author | Chaoyi Zha <summermontreal@gmail.com> | 2016-02-27 06:00:15 +0300 |
committer | Chaoyi Zha <summermontreal@gmail.com> | 2016-02-27 06:00:15 +0300 |
commit | 3bbbf54cc926669cda1e43abee3315f061bf4c2f (patch) | |
tree | 576943078a20be80bc493c2d0172c7f5f33783f4 | |
parent | 02ffc89b59db6576cb99cc07f46a5af2722ab26f (diff) |
Use unencrypted cookies rather than session for temporary storage, due to key changes during setup
-rw-r--r-- | app/Http/Controllers/SetupController.php | 42 | ||||
-rw-r--r-- | app/Http/routes.php | 3 | ||||
-rw-r--r-- | resources/views/env.blade.php | 2 |
3 files changed, 36 insertions, 11 deletions
diff --git a/app/Http/Controllers/SetupController.php b/app/Http/Controllers/SetupController.php
index 8ab78f6..3f7bb83 100644
--- a/app/Http/Controllers/SetupController.php
+++ b/app/Http/Controllers/SetupController.php
@@ -51,6 +51,8 @@ class SetupController extends Controller {
         }
         $app_key = CryptoHelper::generateRandomHex(16);
+        $setup_auth_key = CryptoHelper::generateRandomHex(16);
+
         $app_name = $request->input('app:name');
         $app_protocol = $request->input('app:protocol');
@@ -151,7 +153,9 @@ class SetupController extends Controller {
             'ST_BASE' => $st_base,
             'ST_AUTO_API' => $st_auto_api_key,
-            'ST_ANON_API' => $st_anon_api
+            'ST_ANON_API' => $st_anon_api,
+
+            'TMP_SETUP_AUTH_KEY' => $setup_auth_key
         ])->render();
         $handle = fopen('../.env', 'w');
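Review bot: `TMP_SETUP_AUTH_KEY` is rendered into the persistent `.env` file by the `'TMP_SETUP_AUTH_KEY' => $setup_auth_key` entry added in the second hunk here (and by the matching line added to env.blade.php), but no hunk in this commit removes or blanks it once finishSetup has consumed it, so the one-shot secret that authorises the setup_finish route outlives the setup it was created for. If finishSetup stays reachable after installation, the key should be cleared from `.env` when setup completes, or the route guarded by an already-installed check. At minimum a comment next to the entry, such as `// one-shot secret for finishSetup; must be invalidated once setup has completed`, would record the intent for whoever touches the template next. The surrounding render call starts before the hunk.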
@@ -160,20 +164,41 @@ class SetupController extends Controller {
                 'message' => 'Could not write configuration to disk.'
             ]);
         } else {
-            $response = redirect(route('setup_finish'))->with(
-                'acct_username', $acct_username)->with(
-                'acct_email', $acct_email)->with(
-                'acct_password', $acct_password)->with(
-                'setup_transaction', true);
+            Cache::flush();
+
+            $setup_finish_arguments = json_encode([
+                'acct_username' => $acct_username,
+                'acct_email' => $acct_email,
+                'acct_password' => $acct_password,
+                'setup_auth_key' => $setup_auth_key
+            ]);
+
+            $response = redirect(route('setup_finish'));
+            // set cookie with information needed for finishSetup, expire in 60 seconds
+            // we use PHP's setcookie rather than Laravel's cookie capabilities because
+            // our app key changes and Laravel encrypts cookies.
+            setcookie('setup_arguments', $setup_finish_arguments, time()+60);
         }
         fclose($handle);
         return $response;
     }
+
     public static function finishSetup(Request $request) {
-        $transaction_authorised = session('setup_transaction');
+        // get data from cookie, decode JSON
+        if (!isset($_COOKIE['setup_arguments'])) {
+            abort(404);
+        }
+
+        $setup_finish_args_raw = $_COOKIE['setup_arguments'];
+        $setup_finish_args = json_decode($setup_finish_args_raw);
+
+        // unset cookie
+        setcookie('setup_arguments', '', time()-3600);
+
+        $transaction_authorised = env('TMP_SETUP_AUTH_KEY') == $setup_finish_args->setup_auth_key;
         if ($transaction_authorised != true) {
             abort(403, 'Transaction unauthorised.');
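Review bot: The authorisation check `env('TMP_SETUP_AUTH_KEY') == $setup_finish_args->setup_auth_key` in finishSetup compares a value taken straight from the unencrypted `setup_arguments` cookie with loose `==`, and nothing verifies that `json_decode` succeeded, so a cookie holding non-JSON, a JSON number, or no `setup_auth_key` property is compared as `null` or `0` rather than rejected; under PHP 7 semantics `0 == 'non-numeric-hex'` is true, and `null == null` is true whenever the `.env` value has not been loaded. The comparison should require a non-empty string on both sides and use `hash_equals()`, and a cookie that fails to decode should abort instead of falling through — see the fence. The cookie written in performSetup also carries the admin password in clear text without the httponly and secure flags; passing setcookie's path, domain, secure and httponly arguments (`'/setup', '', $request->secure(), true`) would scope it to the setup route and keep it out of reach of page scripts. finishSetup's body continues past the end of the hunk.
```php
        $setup_finish_args_raw = $_COOKIE['setup_arguments'];
        $setup_finish_args = json_decode($setup_finish_args_raw);
        // … unchanged: expire the cookie with setcookie() …

        // reject anything that did not decode to an object carrying a string key
        if (!is_object($setup_finish_args)
            || !isset($setup_finish_args->setup_auth_key)
            || !is_string($setup_finish_args->setup_auth_key)) {
            abort(403, 'Transaction unauthorised.');
        }

        $expected_auth_key = env('TMP_SETUP_AUTH_KEY');
        // strict, constant-time comparison; an unset or empty .env key never authorises
        $transaction_authorised = is_string($expected_auth_key)
            && $expected_auth_key !== ''
            && hash_equals($expected_auth_key, $setup_finish_args->setup_auth_key);
        // … unchanged: abort(403) when not authorised, database creation …
```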
@@ -184,10 +209,9 @@ class SetupController extends Controller {
             return redirect(route('setup'))->with('error', 'Could not create database. Perhaps some credentials were incorrect?');
         }
-        $user = UserFactory::createUser(session('acct_username'), session('acct_email'), session('acct_password'), 1, $request->ip());
+        $user = UserFactory::createUser($setup_finish_args->acct_username, $setup_finish_args->acct_email, $setup_finish_args->acct_password, 1, $request->ip());
         $user->role = 'admin';
         $user->save();
-        Cache::flush();
         return view('setup_thanks')->with('success', 'Set up completed! Thanks for using Polr!');
     }
diff --git a/app/Http/routes.php b/app/Http/routes.php
index 7bd9f29..535e608 100644
--- a/app/Http/routes.php
+++ b/app/Http/routes.php
@@ -23,8 +23,7 @@ $app->get('/admin', ['as' => 'admin', 'uses' => 'AdminController@displayAdminPag
 $app->get('/setup', ['as' => 'setup', 'uses' => 'SetupController@displaySetupPage']);
 $app->post('/setup', ['as' => 'psetup', 'uses' => 'SetupController@performSetup']);
-$app->get('/setup_finish', ['as' => 'setup_finish', 'uses' => 'SetupController@finishSetup']);
-
+$app->get('/setup/finish', ['as' => 'setup_finish', 'uses' => 'SetupController@finishSetup']);
 $app->get('/{short_url}', ['uses' => 'LinkController@performRedirect']);
 $app->get('/{short_url}/{secret_key}', ['uses' => 'LinkController@performRedirect']);
diff --git a/resources/views/env.blade.php b/resources/views/env.blade.php
index 0f84196..e0309ac 100644
--- a/resources/views/env.blade.php
+++ b/resources/views/env.blade.php
@@ -94,3 +94,5 @@ POLR_RELDATE={{env('VERSION_RELMONTH')}} {{env('VERSION_RELDAY')}}, {{env('VERSI
 POLR_VERSION={{env('VERSION')}}
 POLR_BASE={{$ST_BASE}}
 POLR_SECRET_BYTES=2
+
+TMP_SETUP_AUTH_KEY={{$TMP_SETUP_AUTH_KEY}}