Skip to content

Commit

Permalink
feat: Add password broker handling to auth override
Browse files Browse the repository at this point in the history
  • Loading branch information
ollieread committed Nov 18, 2024
1 parent d3c1f56 commit dab2eaa
Show file tree
Hide file tree
Showing 3 changed files with 287 additions and 1 deletion.
152 changes: 152 additions & 0 deletions src/Overrides/Auth/TenantAwareDatabaseTokenRepository.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,152 @@
<?php
declare(strict_types=1);

namespace Sprout\Overrides\Auth;

use Illuminate\Auth\Passwords\DatabaseTokenRepository;
use Illuminate\Contracts\Auth\CanResetPassword as CanResetPasswordContract;
use Illuminate\Database\Query\Builder;
use Illuminate\Support\Carbon;
use SensitiveParameter;
use Sprout\Exceptions\TenancyMissing;
use Sprout\Exceptions\TenantMissing;
use function Sprout\sprout;

/**
* Tenant Aware Database Token Repository
*
* This is a database token repository that wraps the default
* {@see \Illuminate\Auth\Passwords\DatabaseTokenRepository} to query based on
* the current tenant.
*
* @package Overrides
*/
class TenantAwareDatabaseTokenRepository extends DatabaseTokenRepository
{
/**
* Build the record payload for the table.
*
* @param string $email
* @param string $token
*
* @return array<string, mixed>
*
* @throws \Sprout\Exceptions\TenancyMissing
* @throws \Sprout\Exceptions\TenantMissing
*/
protected function getPayload($email, #[SensitiveParameter] $token): array

Check warning on line 37 in src/Overrides/Auth/TenantAwareDatabaseTokenRepository.php

View check run for this annotation

Codecov / codecov/patch

src/Overrides/Auth/TenantAwareDatabaseTokenRepository.php#L37

Added line #L37 was not covered by tests
{
$tenancy = sprout()->getCurrentTenancy();

Check warning on line 39 in src/Overrides/Auth/TenantAwareDatabaseTokenRepository.php

View check run for this annotation

Codecov / codecov/patch

src/Overrides/Auth/TenantAwareDatabaseTokenRepository.php#L39

Added line #L39 was not covered by tests

if ($tenancy === null) {
throw TenancyMissing::make();

Check warning on line 42 in src/Overrides/Auth/TenantAwareDatabaseTokenRepository.php

View check run for this annotation

Codecov / codecov/patch

src/Overrides/Auth/TenantAwareDatabaseTokenRepository.php#L41-L42

Added lines #L41 - L42 were not covered by tests
}

if (! $tenancy->check()) {
throw TenantMissing::make($tenancy->getName());

Check warning on line 46 in src/Overrides/Auth/TenantAwareDatabaseTokenRepository.php

View check run for this annotation

Codecov / codecov/patch

src/Overrides/Auth/TenantAwareDatabaseTokenRepository.php#L45-L46

Added lines #L45 - L46 were not covered by tests
}

return [
'tenancy' => $tenancy->getName(),
'tenant_id' => $tenancy->key(),
'email' => $email,
'token' => $this->hasher->make($token),
'created_at' => new Carbon(),
];

Check warning on line 55 in src/Overrides/Auth/TenantAwareDatabaseTokenRepository.php

View check run for this annotation

Codecov / codecov/patch

src/Overrides/Auth/TenantAwareDatabaseTokenRepository.php#L49-L55

Added lines #L49 - L55 were not covered by tests
}

/**
* Get the tenanted query
*
* @param string $email
*
* @return \Illuminate\Database\Query\Builder
*
* @throws \Sprout\Exceptions\TenancyMissing
* @throws \Sprout\Exceptions\TenantMissing
*/
protected function getTenantedQuery(string $email): Builder

Check warning on line 68 in src/Overrides/Auth/TenantAwareDatabaseTokenRepository.php

View check run for this annotation

Codecov / codecov/patch

src/Overrides/Auth/TenantAwareDatabaseTokenRepository.php#L68

Added line #L68 was not covered by tests
{
$tenancy = sprout()->getCurrentTenancy();

Check warning on line 70 in src/Overrides/Auth/TenantAwareDatabaseTokenRepository.php

View check run for this annotation

Codecov / codecov/patch

src/Overrides/Auth/TenantAwareDatabaseTokenRepository.php#L70

Added line #L70 was not covered by tests

if ($tenancy === null) {
throw TenancyMissing::make();

