i hate cors

2021-12-22 00:22:54 -05:00 · 2021-12-22 00:22:54 -05:00 · 44c28080d0
parent 4723884800
commit 44c28080d0
9 changed files with 92 additions and 19 deletions
--- a/web/app/Http/Controllers/MaintenanceController.php
+++ b/web/app/Http/Controllers/MaintenanceController.php
@ -0,0 +1,69 @@
+<?php
+
+namespace App\Http\Controllers;
+
+use App\Models\WebsiteConfiguration;
+
+use Illuminate\Http\Request;
+use Illuminate\Support\Carbon;
+use Symfony\Component\HttpFoundation\Cookie;
+
+class MaintenanceController extends Controller
+{
+	/**
+     * Handles the maintenance bypass request.
+     *
+     * @return Response
+     */
+	public function bypass(Request $request)
+	{
+		$password = $request->input('password');
+		$buttons = $request->input('buttons');
+		
+		if($password && $buttons)
+		{
+			$mtconf = json_decode(WebsiteConfiguration::whereName('MaintenancePassword')->first()->value);
+			
+			if($password == $mtconf->password)
+			{
+				$btns = array_slice($buttons, -count($mtconf->combination));
+				$data = json_decode(file_get_contents(storage_path('framework/down')), true);
+				
+				if(isset($data['secret']) && $btns === $mtconf->combination)
+				{
+					$trustedHosts = explode(',', env('TRUSTED_HOSTS'));
+					$origin = parse_url($request->headers->get('origin'),  PHP_URL_HOST);
+					$passCheck = false;
+					
+					foreach($trustedHosts as &$host)
+					{
+						if(str_ends_with($origin, $host))
+							$passCheck = true;
+					}
+					
+					$expiresAt = Carbon::now()->addHours(24);
+					$bypassCookie = new Cookie('gt_constraint', base64_encode(json_encode([
+						'expires_at' => $expiresAt->getTimestamp(),
+						'mac' => hash_hmac('SHA256', $expiresAt->getTimestamp(), $data['secret']),
+					])), $expiresAt);
+					
+					if($passCheck)
+						$bypassCookie = $bypassCookie->withDomain('.' . $origin);
+					
+					return response('')
+							->withCookie($bypassCookie);
+				}
+			}
+			
+			return response('')
+					->setStatusCode(403);
+		}
+		else
+		{
+			return response('{"errors":[{"code":400,"message":"BadRequest"}]}')
+					->setStatusCode(400)
+					->header('Cache-Control', 'private')
+					->header('Content-Type', 'application/json; charset=utf-8');
+		}
+	}
+}
--- a/web/app/Http/Middleware/Cors.php
+++ b/web/app/Http/Middleware/Cors.php
@ -34,6 +34,8 @@ class Cors
 					->setStatusCode(204)
 					->header('Access-Control-Allow-Origin', $allowedOrigin)
 					->header('Access-Control-Allow-Methods', '*')
+					->header('Access-Control-Allow-Headers', '*')
+					->header('Access-Control-Allow-Credentials', 'true')
 					->header('Access-Control-Max-Age', '86400');
 		}
 		
@ -43,6 +45,10 @@ class Cors
 		{
 			$nextClosure
 				->header('Access-Control-Allow-Origin', $allowedOrigin)
+				->header('Access-Control-Allow-Methods', '*')
+				->header('Access-Control-Allow-Headers', '*')
+				->header('Access-Control-Allow-Credentials', 'true')
+				->header('Access-Control-Max-Age', '86400')
 				->header('Vary', 'origin');
 		}
 		
