From d9b0f83e5d67d8d76ccc3de5703ccc97ee927f20 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timoth=C3=A9e=20Jaussoin?=
Date: Mon, 29 Sep 2025 09:44:47 +0200
Subject: [PATCH] Fix FLEXIAPI-394 Apply SpaceCheck on all the pages and URLs, backport from 2.1
---
 CHANGELOG.md | 1 +
 flexiapi/app/Http/Kernel.php | 4 +++-
 flexiapi/app/Http/Middleware/SpaceCheck.php | 4 ++--
 flexiapi/routes/api.php | 2 +-
 flexiapi/routes/web.php | 10 ++++------
 flexiapi/tests/Feature/ApiSpaceWithMiddlewareTest.php | 10 ++++------
 flexiapi/tests/Feature/ApiStatisticsTest.php | 6 +++---
 7 files changed, 18 insertions(+), 19 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c429987..f9361ec 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -78,6 +78,7 @@ v2.0
 - Fix FLEXIAPI-385 Use domains and not hosts in the EmailServer endpoints as defined in the API documentation
 - Fix FLEXIAPI-391 Add missing account view attribute in the actions.delete view
 - Fix FLEXIAPI-392 Fix the recover_by_code view and use the account space object
+- Fix FLEXIAPI-394 Apply SpaceCheck on all the pages and URLs, backport from 2.1
 v1.6
 ----
diff --git a/flexiapi/app/Http/Kernel.php b/flexiapi/app/Http/Kernel.php
index 8bee932..196581d 100644
--- a/flexiapi/app/Http/Kernel.php
+++ b/flexiapi/app/Http/Kernel.php
@@ -52,13 +52,15 @@ class Kernel extends HttpKernel
 \App\Http\Middleware\VerifyCsrfToken::class,
 \Illuminate\Routing\Middleware\SubstituteBindings::class,
 \App\Http\Middleware\Localization::class,
+ 'space.check',
 ],
 'api' => [
 'throttle:600,1', // move to 600 instead of 60
 'bindings',
 'validate_json',
- 'localization'
+ 'localization',
+ 'space.check',
 ],
 ];
diff --git a/flexiapi/app/Http/Middleware/SpaceCheck.php b/flexiapi/app/Http/Middleware/SpaceCheck.php
index ed959d7..2d28a34 100644
--- a/flexiapi/app/Http/Middleware/SpaceCheck.php
+++ b/flexiapi/app/Http/Middleware/SpaceCheck.php
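Review bot: `'space.check'` is appended after `\Illuminate\Routing\Middleware\SubstituteBindings::class` in the `web` group and after `'bindings'` in the `api` group, so implicit route-model binding runs before SpaceCheck has validated the Host against `app.root_host` and set `app.sip_domain`. If any bound model is scoped by those config values or by the current space (not visible here), the lookup sees the pre-check state; placing `'space.check'` ahead of the binding entries removes that ordering dependency. Either way a comment on the new entries, `// runs after bindings: bound models must not depend on the resolved space`, would record the choice. The `web` group now mixes fully-qualified class names with the `space.check` alias, and the class `Kernel` continues outside the hunk.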
@@ -15,7 +15,7 @@ class SpaceCheck
 return abort(503, 'APP_ROOT_HOST is not configured');
 }
- $space = space();
+ $space = space(reload: true);
 if ($space != null) {
 if (!str_ends_with($space->host, config('app.root_host'))) {
@@ -25,7 +25,7 @@ class SpaceCheck
 Config::set('app.url', '://' . $space->host);
 Config::set('app.sip_domain', $space->domain);
- if ($request->user() && !$request->user()->superAdmin && $space?->isExpired()) {
+ if ($space->isExpired()) {
 abort($request->expectsJson() ? 403 : 490, 'The related Space has expired');
 }
diff --git a/flexiapi/routes/api.php b/flexiapi/routes/api.php
index ec4b468..91e3c7f 100644
--- a/flexiapi/routes/api.php
+++ b/flexiapi/routes/api.php
@@ -54,7 +54,7 @@ Route::get('accounts/me/api_key/{auth_token}', 'Api\Account\ApiKeyController@gen
 Route::get('phone_countries', 'Api\PhoneCountryController@index');
-Route::group(['middleware' => ['auth.jwt', 'auth.digest_or_key', 'auth.check_blocked', 'space.check']], function () {
+Route::group(['middleware' => ['auth.jwt', 'auth.digest_or_key', 'auth.check_blocked']], function () {
 Route::get('accounts/auth_token/{auth_token}/attach', 'Api\Account\AuthTokenController@attach');
 Route::post('account_creation_tokens/consume', 'Api\Account\CreationTokenController@consume');
diff --git a/flexiapi/routes/web.php b/flexiapi/routes/web.php
index 8416181..37076c6 100644
--- a/flexiapi/routes/web.php
+++ b/flexiapi/routes/web.php
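Review bot: `$space = space(reload: true);` bypasses whatever caching `space()` did, and since this commit also moves the middleware into the `web` and `api` kernel groups, every request now pays a fresh lookup keyed on the incoming Host (the helper is not visible here, so the cost is inferred rather than seen). Worth a comment stating why the reload is required, e.g. `// reload: the space may have been modified (e.g. un-expired) since the last lookup`. The null path is also unresolved from this hunk: only a space that was found is validated (`if ($space != null)`), and whether a Host that matches no space is rejected or passes through with the default config is not shown. `$space != null` would read better as the strict `$space !== null`. The method continues outside the hunk.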
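Review bot: `if ($space->isExpired())` drops the super-admin exemption, so an expired space now aborts every request sent to that host, including a super admin's own attempt to renew it; the updated ApiSpaceWithMiddlewareTest accordingly routes the super admin's calls through its own host instead. That is a deliberate behaviour change worth stating on the line, e.g. `// Expired spaces are blocked for everyone; they are managed from another (root) space host`. The non-standard `490` status on the non-JSON path is a context line here but now reaches far more routes; browsers and proxies treat it as a generic client error, so check that the web panel renders it meaningfully. The method continues outside the hunk.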
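Review bot: removing `'space.check'` from this group changes its ordering, not just its location: from the `api` kernel group it now runs before `auth.jwt`, `auth.digest_or_key` and `auth.check_blocked`, so `$request->user()` is not yet resolved inside SpaceCheck and an expired or unknown space is answered before any credential check. That is consistent with the user-based condition dropped in SpaceCheck.php, but it also means the expiry state of a space is returned to unauthenticated callers as a 403. A comment on the group, `// space.check comes from the 'api' kernel group and runs ahead of these auth middlewares`, would keep it from being re-added here later. The group body continues outside the hunk.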
@@ -48,12 +48,10 @@ use App\Http\Controllers\Admin\SpaceController;
 use App\Http\Controllers\Admin\StatisticsController;
 use Illuminate\Support\Facades\Route;
-Route::middleware(['space.check'])->group(function () {
- Route::redirect('/', 'login')->name('account.home');
- Route::get('about', 'AboutController@about')->name('about');
-});
+Route::redirect('/', 'login')->name('account.home');
+Route::get('about', 'AboutController@about')->name('about');
-Route::middleware(['web_panel_enabled', 'space.check'])->group(function () {
+Route::middleware(['web_panel_enabled'])->group(function () {
 Route::get('wizard/{provisioning_token}', 'Account\ProvisioningController@wizard')->name('provisioning.wizard');
 Route::get('login', 'Account\AuthenticateController@login')->name('account.login');
@@ -90,7 +88,7 @@ Route::name('provisioning.')->prefix('provisioning')->controller(ProvisioningCon
 Route::get('/', 'show')->name('show');
 });
-Route::middleware(['web_panel_enabled', 'space.check'])->group(function () {
+Route::middleware(['web_panel_enabled'])->group(function () {
 Route::middleware(['public_registration'])->group(function () {
 Route::redirect('register', 'register/email')->name('account.register');
diff --git a/flexiapi/tests/Feature/ApiSpaceWithMiddlewareTest.php b/flexiapi/tests/Feature/ApiSpaceWithMiddlewareTest.php
index bda973b..233a610 100644
--- a/flexiapi/tests/Feature/ApiSpaceWithMiddlewareTest.php
+++ b/flexiapi/tests/Feature/ApiSpaceWithMiddlewareTest.php
@@ -42,9 +42,7 @@ class ApiSpaceWithMiddlewareTest extends TestCaseWithSpaceMiddleware
 // Try to create a new user as an admin
 $admin->generateUserApiKey();
- config()->set('app.root_host', $admin->domain);
-
- space(reload: true);
+ config()->set('app.root_host', $superAdmin->space->host);
 $this->keyAuthenticated($admin)
 ->json($this->method, 'http://' . $admin->domain . $this->accountRoute, [
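Review bot: after this hunk and the second one at `@@ -90,7 +88,7 @@`, nothing in routes/web.php shows that SpaceCheck still applies; coverage now rests entirely on this file being loaded with the `web` group from Kernel.php. Routes registered elsewhere, or any group that later uses `withoutMiddleware`, drop the check without any local signal. A one-line comment next to the `use` statements, `// SpaceCheck is applied globally through the 'web' middleware group in Kernel.php`, would document that dependency. The `provisioning` group visible at the start of the second hunk is now covered too, which appears to be the intent of the commit title. The `web_panel_enabled` group opened at the end of this hunk continues outside it.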
@@ -55,19 +53,19 @@ class ApiSpaceWithMiddlewareTest extends TestCaseWithSpaceMiddleware
 // Unexpire the space and try again
 $space = $this->keyAuthenticated($superAdmin)
- ->get($this->route . '/' . $admin->domain)
+ ->get('http://' . $superAdmin->domain . $this->route . '/' . $admin->domain)
 ->json();
 $space['expire_at'] = Carbon::tomorrow()->toDateTimeString();
 $this->keyAuthenticated($superAdmin)
- ->json('PUT', $this->route . '/' . $admin->domain, $space)
+ ->json('PUT', 'http://' . $superAdmin->domain . $this->route . '/' . $admin->domain, $space)
 ->assertStatus(200);
 space(reload: true);
 $this->keyAuthenticated($admin)
- ->json($this->method, $this->accountRoute, [
+ ->json($this->method, 'http://' . $admin->domain . $this->accountRoute, [
 'username' => 'new',
 'algorithm' => 'SHA-256',
 'password' => '123456',
diff --git a/flexiapi/tests/Feature/ApiStatisticsTest.php b/flexiapi/tests/Feature/ApiStatisticsTest.php
index c988006..92e0512 100644
--- a/flexiapi/tests/Feature/ApiStatisticsTest.php
+++ b/flexiapi/tests/Feature/ApiStatisticsTest.php
@@ -39,7 +39,7 @@ class ApiStatisticsTest extends TestCase
 $id = '1234';
 $fromUsername = 'username';
- $fromDomain = 'domain.com';
+ $fromDomain = $admin->domain;
 $account = Account::factory()->create([
 'username' => $fromUsername,
@@ -132,9 +132,9 @@ class ApiStatisticsTest extends TestCase
 $id = '1234';
 $fromUsername = 'username';
- $fromDomain = 'domain.com';
+ $fromDomain = $admin->domain;
 $toUsername = 'usernameto';
- $toDomain = 'domainto.com';
+ $toDomain = $admin->domain;
 $account = Account::factory()->create([
 'username' => $fromUsername,
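Review bot: `space(reload: true);` between the PUT and the admin's retry is now redundant, because SpaceCheck itself reloads the space on every request since this commit; it can be dropped, or kept with a comment saying it only refreshes the test process's own view, e.g. `// refresh the test-side space object; the middleware reloads on its own`. The `'http://' . $superAdmin->domain . ...` and `'http://' . $admin->domain . ...` prefixes are repeated four times in this hunk and once in the previous one; a small private helper that builds `'http://' . $account->domain . $path` would make the host-dependence of each call explicit and keep the scheme in one place. The test method continues outside the hunk.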
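Review bot: `$toDomain = $admin->domain;` makes sender and recipient share one domain, so this test no longer covers the cross-domain statistics case that `'domainto.com'` exercised before. The change is presumably forced by the statistics now being scoped to the space that SpaceCheck resolves from the request Host (the assertions are outside the hunk, so this is inferred); if cross-domain messages remain a supported case, a second space fixture should provide `$toDomain` instead of reusing the admin's. A comment such as `// both sides use the admin's space; unknown domains are no longer visible through SpaceCheck` would record why the fixed domains were dropped. The method continues outside the hunk.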