Check warning on line 73 in src/Overrides/Auth/TenantAwareDatabaseTokenRepository.php

View check run for this annotation

Codecov / codecov/patch

src/Overrides/Auth/TenantAwareDatabaseTokenRepository.php#L72-L73

Added lines #L72 - L73 were not covered by tests
}

if (! $tenancy->check()) {
throw TenantMissing::make($tenancy->getName());

Check warning on line 77 in src/Overrides/Auth/TenantAwareDatabaseTokenRepository.php

View check run for this annotation

Codecov / codecov/patch

src/Overrides/Auth/TenantAwareDatabaseTokenRepository.php#L76-L77

Added lines #L76 - L77 were not covered by tests
}

return $this->getTable()
->where('tenancy', $tenancy->getName())
->where('tenant_id', $tenancy->key())
->where('email', $email);

Check warning on line 83 in src/Overrides/Auth/TenantAwareDatabaseTokenRepository.php

View check run for this annotation

Codecov / codecov/patch

src/Overrides/Auth/TenantAwareDatabaseTokenRepository.php#L80-L83

Added lines #L80 - L83 were not covered by tests
}

/**
* Get the record for a user
*
* @param \Illuminate\Contracts\Auth\CanResetPassword $user
*
* @return object|null
*
* @throws \Sprout\Exceptions\TenancyMissing
* @throws \Sprout\Exceptions\TenantMissing
*/
protected function getExistingTenantedRecord(CanResetPasswordContract $user): ?object

Check warning on line 96 in src/Overrides/Auth/TenantAwareDatabaseTokenRepository.php

View check run for this annotation

Codecov / codecov/patch

src/Overrides/Auth/TenantAwareDatabaseTokenRepository.php#L96

Added line #L96 was not covered by tests
{
return $this->getTenantedQuery($user->getEmailForPasswordReset())->first();

Check warning on line 98 in src/Overrides/Auth/TenantAwareDatabaseTokenRepository.php

View check run for this annotation

Codecov / codecov/patch

src/Overrides/Auth/TenantAwareDatabaseTokenRepository.php#L98

Added line #L98 was not covered by tests
}

/**
* Delete all existing reset tokens from the database.
*
* @param \Illuminate\Contracts\Auth\CanResetPassword $user
*
* @return int
*
* @throws \Sprout\Exceptions\TenancyMissing
* @throws \Sprout\Exceptions\TenantMissing
*/
protected function deleteExisting(CanResetPasswordContract $user): int

Check warning on line 111 in src/Overrides/Auth/TenantAwareDatabaseTokenRepository.php

View check run for this annotation

Codecov / codecov/patch

src/Overrides/Auth/TenantAwareDatabaseTokenRepository.php#L111

Added line #L111 was not covered by tests
{
return $this->getTenantedQuery($user->getEmailForPasswordReset())->delete();

Check warning on line 113 in src/Overrides/Auth/TenantAwareDatabaseTokenRepository.php

View check run for this annotation

Codecov / codecov/patch

src/Overrides/Auth/TenantAwareDatabaseTokenRepository.php#L113

Added line #L113 was not covered by tests
}

/**
* Determine if a token record exists and is valid.
*
* @param \Illuminate\Contracts\Auth\CanResetPassword $user
* @param string $token
*
* @return bool
*
* @throws \Sprout\Exceptions\TenancyMissing
* @throws \Sprout\Exceptions\TenantMissing
*/
public function exists(CanResetPasswordContract $user, #[SensitiveParameter] $token): bool

Check warning on line 127 in src/Overrides/Auth/TenantAwareDatabaseTokenRepository.php

View check run for this annotation

Codecov / codecov/patch

src/Overrides/Auth/TenantAwareDatabaseTokenRepository.php#L127

Added line #L127 was not covered by tests
{
$record = (array)$this->getExistingTenantedRecord($user);

Check warning on line 129 in src/Overrides/Auth/TenantAwareDatabaseTokenRepository.php

View check run for this annotation

Codecov / codecov/patch

src/Overrides/Auth/TenantAwareDatabaseTokenRepository.php#L129

Added line #L129 was not covered by tests

return $record &&
! $this->tokenExpired($record['created_at']) &&
$this->hasher->check($token, $record['token']);

Check warning on line 133 in src/Overrides/Auth/TenantAwareDatabaseTokenRepository.php