--- a/web/app/Http/Middleware/PreventRequestsDuringMaintenance.php
+++ b/web/app/Http/Middleware/PreventRequestsDuringMaintenance.php
@ -39,19 +39,14 @@ class PreventRequestsDuringMaintenance
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
-     * @param  string  $group
     * @return mixed
     *
     * @throws \Symfony\Component\HttpKernel\Exception\HttpException
     */
-    public function handle($request, Closure $next, $group = null)
+    public function handle($request, Closure $next)
    {
        if ($this->app->isDownForMaintenance()) {
            $data = json_decode(file_get_contents($this->app->storagePath().'/framework/down'), true);
-
-            if (isset($data['secret']) && $request->path() === $data['secret']) {
-                return $this->bypassResponse($data['secret']);
-            }
 			
            if ($this->hasValidBypassCookie($request, $data) ||
                $this->inExceptArray($request)) {
@ -76,9 +71,9 @@ class PreventRequestsDuringMaintenance
    protected function hasValidBypassCookie($request, array $data)
    {
        return isset($data['secret']) &&
-                $request->cookie('laravel_maintenance') &&
+                $request->cookie('gt_constraint') &&
                MaintenanceModeBypassCookie::isValid(
-                    $request->cookie('laravel_maintenance'),
+                    $request->cookie('gt_constraint'),
                    $data['secret']
                );
    }
--- a/web/app/Providers/RouteServiceProvider.php
+++ b/web/app/Providers/RouteServiceProvider.php
@ -18,7 +18,9 @@ class RouteServiceProvider extends ServiceProvider
     * @var string
     */
    public const HOME = '/home';
-
+	
+	protected $namespace = 'App\Http\Controllers';
+	
    /**
     * The controller namespace for the application.
     *
--- a/web/database/seeders/WebConfigurationSeeder.php
+++ b/web/database/seeders/WebConfigurationSeeder.php
@ -19,7 +19,7 @@ class WebConfigurationSeeder extends Seeder
 			'name' => 'MaintenancePassword',
 			'value' => json_encode(
 				[
-					'combination' => ['g','t','o','r','i','a'],
+					'combination' => [0,7,8,9,10,11],
 					'password' => '@bs0lut3lyM@55!v3P@55w0rd'
 				])
 		]); // please please please please please please please change the default password
--- a/web/resources/js/layouts/App.js
+++ b/web/resources/js/layouts/App.js
@ -25,6 +25,8 @@ import { Copyright } from '../Pages/Legal/Copyright.js';
 import { Privacy } from '../Pages/Legal/Privacy.js';
 import { Terms } from '../Pages/Legal/Terms.js';

+axios.defaults.withCredentials = true
+
 var url = Config.BaseUrl.replace('http://', '');
 var protocol = Config.Protocol;

--- a/web/resources/js/pages/Games.js
+++ b/web/resources/js/pages/Games.js
@ -31,9 +31,10 @@ class Games extends React.Component {
 		
 		SetTitle('Games');

-		axios.get(protocol + 'apis.' + url + '/games/metadata').then((response) => {
-			app.setState({loading: !(response.data.available == false), offline: !response.data.available});
-		});
+		axios.get(protocol + 'apis.' + url + '/games/metadata')
+			.then((response) => {
+				app.setState({loading: !(response.data.available == false), offline: !response.data.available});
+			});
 	}
 	
 	render()
--- a/web/resources/js/pages/Maintenance.js
+++ b/web/resources/js/pages/Maintenance.js
@ -43,7 +43,7 @@ function DoButton(position, state)
 			'buttons': ButtonHistory
 		})
 		.then((response) => {
-			console.log(response);
+			window.location.reload();
 		});
 }

--- a/web/routes/apis.php
+++ b/web/routes/apis.php
@ -20,13 +20,11 @@ Route::get('/', function(){
 	return 'API OK';
 });

-Route::get('/banners/data', [BannerController::class, 'getBanners']);
+Route::get('/banners/data', 'BannerController@getBanners');

-Route::get('/games/metadata', [GamesController::class, 'isAvailable']);
+Route::get('/games/metadata', 'GamesController@isAvailable');

-Route::post('/maintenance/bypass', function(){
-	return 'test';
-});
+Route::post('/maintenance/bypass', 'MaintenanceController@bypass');

 Route::fallback(function(){
 	return response('{"errors":[{"code":404,"message":"NotFound"}]}', 404)