('session')->remember($remember)->attempt($credentials);
+        $result = $authenticator->remember($remember)->attempt($credentials);
         if (! $result->isOK()) {
             return redirect()->route('login')->withInput()->with('error', $result->reason());
         }
 
-        // custom bit of information
-        $user = $result->extraInfo();
         /** @var Session $authenticator */
         $authenticator = auth('session')->getAuthenticator();
 
         // If an action has been defined for login, start it up.
-        $hasAction = $authenticator->startUpAction('login', $user);
-        if ($hasAction) {
+        if ($authenticator->hasAction()) {
             return redirect()->route('auth-action-show')->withCookies();
         }
 

src/Controllers/RegisterController.php

@@ -39,6 +39,14 @@ public function registerView()
                 ->with('error', lang('Auth.registerDisabled'));
         }
 
+        /** @var Session $authenticator */
+        $authenticator = auth('session')->getAuthenticator();
+
+        // If an action has been defined, start it up.
+        if ($authenticator->hasAction()) {
+            return redirect()->route('auth-action-show');
+        }
+
         return view(setting('Auth.views')['register']);
     }
 

tests/Controllers/RegisterTest.php

@@ -147,6 +147,83 @@ public function testRegisterRedirectsToActionIfDefined(): void
         ]);
     }
 
+    public function testRegisteredButNotActivatedAndLogin(): void
+    {
+        // Ensure our action is defined
+        $config                      = config('Auth');
+        $config->actions['register'] = EmailActivator::class;
+        Factories::injectMock('config', 'Auth', $config);
+
+        $result = $this->post('/register', [
+            'email'            => 'foo@example.com',
+            'username'         => 'foo',
+            'password'         => 'abkdhflkjsdflkjasd;lkjf',
+            'password_confirm' => 'abkdhflkjsdflkjasd;lkjf',
+        ]);
+
+        // Should have been redirected to the action's page.
+        $result->assertRedirectTo('/auth/a/show');
+
+        // Not activated yet, but login again.
+        $result = $this->withSession()->get('/login');
+
+        // Should have been redirected to the action's page.
+        $result->assertRedirectTo('/auth/a/show');
+    }
+
+    public function testRegisteredButNotActivatedAndRegisterAgain(): void
+    {
+        // Ensure our action is defined
+        $config                      = config('Auth');
+        $config->actions['register'] = EmailActivator::class;
+        Factories::injectMock('config', 'Auth', $config);
+
+        $password = 'abkdhflkjsdflkjasd;lkjf';
+
+        $result = $this->post('/register', [
+            'email'            => 'foo@example.com',
+            'username'         => 'foo',
+            'password'         => $password,
+            'password_confirm' => $password,
+        ]);
+
+        // Should have been redirected to the action's page.
+        $result->assertRedirectTo('/auth/a/show');
+
+        // Not activated yet, but register again.
+        $result = $this->withSession()->get('/register');
+
+        // Should have been redirected to the action's page.
+        $result->assertRedirectTo('/auth/a/show');
+    }
+
+    public function testRegisteredAndSessionExpiredAndLogin(): void
+    {
+        // Ensure our action is defined
+        $config                      = config('Auth');
+        $config->actions['register'] = EmailActivator::class;
+        Factories::injectMock('config', 'Auth', $config);
+
+        $result = $this->post('/register', [
+            'email'            => 'foo@example.com',
+            'username'         => 'foo',
+            'password'         => 'abkdhflkjsdflkjasd;lkjf',
+            'password_confirm' => 'abkdhflkjsdflkjasd;lkjf',
+        ]);
+
+        // Should have been redirected to the action's page.
+        $result->assertRedirectTo('/auth/a/show');
+
+        // Not activated yet, and do not set Session (= the session is expired) and login again.
+        $result = $this->post('/login', [
+            'email'    => 'foo@example.com',
+            'password' => 'abkdhflkjsdflkjasd;lkjf',
+        ]);
+
+        // Should have been redirected to the action's page.
+        $result->assertRedirectTo('/auth/a/show');
+    }
+
     public function testRegisterRedirectsIfLoggedIn(): void
     {
         // log them in