View check run for this annotation

Codecov / codecov/patch

src/Overrides/Auth/TenantAwareDatabaseTokenRepository.php#L131-L133

Added lines #L131 - L133 were not covered by tests
}

/**
* Determine if the given user recently created a password reset token.
*
* @param \Illuminate\Contracts\Auth\CanResetPassword $user
*
* @return bool
*
* @throws \Sprout\Exceptions\TenancyMissing
* @throws \Sprout\Exceptions\TenantMissing
*/
public function recentlyCreatedToken(CanResetPasswordContract $user): bool

Check warning on line 146 in src/Overrides/Auth/TenantAwareDatabaseTokenRepository.php

View check run for this annotation

Codecov / codecov/patch

src/Overrides/Auth/TenantAwareDatabaseTokenRepository.php#L146

Added line #L146 was not covered by tests
{
$record = (array)$this->getExistingTenantedRecord($user);

Check warning on line 148 in src/Overrides/Auth/TenantAwareDatabaseTokenRepository.php

View check run for this annotation

Codecov / codecov/patch

src/Overrides/Auth/TenantAwareDatabaseTokenRepository.php#L148

Added line #L148 was not covered by tests

return $record && $this->tokenRecentlyCreated($record['created_at']);

Check warning on line 150 in src/Overrides/Auth/TenantAwareDatabaseTokenRepository.php

View check run for this annotation

Codecov / codecov/patch

src/Overrides/Auth/TenantAwareDatabaseTokenRepository.php#L150

Added line #L150 was not covered by tests
}
}
73 changes: 73 additions & 0 deletions src/Overrides/Auth/TenantAwarePasswordBrokerManager.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,73 @@
<?php
declare(strict_types=1);

namespace Sprout\Overrides\Auth;

use Illuminate\Auth\Passwords\CacheTokenRepository;
use Illuminate\Auth\Passwords\PasswordBrokerManager;
use Illuminate\Auth\Passwords\TokenRepositoryInterface;

/**
* Tenant Aware Password Broker Manager
*
* This is an override of the default password broker manager to make it
* create a tenant-aware {@see \Illuminate\Auth\Passwords\TokenRepositoryInterface}.
*
* This is an unfortunate necessity as there's no other way to control the
* token repository that is created.
*
* @package Overrides
*/
class TenantAwarePasswordBrokerManager extends PasswordBrokerManager
{
/**
* Create a token repository instance based on the current configuration.
*
* @param array<string, mixed> $config
*
* @return \Illuminate\Auth\Passwords\TokenRepositoryInterface
*/
protected function createTokenRepository(array $config): TokenRepositoryInterface

Check warning on line 30 in src/Overrides/Auth/TenantAwarePasswordBrokerManager.php

View check run for this annotation

Codecov / codecov/patch

src/Overrides/Auth/TenantAwarePasswordBrokerManager.php#L30

Added line #L30 was not covered by tests
{
// @phpstan-ignore-next-line
$key = $this->app['config']['app.key'];

Check warning on line 33 in src/Overrides/Auth/TenantAwarePasswordBrokerManager.php

View check run for this annotation

Codecov / codecov/patch

src/Overrides/Auth/TenantAwarePasswordBrokerManager.php#L33

Added line #L33 was not covered by tests

if (str_starts_with($key, 'base64:')) {
$key = base64_decode(substr($key, 7));

Check warning on line 36 in src/Overrides/Auth/TenantAwarePasswordBrokerManager.php

View check run for this annotation

Codecov / codecov/patch

src/Overrides/Auth/TenantAwarePasswordBrokerManager.php#L35-L36

Added lines #L35 - L36 were not covered by tests
}

if (isset($config['driver']) && $config['driver'] === 'cache') {
return new CacheTokenRepository(
$this->app['cache']->store($config['store'] ?? null), // @phpstan-ignore-line
$this->app['hash'], // @phpstan-ignore-line
$key,
($config['expire'] ?? 60) * 60,
$config['throttle'] ?? 0, // @phpstan-ignore-line
$config['prefix'] ?? '', // @phpstan-ignore-line
);

Check warning on line 47 in src/Overrides/Auth/TenantAwarePasswordBrokerManager.php

View check run for this annotation

Codecov / codecov/patch

src/Overrides/Auth/TenantAwarePasswordBrokerManager.php#L39-L47

Added lines #L39 - L47 were not covered by tests
}

$connection = $config['connection'] ?? null;

Check warning on line 50 in src/Overrides/Auth/TenantAwarePasswordBrokerManager.php

