Bring back the confirmation_key in Account but only in Admin endpoints (for security reason)

Authenticate on the resolvedRealm and not the configured domain Bump package
2026-01-18 02:18:06 +00:00 · 2021-02-11 17:59:41 +01:00 · 2021-02-11 17:59:41 +01:00 · 3fdedda515
commit 3fdedda515
parent 4fc6aaa824
5 changed files with 12 additions and 5 deletions
--- a/flexiapi/app/Http/Controllers/Account/AuthenticateController.php
+++ b/flexiapi/app/Http/Controllers/Account/AuthenticateController.php
@ -59,7 +59,7 @@ class AuthenticateController extends Controller
        foreach ($account->passwords as $password) {
            if (hash_equals(
                $password->password,
-                Utils::bchash($request->get('username'), config('app.sip_domain'), $request->get('password'), $password->algorithm)
+                Utils::bchash($request->get('username'), $account->resolvedRealm, $request->get('password'), $password->algorithm)
            )) {
                Auth::login($account);
                return redirect()->route('account.panel');
--- a/flexiapi/app/Http/Controllers/Api/Admin/AccountController.php
+++ b/flexiapi/app/Http/Controllers/Api/Admin/AccountController.php
@ -40,7 +40,7 @@ class AccountController extends Controller

    public function show(Request $request, $id)
    {
-        return Account::without(['passwords', 'admin'])->findOrFail($id);
+        return Account::without(['passwords', 'admin'])->findOrFail($id)->makeVisible(['confirmation_key']);
    }

    public function destroy(Request $request, $id)
@ -111,6 +111,6 @@ class AccountController extends Controller
        $password->algorithm = $request->get('algorithm');
        $password->save();

-        return response()->json($account);
+        return response()->json($account->makeVisible(['confirmation_key']));
    }
 }
--- a/flexiapi/app/Http/Middleware/AuthenticateDigestOrKey.php
+++ b/flexiapi/app/Http/Middleware/AuthenticateDigestOrKey.php
@ -51,7 +51,8 @@ class AuthenticateDigestOrKey
        $from = $this->extractFromHeader($request->header('From'));
        list($username, $domain) = explode('@', $from);

-        $account = Account::where('username', $username)
+        $account = Account::withoutGlobalScopes()
+                          ->where('username', $username)
                          ->where('domain', $domain)
                          ->firstOrFail();

--- a/flexiapi/tests/Feature/AccountApiTest.php
+++ b/flexiapi/tests/Feature/AccountApiTest.php
@ -106,6 +106,8 @@ class AccountApiTest extends TestCase
                'domain' => $domain,
                'activated' => false
            ]);
+
+        $this->assertFalse(empty($response1['confirmation_key']));
    }

    public function testUsernameNoDomain()
@ -174,6 +176,8 @@ class AccountApiTest extends TestCase
                'domain' => config('app.sip_domain'),
                'activated' => true,
            ]);
+
+        $this->assertTrue(empty($response1['confirmation_key']));
    }

    public function testNotActivated()
@ -201,6 +205,8 @@ class AccountApiTest extends TestCase
                'domain' => config('app.sip_domain'),
                'activated' => false,
            ]);
+
+        $this->assertFalse(empty($response1['confirmation_key']));
    }

    public function testSimpleAccount()
--- a/flexisip-account-manager.spec
+++ b/flexisip-account-manager.spec
@ -8,7 +8,7 @@
 #%define _datadir           %{_datarootdir}
 #%define _docdir            %{_datadir}/doc

-%define build_number 49
+%define build_number 50
 %define var_dir /var/opt/belledonne-communications
 %define opt_dir /opt/belledonne-communications/share/flexisip-account-manager
 %define env_file "$RPM_BUILD_ROOT/etc/flexisip-account-manager/flexiapi.env"