deon/phpldapadmin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Change we now store logged in user details in session, instead of cookies.

Browse Source 
This is so when the session expires, the logged in user details are expired as well, which wasnt happening with cookies.
This commit is contained in:
Deon George 2025-04-26 18:01:32 +10:00
parent 21a690c6dd
commit 808934ebfe
7 changed files with 48 additions and 76 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
app/Classes/LDAP/Server.php
View File

@ -8,9 +8,7 @@ use Illuminate\Support\Arr;
use Illuminate\Support\Collection; use Illuminate\Support\Collection;
use Illuminate\Support\Facades\Cache; use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\Config; use Illuminate\Support\Facades\Config;
use Illuminate\Support\Facades\Cookie;
use Illuminate\Support\Facades\Log; use Illuminate\Support\Facades\Log;
use Illuminate\Support\Facades\Session;
use LdapRecord\LdapRecordException; use LdapRecord\LdapRecordException;
use LdapRecord\Models\Model; use LdapRecord\Models\Model;
use LdapRecord\Query\Collection as LDAPCollection; use LdapRecord\Query\Collection as LDAPCollection;
@ -173,16 +171,6 @@ final class Server
} catch (LdapRecordException $e) { } catch (LdapRecordException $e) {
switch ($e->getDetailedError()?->getErrorCode()) { switch ($e->getDetailedError()?->getErrorCode()) {
case 49: case 49:
// Since we failed authentication, we should delete our auth cookie
if (Cookie::has('password_encrypt')) {
Log::alert('Clearing user credentials and logging out');
Cookie::queue(Cookie::forget('password_encrypt'));
Cookie::queue(Cookie::forget('username_encrypt'));
Session::invalidate();
}
abort(401,$e->getDetailedError()->getErrorMessage()); abort(401,$e->getDetailedError()->getErrorMessage());
default: default:
@ -196,8 +184,8 @@ final class Server
/** /**
* @note While we are caching our baseDNs, it seems if we have more than 1, * @note While we are caching our baseDNs, it seems if we have more than 1,
* our caching doesnt generate a hit on a subsequent call to this function (before the cache expires). * our caching doesnt generate a hit on a subsequent call to this function (before the cache expires).
* IE: If we have 5 baseDNs, it takes 5 calls to this function to case them all. * IE: If we have 5 baseDNs, it takes 5 calls to this function to cache them all.
* @todo Possibly a bug wtih ldaprecord, so need to investigate * @todo Possibly a bug with ldaprecord, so need to investigate
*/ */
$result = collect(); $result = collect();
foreach ($base->namingcontexts as $dn) foreach ($base->namingcontexts as $dn)

13
app/Http/Controllers/Auth/LoginController.php
View File

@ -5,7 +5,8 @@ namespace App\Http\Controllers\Auth;
use Illuminate\Foundation\Auth\AuthenticatesUsers; use Illuminate\Foundation\Auth\AuthenticatesUsers;
use Illuminate\Http\JsonResponse; use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request; use Illuminate\Http\Request;
use Illuminate\Support\Facades\Cookie; use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Log;
use App\Http\Controllers\Controller; use App\Http\Controllers\Controller;
@ -38,7 +39,8 @@ class LoginController extends Controller
*/ */
public function __construct() public function __construct()
{ {
$this->middleware('guest')->except('logout'); $this->middleware('guest')
->except('logout');
} }
protected function credentials(Request $request): array protected function credentials(Request $request): array
@ -58,17 +60,14 @@ class LoginController extends Controller
*/ */
public function logout(Request $request) public function logout(Request $request)
{ {
// Delete our LDAP authentication cookies $user = Auth::user();
Cookie::queue(Cookie::forget('username_encrypt'));
Cookie::queue(Cookie::forget('password_encrypt'));
$this->guard()->logout(); $this->guard()->logout();
$request->session()->invalidate(); $request->session()->invalidate();
$request->session()->regenerateToken(); $request->session()->regenerateToken();
if ($response = $this->loggedOut($request)) { if ($response = $this->loggedOut($request)) {
Log::info(sprintf('Logged out [%s]',$user->dn));
return $response; return $response;
} }

4
app/Http/Middleware/AllowAnonymous.php
View File

@ -4,7 +4,7 @@ namespace App\Http\Middleware;
use Closure; use Closure;
use Illuminate\Http\Request; use Illuminate\Http\Request;
use Illuminate\Support\Facades\Cookie; use Illuminate\Support\Facades\Session;
class AllowAnonymous class AllowAnonymous
{ {
@ -19,7 +19,7 @@ class AllowAnonymous
{ {
if ((! config('pla.allow_guest',FALSE)) if ((! config('pla.allow_guest',FALSE))
&& ($request->path() !== 'login') && ($request->path() !== 'login')
&& ((! Cookie::has('username_encrypt')) || (! Cookie::has('password_encrypt')))) && ((! Session::has('username_encrypt')) || (! Session::has('password_encrypt'))))
return redirect() return redirect()
->to('/login'); ->to('/login');