View check run for this annotation

Codecov / codecov/patch

src/Overrides/Auth/TenantAwarePasswordBrokerManager.php#L50

Added line #L50 was not covered by tests

return new TenantAwareDatabaseTokenRepository(
$this->app['db']->connection($connection), // @phpstan-ignore-line
$this->app['hash'], // @phpstan-ignore-line
$config['table'], // @phpstan-ignore-line
$key,
$config['expire'],// @phpstan-ignore-line
$config['throttle'] ?? 0// @phpstan-ignore-line
);

Check warning on line 59 in src/Overrides/Auth/TenantAwarePasswordBrokerManager.php

View check run for this annotation

Codecov / codecov/patch

src/Overrides/Auth/TenantAwarePasswordBrokerManager.php#L52-L59

Added lines #L52 - L59 were not covered by tests
}

/**
* Flush the resolved brokers
*
* @return $this
*/
public function flush(): self
{
$this->brokers = [];

return $this;
}
}
63 changes: 62 additions & 1 deletion src/Overrides/AuthOverride.php
Original file line number Diff line number Diff line change
Expand Up @@ -4,9 +4,14 @@
namespace Sprout\Overrides;

use Illuminate\Auth\AuthManager;
use Illuminate\Contracts\Foundation\Application;
use Sprout\Contracts\BootableServiceOverride;
use Sprout\Contracts\DeferrableServiceOverride;
use Sprout\Contracts\ServiceOverride;
use Sprout\Contracts\Tenancy;
use Sprout\Contracts\Tenant;
use Sprout\Overrides\Auth\TenantAwarePasswordBrokerManager;
use Sprout\Sprout;

/**
* Auth Override
Expand All @@ -16,7 +21,7 @@
*
* @package Overrides
*/
final class AuthOverride implements ServiceOverride
final class AuthOverride implements ServiceOverride, BootableServiceOverride, DeferrableServiceOverride
{
/**
* @var \Illuminate\Auth\AuthManager
Expand All @@ -33,6 +38,44 @@ public function __construct(AuthManager $authManager)
$this->authManager = $authManager;
}

/**
* Get the service to watch for before overriding
*
* @return string
*/
public static function service(): string
{
return AuthManager::class;
}

/**
* Boot a service override
*
* This method should perform any initial steps required for the service
* override that take place during the booting of the framework.
*
* @param \Illuminate\Contracts\Foundation\Application&\Illuminate\Foundation\Application $app
* @param \Sprout\Sprout $sprout
*
* @return void
*/
public function boot(Application $app, Sprout $sprout): void
{
// Although this isn't strictly necessary, this is here to tidy up
// the list of deferred services, just in case there's some weird gotcha
// somewhere that causes the provider to be loaded anyway.
// We'll remove the two services we're about to bind against.
$app->removeDeferredServices(['auth.password', 'auth.password.broker']);

// This is the actual thing we need.
$app->singleton('auth.password', function ($app) {
return new TenantAwarePasswordBrokerManager($app);
});

// I would ideally also like to mark the password reset service provider
// as loaded here, but that method is protected.
}

/**
* Set up the service override
*
Expand All @@ -48,6 +91,7 @@ public function __construct(AuthManager $authManager)
public function setup(Tenancy $tenancy, Tenant $tenant): void
{
$this->forgetGuards();
$this->flushPasswordBrokers();
}

/**
Expand All @@ -69,6 +113,7 @@ public function setup(Tenancy $tenancy, Tenant $tenant): void
public function cleanup(Tenancy $tenancy, Tenant $tenant): void
{
$this->forgetGuards();
$this->flushPasswordBrokers();

Check warning on line 116 in src/Overrides/AuthOverride.php

View check run for this annotation

Codecov / codecov/patch

src/Overrides/AuthOverride.php#L116

Added line #L116 was not covered by tests
}

/**
Expand All @@ -82,4 +127,20 @@ private function forgetGuards(): void
$this->authManager->forgetGuards();
}
}

/**
* Flush all password brokers
*
* @return void
*/
private function flushPasswordBrokers(): void
{
/** @var \Illuminate\Auth\Passwords\PasswordBrokerManager $passwordBroker */
$passwordBroker = app('auth.password');

// The flush method only exists on our custom implementation
if ($passwordBroker instanceof TenantAwarePasswordBrokerManager) {
$passwordBroker->flush();
}
}
}

0 comments on commit dab2eaa

Please sign in to comment.