feat: remove authentication with login + password for carddav (#3830)

monicahq · Apr 12, 2020 · 9159753 · 9159753
1 parent 8168b54
commit 9159753
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 14 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,13 +7,15 @@
 
 ### Enhancements:
 
+* Remove authentication with login+password for carddav
 * Add new command monica:passport to generate encryption if needed
 * Improve nginx config docker examples
 * Remove u2f support (replaced with WebAuthn)
 * Serialize photo content in VCard photo value
 
 ### Fixes:
 
+* Fix authentication with token on basic auth
 * Fix editing multiple notes at the same time only edits one note
 * Fix countries in fake contact seeder
 * Fix docker rsync exclude rules

diff --git a/app/Http/Middleware/AuthenticateWithTokenOnBasicAuth.php b/app/Http/Middleware/AuthenticateWithTokenOnBasicAuth.php
@@ -3,12 +3,15 @@
 namespace App\Http\Middleware;
 
 use Closure;
+use Illuminate\Http\Request;
 use Illuminate\Auth\AuthManager;
 
 /**
- * Authenticate user with Basic Authentication, with two methods:
- * - Basic auth: login + password
- * - Bearer on basic: login + api token.
+ * Authenticate user with Basic Authentication, with Passport token on password field.
+ *
+ * Examples:
+ *   curl -u "email@example.com:$TOKEN" -X PROPFIND https://localhost/dav/
+ *   curl -u ":$TOKEN" -X PROPFIND https://localhost/dav/
  */
 class AuthenticateWithTokenOnBasicAuth
 {
@@ -57,25 +60,40 @@ private function authenticate($request)
             return;
         }
 
+        $user = $this->tryBearer($request);
+
+        if ($user && (! $request->getUser() || $request->getUser() === $user->email)) {
+            $this->auth->guard()->setUser($user);
+        }
+    }
+
+    /**
+     * Try Bearer authentication, with token in 'password' field on basic auth.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     */
+    private function tryBearer(Request $request)
+    {
         // Try Bearer authentication, with token in 'password' field on basic auth
         if (! $request->bearerToken()) {
             $password = $request->getPassword();
             $request->headers->set('Authorization', 'Bearer '.$password);
         }
 
+        $headerUser = $request->getUser();
         $user = null;
-        $guard = $this->auth->guard('api');
-        if (method_exists($guard, 'setRequest')) {
-            $user = $guard->setRequest($request)->user();
-        }
+        try {
+            $request->headers->set('PHP_AUTH_USER', '');
 
-        if ($user && (! $request->getUser() || (property_exists($user, 'email') && $request->getUser() === $user->email))) {
-            $this->auth->guard()->setUser($user);
-        } else {
-            // Basic authentication
-            /** @var \Illuminate\Contracts\Auth\SupportsBasicAuth */
-            $guard = $this->auth->guard();
-            $guard->onceBasic();
+            $guard = $this->auth->guard('api');
+
+            if (method_exists($guard, 'setRequest')) {
+                $user = $guard->setRequest($request)->user();
+            }
+        } finally {
+            $request->headers->set('PHP_AUTH_USER', $headerUser);
         }
+
+        return $user;
     }
 }