15
app/Http/Middleware/SwapinAuthUser.php
View File

@ -5,8 +5,9 @@ namespace App\Http\Middleware;
use Closure; use Closure;
use Illuminate\Http\Request; use Illuminate\Http\Request;
use Illuminate\Support\Facades\Config; use Illuminate\Support\Facades\Config;
use Illuminate\Support\Facades\Cookie; use Illuminate\Support\Facades\Crypt;
use Illuminate\Support\Facades\Log; use Illuminate\Support\Facades\Log;
use Illuminate\Support\Facades\Session;
use LdapRecord\Container; use LdapRecord\Container;
use App\Ldap\Connection; use App\Ldap\Connection;
@ -28,21 +29,11 @@ class SwapinAuthUser
if (! array_key_exists($key,config('ldap.connections'))) if (! array_key_exists($key,config('ldap.connections')))
abort(599,sprintf('LDAP default server [%s] configuration doesnt exist?',$key)); abort(599,sprintf('LDAP default server [%s] configuration doesnt exist?',$key));
/*
// Rebuild our connection with the authenticated user.
if (Session::has('username_encrypt') && Session::has('password_encrypt')) { if (Session::has('username_encrypt') && Session::has('password_encrypt')) {
Config::set('ldap.connections.'.$key.'.username',Crypt::decryptString(Session::get('username_encrypt'))); Config::set('ldap.connections.'.$key.'.username',Crypt::decryptString(Session::get('username_encrypt')));
Config::set('ldap.connections.'.$key.'.password',Crypt::decryptString(Session::get('password_encrypt'))); Config::set('ldap.connections.'.$key.'.password',Crypt::decryptString(Session::get('password_encrypt')));
} else Log::debug('Swapping out configured LDAP credentials with the user\'s session.',['key'=>$key]);
*/
// @todo it seems sometimes we have cookies that show the logged in user, but Auth::user() has expired?
if (Cookie::has('username_encrypt') && Cookie::has('password_encrypt')) {
Config::set('ldap.connections.'.$key.'.username',Cookie::get('username_encrypt'));
Config::set('ldap.connections.'.$key.'.password',Cookie::get('password_encrypt'));
Log::debug('Swapping out configured LDAP credentials with the user\'s cookie.',['key'=>$key,'user'=>Cookie::get('username_encrypt')]);
} }
// We need to override our Connection object so that we can store and retrieve the logged in user and swap out the credentials to use them. // We need to override our Connection object so that we can store and retrieve the logged in user and swap out the credentials to use them.

20
app/Ldap/Guard.php
View File

@ -2,26 +2,20 @@
namespace App\Ldap; namespace App\Ldap;
use Illuminate\Support\Facades\Cookie; use Illuminate\Support\Facades\Crypt;
// use Illuminate\Support\Facades\Crypt; use Illuminate\Support\Facades\Log;
use LdapRecord\Auth\Guard as GuardBase; use LdapRecord\Auth\Guard as GuardBase;
class Guard extends GuardBase class Guard extends GuardBase
{ {
public function attempt(string $username, string $password, bool $stayBound = false): bool public function attempt(string $username, string $password, bool $stayBound = false): bool
{ {
if ($result = parent::attempt($username,$password,$stayBound)) { Log::info(sprintf('Attempting login for [%s] with password [%s]',$username,($password ? str_repeat('*',16) : str_repeat('?',16))));
/*
* We can either use our session or cookies to store this. If using session, then Http/Kernel needs to be
* updated to start a session for API calls.
// We need to store our password so that we can swap in the user in during SwapinAuthUser::class middleware
request()->session()->put('username_encrypt',Crypt::encryptString($username));
request()->session()->put('password_encrypt',Crypt::encryptString($password));
*/
// For our API calls, we store the cookie - which our cookies are already encrypted if ($result = parent::attempt($username,$password,$stayBound)) {
Cookie::queue('username_encrypt',$username); // Store user details so we can swap in auth details in SwapinAuthUser
Cookie::queue('password_encrypt',$password); session()->put('username_encrypt',Crypt::encryptString($username));
session()->put('password_encrypt',Crypt::encryptString($password));
} }
return $result; return $result;

2
config/logging.php
View File

@ -68,7 +68,7 @@ return [
'daily' => [ 'daily' => [
'driver' => 'daily', 'driver' => 'daily',
'path' => storage_path('logs/laravel.log'), 'path' => storage_path('logs/laravel.log'),
'level' => env('LOG_LEVEL', 'debug'), 'level' => env('LOG_LEVEL', 'info'),
'days' => env('LOG_DAILY_DAYS', 14), 'days' => env('LOG_DAILY_DAYS', 14),
'replace_placeholders' => true, 'replace_placeholders' => true,
], ],