
Refactor routes rejection using middlewares

Bubka 3 年之前
父節點
當前提交
5eee3de134

+ 0 - 5
app/Exceptions/Handler.php

@@ -59,10 +59,5 @@ class Handler extends ExceptionHandler
             return response()->json([
                 'message' => $exception->getMessage()], 400);
         });
-
-        $this->renderable(function (UnsupportedWithReverseProxyException $exception, $request) {
-            return response()->json([
-                'message' => __('errors.unsupported_with_reverseproxy')], 400);
-        });
     }
 }

+ 0 - 14
app/Exceptions/UnsupportedWithReverseProxyException.php

@@ -1,14 +0,0 @@
-<?php
-
-namespace App\Exceptions;
-
-use Exception;
-
-/**
- * Class UnsupportedWithReverseProxyException.
- *
- * @codeCoverageIgnore
- */
-class UnsupportedWithReverseProxyException extends Exception
-{
-}

+ 0 - 14
app/Http/Controllers/Auth/ForgotPasswordController.php

@@ -5,7 +5,6 @@ namespace App\Http\Controllers\Auth;
 use Illuminate\Http\Request;
 use App\Http\Controllers\Controller;
 use Illuminate\Foundation\Auth\SendsPasswordResetEmails;
-use App\Exceptions\UnsupportedWithReverseProxyException;
 
 class ForgotPasswordController extends Controller
 {
@@ -23,19 +22,6 @@ class ForgotPasswordController extends Controller
     use SendsPasswordResetEmails;
 
 
-    /**
-     * Create a new controller instance.
-     */
-    public function __construct()
-    {
-        $authGuard = config('auth.defaults.guard');
-
-        if ($authGuard === 'reverse-proxy-guard') {
-            throw new UnsupportedWithReverseProxyException();
-        }
-    }
-
-
     /**
      * Validate the email for the given request.
      *

+ 0 - 14
app/Http/Controllers/Auth/LoginController.php

@@ -10,7 +10,6 @@ use Illuminate\Support\Facades\Lang;
 use App\Http\Requests\LoginRequest;
 use Illuminate\Foundation\Auth\AuthenticatesUsers;
 use Carbon\Carbon;
-use App\Exceptions\UnsupportedWithReverseProxyException;
 
 
 class LoginController extends Controller
@@ -29,19 +28,6 @@ class LoginController extends Controller
     use AuthenticatesUsers;
 
 
-    /**
-     * Create a new controller instance.
-     */
-    public function __construct()
-    {
-        $authGuard = config('auth.defaults.guard');
-
-        if ($authGuard === 'reverse-proxy-guard') {
-            throw new UnsupportedWithReverseProxyException();
-        }
-    }
-
-
     /**
      * Handle a login request to the application.
      *

+ 0 - 16
app/Http/Controllers/Auth/PasswordController.php

@@ -6,25 +6,9 @@ use App\Http\Requests\UserPatchPwdRequest;
 use App\Http\Controllers\Controller;
 use Illuminate\Support\Facades\Auth;
 use Illuminate\Support\Facades\Hash;
-use App\Exceptions\UnsupportedWithReverseProxyException;
 
 class PasswordController extends Controller
 {
-
-
-    /**
-     * Create a new controller instance.
-     */
-    public function __construct()
-    {
-        $authGuard = config('auth.defaults.guard');
-
-        if ($authGuard === 'reverse-proxy-guard') {
-            throw new UnsupportedWithReverseProxyException();
-        }
-    }
-    
-
     /**
      * Update the user's password.
      *

+ 0 - 29
app/Http/Controllers/Auth/PersonalAccessTokenController.php

@@ -1,29 +0,0 @@
-<?php
-
-namespace App\Http\Controllers\Auth;
-
-use Illuminate\Http\Request;
-use Laravel\Passport\Http\Controllers\PersonalAccessTokenController as PassportPersonalAccessTokenController;
-
-class PersonalAccessTokenController extends PassportPersonalAccessTokenController
-{
-    /**
-     * Get all of the personal access tokens for the authenticated user.
-     *
-     * @param  \Illuminate\Http\Request  $request
-     * @return \Illuminate\Database\Eloquent\Collection
-     */
-    public function forUser(Request $request)
-    {
-        // WebAuthn is useless when authentication is handle by
-        // a reverse proxy so we return a 202 response to tell the
-        // client nothing more will happen
-        if (config('auth.defaults.guard') === 'reverse-proxy-guard') {
-            return response()->json([
-                'message' => 'no personal access token with reverse proxy'], 202);
-        }
-
-        parent::forUser($request);
-    }
-
-}

+ 0 - 14
app/Http/Controllers/Auth/RegisterController.php

@@ -8,7 +8,6 @@ use App\Http\Controllers\Controller;
 use Illuminate\Support\Facades\Hash;
 use Illuminate\Auth\Events\Registered;
 use Illuminate\Foundation\Auth\RegistersUsers;
-use App\Exceptions\UnsupportedWithReverseProxyException;
 
 class RegisterController extends Controller
 {
@@ -26,19 +25,6 @@ class RegisterController extends Controller
     use RegistersUsers;
 
 
-    /**
-     * Create a new controller instance.
-     */
-    public function __construct()
-    {
-        $authGuard = config('auth.defaults.guard');
-
-        if ($authGuard === 'reverse-proxy-guard') {
-            throw new UnsupportedWithReverseProxyException();
-        }
-    }
-
-
     /**
      * Handle a registration request for the application.
      *

+ 0 - 14
app/Http/Controllers/Auth/ResetPasswordController.php

@@ -4,7 +4,6 @@ namespace App\Http\Controllers\Auth;
 
 use App\Http\Controllers\Controller;
 use Illuminate\Foundation\Auth\ResetsPasswords;
-use App\Exceptions\UnsupportedWithReverseProxyException;
 
 class ResetPasswordController extends Controller
 {
@@ -21,17 +20,4 @@ class ResetPasswordController extends Controller
 
     use ResetsPasswords;
 
-
-    /**
-     * Create a new controller instance.
-     */
-    public function __construct()
-    {
-        $authGuard = config('auth.defaults.guard');
-
-        if ($authGuard === 'reverse-proxy-guard') {
-            throw new UnsupportedWithReverseProxyException();
-        }
-    }
-
 }

+ 0 - 6
app/Http/Controllers/Auth/UserController.php

@@ -12,7 +12,6 @@ use Illuminate\Support\Facades\Auth;
 use Illuminate\Support\Facades\Hash;
 use Illuminate\Support\Facades\DB;
 use Illuminate\Support\Facades\Artisan;
-use App\Exceptions\UnsupportedWithReverseProxyException;
 use Exception;
 
 class UserController extends Controller
@@ -32,11 +31,6 @@ class UserController extends Controller
     public function __construct(TwoFAccountService $twofaccountService)
     {
         $this->twofaccountService = $twofaccountService;
-        $authGuard = config('auth.defaults.guard');
-
-        if ($authGuard === 'reverse-proxy-guard') {
-            throw new UnsupportedWithReverseProxyException();
-        }
     }
 
     

+ 0 - 15
app/Http/Controllers/Auth/WebAuthnConfirmController.php

@@ -5,7 +5,6 @@ namespace App\Http\Controllers\Auth;
 use App\Http\Controllers\Controller;
 use App\Providers\RouteServiceProvider;
 use DarkGhostHunter\Larapass\Http\ConfirmsWebAuthn;
-use App\Exceptions\UnsupportedWithReverseProxyException;
 
 class WebAuthnConfirmController extends Controller
 {
@@ -28,18 +27,4 @@ class WebAuthnConfirmController extends Controller
      * @var string
      */
     protected $redirectTo = RouteServiceProvider::HOME;
-
-    /**
-     * Create a new controller instance.
-     *
-     * @return void
-     */
-    public function __construct()
-    {
-        $authGuard = config('auth.defaults.guard');
-
-        if ($authGuard === 'reverse-proxy-guard') {
-            throw new UnsupportedWithReverseProxyException();
-        }
-    }
 }

+ 0 - 14
app/Http/Controllers/Auth/WebAuthnDeviceLostController.php

@@ -6,7 +6,6 @@ use App\Http\Controllers\Controller;
 use DarkGhostHunter\Larapass\Http\SendsWebAuthnRecoveryEmail;
 use Illuminate\Http\Request;
 use Illuminate\Validation\ValidationException;
-use App\Exceptions\UnsupportedWithReverseProxyException;
 
 class WebAuthnDeviceLostController extends Controller
 {
@@ -23,19 +22,6 @@ class WebAuthnDeviceLostController extends Controller
     |
     */
 
-    /**
-     * Create a new controller instance.
-     */
-    public function __construct()
-    {
-        $authGuard = config('auth.defaults.guard');
-
-        if ($authGuard === 'reverse-proxy-guard') {
-            throw new UnsupportedWithReverseProxyException();
-        }
-    }
-
-
     /**
      * The recovery credentials to retrieve through validation rules.
      *

+ 0 - 13
app/Http/Controllers/Auth/WebAuthnLoginController.php

@@ -6,7 +6,6 @@ use App\Models\User;
 use Illuminate\Http\Request;
 use App\Http\Controllers\Controller;
 use DarkGhostHunter\Larapass\Http\AuthenticatesWebAuthn;
-use App\Exceptions\UnsupportedWithReverseProxyException;
 
 class WebAuthnLoginController extends Controller
 {
@@ -27,18 +26,6 @@ class WebAuthnLoginController extends Controller
     |
     */
 
-    /**
-     * Create a new controller instance.
-     */
-    public function __construct()
-    {
-        $authGuard = config('auth.defaults.guard');
-
-        if ($authGuard === 'reverse-proxy-guard') {
-            throw new UnsupportedWithReverseProxyException();
-        }
-    }
-
 
 	public function options(Request $request)
 	{

+ 3 - 11
app/Http/Controllers/Auth/WebAuthnManageController.php

@@ -6,12 +6,9 @@ use App\Http\Controllers\Controller;
 use Illuminate\Http\Request;
 use App\Http\Requests\WebauthnRenameRequest;
 use DarkGhostHunter\Larapass\Eloquent\WebAuthnCredential;
-use App\Exceptions\UnsupportedWithReverseProxyException;
 
 class WebAuthnManageController extends Controller
 {
-    // use RecoversWebAuthn;
-
     /*
     |--------------------------------------------------------------------------
     | WebAuthn Manage Controller
@@ -33,14 +30,6 @@ class WebAuthnManageController extends Controller
      */
     public function index(Request $request)
     {
-        // WebAuthn is useless when authentication is handle by
-        // a reverse proxy so we return a 202 response to tell the
-        // client nothing more will happen
-        if (config('auth.defaults.guard') === 'reverse-proxy-guard') {
-            return response()->json([
-                'message' => 'no webauthn with reverse proxy'], 202);
-        }
-
         $user = $request->user();
         $allUserCredentials = $user->webAuthnCredentials()
                                     ->enabled()
@@ -72,6 +61,9 @@ class WebAuthnManageController extends Controller
 
     /**
      * Remove the specified credential from storage.
+     * 
+     * @param  \Illuminate\Http\Request  $request
+     * @param  string|array  $credential
      *
      * @return \Illuminate\Http\JsonResponse
      */

+ 0 - 13
app/Http/Controllers/Auth/WebAuthnRecoveryController.php

@@ -9,7 +9,6 @@ use DarkGhostHunter\Larapass\Facades\WebAuthn;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
 use Illuminate\Validation\ValidationException;
-use App\Exceptions\UnsupportedWithReverseProxyException;
 
 class WebAuthnRecoveryController extends Controller
 {
@@ -32,19 +31,7 @@ class WebAuthnRecoveryController extends Controller
      * @var string
      */
     protected $redirectTo = RouteServiceProvider::HOME;
-
     
-    /**
-     * Create a new controller instance.
-     */
-    public function __construct()
-    {
-        $authGuard = config('auth.defaults.guard');
-
-        if ($authGuard === 'reverse-proxy-guard') {
-            throw new UnsupportedWithReverseProxyException();
-        }
-    }
 
     /**
      * Returns the credential creation options to the user.

+ 0 - 13
app/Http/Controllers/Auth/WebAuthnRegisterController.php

@@ -4,7 +4,6 @@ namespace App\Http\Controllers\Auth;
 
 use App\Http\Controllers\Controller;
 use DarkGhostHunter\Larapass\Http\RegistersWebAuthn;
-use App\Exceptions\UnsupportedWithReverseProxyException;
 
 class WebAuthnRegisterController extends Controller
 {
@@ -20,16 +19,4 @@ class WebAuthnRegisterController extends Controller
     | persisted into the application, otherwise it will signal failure.
     |
     */
-
-    /**
-     * Create a new controller instance.
-     */
-    public function __construct()
-    {
-        $authGuard = config('auth.defaults.guard');
-
-        if ($authGuard === 'reverse-proxy-guard') {
-            throw new UnsupportedWithReverseProxyException();
-        }
-    }
 }

+ 3 - 1
app/Http/Kernel.php

@@ -71,7 +71,9 @@ class Kernel extends HttpKernel
         'auth' => \App\Http\Middleware\Authenticate::class,
         'guest' => \App\Http\Middleware\RejectIfAuthenticated::class,
         'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
-        'disableInDemoMode' => \App\Http\Middleware\DisableInDemoMode::class,
+        'rejectIfDemoMode' => \App\Http\Middleware\RejectIfDemoMode::class,
+        'rejectIfReverseProxy' => \App\Http\Middleware\RejectIfReverseProxy::class,
+        
     ];
 
     /**
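Review bot: The line added right after the `'rejectIfReverseProxy'` entry is whitespace-only (`+        `), which adds trailing whitespace inside the alias array and nothing else; drop it so the array ends with the `RejectIfReverseProxy` entry. Renaming the alias from `disableInDemoMode` to `rejectIfDemoMode` is a breaking change for any `->middleware('disableInDemoMode')` call outside routes/web.php, which would only fail at request time rather than at boot, so it is worth confirming no other caller still uses the old name.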

+ 2 - 2
app/Http/Middleware/DisableInDemoMode.php → app/Http/Middleware/RejectIfDemoMode.php

@@ -6,7 +6,7 @@ use Closure;
 use Illuminate\Http\Response;
 use Illuminate\Support\Facades\Log;
 
-class DisableInDemoMode
+class RejectIfDemoMode
 {
     /**
      * Handle an incoming request.
@@ -19,7 +19,7 @@ class DisableInDemoMode
     {
 
         if( config('2fauth.config.isDemoApp') ) {
-            Log::notice('Cannot request a password reset in Demo mode');
+            Log::notice('Cannot request this action in Demo mode');
 
             return response()->json(['message' => __('auth.forms.disabled_in_demo')], Response::HTTP_UNAUTHORIZED);
         }

+ 28 - 0
app/Http/Middleware/RejectIfReverseProxy.php

@@ -0,0 +1,28 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+use Illuminate\Support\Facades\Log;
+
+class RejectIfReverseProxy
+{
+    /**
+     * Handle an incoming request.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  \Closure  $next
+     * @return mixed
+     */
+    public function handle($request, Closure $next)
+    {
+        if (config('auth.defaults.guard') === 'reverse-proxy-guard') {
+            Log::notice('Cannot request this action in Demo mode');
+
+            return response()->json([
+                'message' => __('errors.unsupported_with_reverseproxy')], 400);
+        }
+
+        return $next($request);
+    }
+}
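Review bot: The notice logged when the reverse-proxy guard is active reads `'Cannot request this action in Demo mode'`, copied from RejectIfDemoMode, so reverse-proxy rejections will be mislabelled as demo-mode events in the log; use `Log::notice('Cannot request this action when authentication is handled by a reverse proxy');` or similar. The signature `public function handle($request, Closure $next)` leaves `$request` untyped while the docblock promises `\Illuminate\Http\Request`; `public function handle(Request $request, Closure $next)` plus the `use Illuminate\Http\Request;` import would let the engine enforce what the docblock states. The check itself matches the constructor guards the commit removes, so routes that carry the alias keep the same rejection.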

+ 12 - 6
resources/js/views/settings/OAuth.vue

@@ -84,12 +84,8 @@
 
                 this.isFetching = true
 
-                await this.axios.get('/oauth/personal-access-tokens').then(response => {
-                    if (response.status === 202) {
-                        this.isRemoteUser = true
-                        return
-                    }
-
+                await this.axios.get('/oauth/personal-access-tokens')
+                .then(response => {
                     const tokens = []
 
                     response.data.forEach((data) => {
@@ -104,6 +100,16 @@
 
                     this.tokens = tokens
                 })
+                .catch(error => {
+                    if( error.response.status === 400 ) {
+
+                        this.isRemoteUser = true
+                    }
+                    else {
+
+                        this.$router.push({ name: 'genericError', params: { err: error.response } });
+                    }
+                })
 
                 this.isFetching = false
             },
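Review bot: The new `.catch` dereferences `error.response.status` unconditionally, so a request that fails without a response (network error, timeout) throws a TypeError inside the handler and the `this.isFetching = false` line after the await is never reached; guard it with `if (error.response && error.response.status === 400) {` and send everything else to the error route. The same unguarded access is in the WebAuthn.vue hunk. Note also that the WebAuthn.vue call passes `{returnError: true}` to `axios.get` while this call does not; if the project's axios interceptor only forwards errors to `.catch` when that option is set, this handler never sees the 400 and `isRemoteUser` is never set — worth confirming against the interceptor.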

+ 11 - 3
resources/js/views/settings/WebAuthn.vue

@@ -101,11 +101,19 @@
 
                 this.isFetching = true
 
-                await this.axios.get('/webauthn/credentials').then(response => {
-                    if (response.status === 202) {
+                await this.axios.get('/webauthn/credentials', {returnError: true})
+                .then(response => {
+                    this.credentials = response.data
+                })
+                .catch(error => {
+                    if( error.response.status === 400 ) {
+
                         this.isRemoteUser = true
                     }
-                    else this.credentials = response.data
+                    else {
+
+                        this.$router.push({ name: 'genericError', params: { err: error.response } });
+                    }
                 })
 
                 this.isFetching = false

+ 8 - 8
routes/web.php

@@ -16,7 +16,7 @@ use App\Http\Controllers\Auth\WebAuthnRecoveryController;
 /**
  * Routes that only work for unauthenticated user (return an error otherwise)
  */
-Route::group(['middleware' => ['guest', 'disableInDemoMode']], function () {
+Route::group(['middleware' => ['guest', 'rejectIfDemoMode']], function () {
     Route::post('user', 'Auth\RegisterController@register')->name('user.register');
     Route::post('user/password/lost', 'Auth\ForgotPasswordController@sendResetLinkEmail')->name('user.password.lost');;
     Route::post('user/password/reset', 'Auth\ResetPasswordController@reset')->name('user.password.reset');
@@ -36,17 +36,17 @@ Route::group(['middleware' => ['guest', 'throttle:10,1']], function () {
 });
 
 /**
- * Routes protected by an authentication guard
+ * Routes protected by an authentication guard but rejected when reverse-proxy guard is enabled
  */
-Route::group(['middleware' => 'behind-auth'], function () {
+Route::group(['middleware' => ['behind-auth', 'rejectIfReverseProxy']], function () {
     Route::put('user', 'Auth\UserController@update')->name('user.update');
-    Route::patch('user/password', 'Auth\PasswordController@update')->name('user.password.update')->middleware('disableInDemoMode');
+    Route::patch('user/password', 'Auth\PasswordController@update')->name('user.password.update')->middleware('rejectIfDemoMode');
     Route::get('user/logout', 'Auth\LoginController@logout')->name('user.logout');
-    Route::delete('user', 'Auth\UserController@delete')->name('user.delete')->middleware('disableInDemoMode');
+    Route::delete('user', 'Auth\UserController@delete')->name('user.delete')->middleware('rejectIfDemoMode');
 
-    Route::get('oauth/personal-access-tokens', 'Auth\PersonalAccessTokenController@forUser')->name('passport.personal.tokens.index');
-    Route::post('oauth/personal-access-tokens', 'Auth\PersonalAccessTokenController@store')->name('passport.personal.tokens.store');
-    Route::delete('oauth/personal-access-tokens/{token_id}', 'Auth\PersonalAccessTokenController@destroy')->name('passport.personal.tokens.destroy');
+    Route::get('oauth/personal-access-tokens', 'Laravel\Passport\Http\Controllers\PersonalAccessTokenController@forUser')->name('passport.personal.tokens.index');
+    Route::post('oauth/personal-access-tokens', 'Laravel\Passport\Http\Controllers\PersonalAccessTokenController@store')->name('passport.personal.tokens.store');
+    Route::delete('oauth/personal-access-tokens/{token_id}', 'Laravel\Passport\Http\Controllers\PersonalAccessTokenController@destroy')->name('passport.personal.tokens.destroy');
     
     Route::post('webauthn/register/options', [WebAuthnRegisterController::class, 'options'])->name('webauthn.register.options');
     Route::post('webauthn/register', [WebAuthnRegisterController::class, 'register'])->name('webauthn.register');
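Review bot: The guest group at `Route::group(['middleware' => ['guest', 'rejectIfDemoMode']], function () {` does not get `rejectIfReverseProxy`, yet this commit deletes the constructor guards that used to reject RegisterController, ForgotPasswordController and ResetPasswordController under the reverse-proxy guard, so registration and password-reset requests appear to proceed unrejected when `auth.defaults.guard` is `reverse-proxy-guard`. Unless a hunk outside this view adds the alias there, the line should read `Route::group(['middleware' => ['guest', 'rejectIfDemoMode', 'rejectIfReverseProxy']], function () {`. The `['guest', 'throttle:10,1']` group named in the second hunk header, and whatever routes point at WebAuthnLoginController, WebAuthnRecoveryController and WebAuthnDeviceLostController, lost the same constructor guard but are not visible here and need the same check.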