From 44c28080d00d1f27bdf65bebedad9cfee27f7232 Mon Sep 17 00:00:00 2001
From: gtoriadotnet
Date: Wed, 22 Dec 2021 00:22:54 -0500
Subject: [PATCH] i hate cors
---
 .../Controllers/MaintenanceController.php | 69 +++++++++++++++++++
 web/app/Http/Middleware/Cors.php | 6 ++
 .../PreventRequestsDuringMaintenance.php | 11 +--
 web/app/Providers/RouteServiceProvider.php | 4 +-
 .../seeders/WebConfigurationSeeder.php | 2 +-
 web/resources/js/layouts/App.js | 2 +
 web/resources/js/pages/Games.js | 7 +-
 web/resources/js/pages/Maintenance.js | 2 +-
 web/routes/apis.php | 8 +--
 9 files changed, 92 insertions(+), 19 deletions(-)
 create mode 100644 web/app/Http/Controllers/MaintenanceController.php
diff --git a/web/app/Http/Controllers/MaintenanceController.php b/web/app/Http/Controllers/MaintenanceController.php
new file mode 100644
index 0000000..e2efe8a
--- /dev/null
+++ b/web/app/Http/Controllers/MaintenanceController.php
@@ -0,0 +1,69 @@
+input('password');
+ $buttons = $request->input('buttons');
+
+ if($password && $buttons)
+ {
+ $mtconf = json_decode(WebsiteConfiguration::whereName('MaintenancePassword')->first()->value);
+
+ if($password == $mtconf->password)
+ {
+ $btns = array_slice($buttons, -count($mtconf->combination));
+ $data = json_decode(file_get_contents(storage_path('framework/down')), true);
+
+ if(isset($data['secret']) && $btns === $mtconf->combination)
+ {
+ $trustedHosts = explode(',', env('TRUSTED_HOSTS'));
+ $origin = parse_url($request->headers->get('origin'), PHP_URL_HOST);
+ $passCheck = false;
+
+ foreach($trustedHosts as &$host)
+ {
+ if(str_ends_with($origin, $host))
+ $passCheck = true;
+ }
+
+ $expiresAt = Carbon::now()->addHours(24);
+ $bypassCookie = new Cookie('gt_constraint', base64_encode(json_encode([
+ 'expires_at' => $expiresAt->getTimestamp(),
+ 'mac' => hash_hmac('SHA256', $expiresAt->getTimestamp(), $data['secret']),
+ ])), $expiresAt);
+
+ if($passCheck)
+ $bypassCookie = $bypassCookie->withDomain('.' . $origin);
+
+ return response('')
+ ->withCookie($bypassCookie);
+ }
+ }
+
+ return response('')
+ ->setStatusCode(403);
+ }
+ else
+ {
+ return response('{"errors":[{"code":400,"message":"BadRequest"}]}')
+ ->setStatusCode(400)
+ ->header('Cache-Control', 'private')
+ ->header('Content-Type', 'application/json; charset=utf-8');
+ }
+ }
+}
diff --git a/web/app/Http/Middleware/Cors.php b/web/app/Http/Middleware/Cors.php
index 782c590..298c6d3 100644
--- a/web/app/Http/Middleware/Cors.php
+++ b/web/app/Http/Middleware/Cors.php
@@ -34,6 +34,8 @@ class Cors
 ->setStatusCode(204)
 ->header('Access-Control-Allow-Origin', $allowedOrigin)
 ->header('Access-Control-Allow-Methods', '*')
+ ->header('Access-Control-Allow-Headers', '*')
+ ->header('Access-Control-Allow-Credentials', 'true')
 ->header('Access-Control-Max-Age', '86400');
 }
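Review bot: `if($password == $mtconf->password)` is a loose comparison on raw request input, so a JSON body with `"password": true` satisfies it against any non-empty stored password (PHP compares a bool against a string by converting the string to bool) and also passes `if($password && $buttons)`, leaving only the button combination to guess; use `if(is_string($password) && is_array($buttons))` for the outer guard and `if(hash_equals((string) $mtconf->password, $password))` for the comparison. The trusted-host check is weaker than it looks: when `TRUSTED_HOSTS` is unset, or `env()` returns null because the config is cached, `explode` yields `['']` and `str_ends_with($origin, '')` is true for every Origin, and without a dot boundary `evilexample.com` also satisfies `example.com`. The `foreach ... as &$host` reference is never `unset`, and `parse_url(null)` is reached whenever the Origin header is absent. The rewritten guard and host loop are below; the method signature and file header are outside this hunk (the page shows the hunk cut at `input('password')`), so the `hash_equals` line assumes `$mtconf->password` is the stored string.
```php
if(is_string($password) && is_array($buttons))
{
    // … unchanged: load $mtconf …
    if(hash_equals((string) $mtconf->password, $password))
    {
        // … unchanged: $btns / $data …
        if(isset($data['secret']) && $btns === $mtconf->combination)
        {
            // empty TRUSTED_HOSTS must mean "no host is trusted", not "every host"
            $trustedHosts = array_filter(array_map('trim', explode(',', (string) env('TRUSTED_HOSTS', ''))));
            $origin = (string) parse_url((string) $request->headers->get('origin', ''), PHP_URL_HOST);
            $passCheck = false;

            foreach($trustedHosts as $host)
            {
                // exact host or a subdomain of it; a bare suffix match lets evilexample.com through
                if($origin === $host || str_ends_with($origin, '.' . $host))
                {
                    $passCheck = true;
                    break;
                }
            }
            // … unchanged: cookie creation and response …
```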
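Review bot: `Access-Control-Allow-Headers: *` and the existing `Access-Control-Allow-Methods: *` stop working the moment `Access-Control-Allow-Credentials: true` is added to this preflight response: for credentialed requests browsers treat `*` in those two headers as a literal token rather than a wildcard, so a preflight for a JSON POST (`Content-Type: application/json`, `X-XSRF-TOKEN`, …) will be rejected. Echo the requested list instead, e.g. `->header('Access-Control-Allow-Headers', $request->headers->get('Access-Control-Request-Headers', ''))` (assuming the middleware's `$request` is in scope here) and name the methods explicitly, such as `'GET, POST, OPTIONS'`. `$allowedOrigin` is computed outside this hunk; `Allow-Credentials: true` must only ever accompany an allow-listed origin, never a reflected or `*` one.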
@@ -43,6 +45,10 @@ class Cors {
 $nextClosure
 ->header('Access-Control-Allow-Origin', $allowedOrigin)
+ ->header('Access-Control-Allow-Methods', '*')
+ ->header('Access-Control-Allow-Headers', '*')
+ ->header('Access-Control-Allow-Credentials', 'true')
+ ->header('Access-Control-Max-Age', '86400')
 ->header('Vary', 'origin');
 }
diff --git a/web/app/Http/Middleware/PreventRequestsDuringMaintenance.php b/web/app/Http/Middleware/PreventRequestsDuringMaintenance.php
index 0eca73c..444821c 100644
--- a/web/app/Http/Middleware/PreventRequestsDuringMaintenance.php
+++ b/web/app/Http/Middleware/PreventRequestsDuringMaintenance.php
@@ -39,19 +39,14 @@ class PreventRequestsDuringMaintenance
 *
 * @param \Illuminate\Http\Request $request
 * @param \Closure $next
- * @param string $group
 * @return mixed
 *
 * @throws \Symfony\Component\HttpKernel\Exception\HttpException
 */
- public function handle($request, Closure $next, $group = null)
+ public function handle($request, Closure $next)
 {
 if ($this->app->isDownForMaintenance()) {
 $data = json_decode(file_get_contents($this->app->storagePath().'/framework/down'), true);
-
- if (isset($data['secret']) && $request->path() === $data['secret']) {
- return $this->bypassResponse($data['secret']);
- }
 if ($this->hasValidBypassCookie($request, $data) || $this->inExceptArray($request)) {
@@ -76,9 +71,9 @@ class PreventRequestsDuringMaintenance
 protected function hasValidBypassCookie($request, array $data)
 {
 return isset($data['secret']) &&
- $request->cookie('laravel_maintenance') &&
+ $request->cookie('gt_constraint') &&
 MaintenanceModeBypassCookie::isValid(
- $request->cookie('laravel_maintenance'),
+ $request->cookie('gt_constraint'),
 $data['secret']
 );
 }
diff --git a/web/app/Providers/RouteServiceProvider.php b/web/app/Providers/RouteServiceProvider.php
index f0029e0..e8d0f79 100644
--- a/web/app/Providers/RouteServiceProvider.php
+++ b/web/app/Providers/RouteServiceProvider.php
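Review bot: `Access-Control-Allow-Credentials: true` is now attached to every actual response together with `$allowedOrigin`, whose derivation is outside this hunk; if that value reflects the request Origin for any host, every cookie-authenticated API response becomes readable cross-origin, so confirm it comes from an allow-list and emit the credentials header only when the origin matched. The added `Allow-Methods`, `Allow-Headers` and `Max-Age` lines are preflight-only headers that browsers do not consult on non-OPTIONS responses; keeping them on the preflight branch alone avoids implying they do something here. `Vary: origin` is correct and must stay so caches do not serve one origin's response to another.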
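Review bot: `$request->cookie('gt_constraint')` is read here in a global middleware, i.e. before `EncryptCookies` runs, whereas the cookie is now issued by a controller response that travels back through whatever middleware the `apis` route group applies; if that group includes `EncryptCookies`, the browser will hold the encrypted form and `MaintenanceModeBypassCookie::isValid` will always fail. Add `'gt_constraint'` to `EncryptCookies::$except`, or confirm the group skips that middleware. With the path-based `secret` bypass removed in the hunk above, this cookie is the only way past maintenance mode, which the method's docblock should now say: `Whether the request carries a valid gt_constraint bypass cookie signed with the maintenance secret.`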
@@ -18,7 +18,9 @@ class RouteServiceProvider extends ServiceProvider
 * @var string
 */
 public const HOME = '/home';
-
+
+ protected $namespace = 'App\Http\Controllers';
+
 /**
 * The controller namespace for the application.
 *
diff --git a/web/database/seeders/WebConfigurationSeeder.php b/web/database/seeders/WebConfigurationSeeder.php
index cbc907f..d3021d7 100644
--- a/web/database/seeders/WebConfigurationSeeder.php
+++ b/web/database/seeders/WebConfigurationSeeder.php
@@ -19,7 +19,7 @@ class WebConfigurationSeeder extends Seeder
 'name' => 'MaintenancePassword',
 'value' => json_encode(
 [
- 'combination' => ['g','t','o','r','i','a'],
+ 'combination' => [0,7,8,9,10,11],
 'password' => '@bs0lut3lyM@55!v3P@55w0rd'
 ])
 ]); // please please please please please please please change the default password
diff --git a/web/resources/js/layouts/App.js b/web/resources/js/layouts/App.js
index f35b0b6..1b134af 100644
--- a/web/resources/js/layouts/App.js
+++ b/web/resources/js/layouts/App.js
@@ -25,6 +25,8 @@ import { Copyright } from '../Pages/Legal/Copyright.js';
 import { Privacy } from '../Pages/Legal/Privacy.js';
 import { Terms } from '../Pages/Legal/Terms.js';
+axios.defaults.withCredentials = true
+
 var url = Config.BaseUrl.replace('http://', '');
 var protocol = Config.Protocol;
diff --git a/web/resources/js/pages/Games.js b/web/resources/js/pages/Games.js
index c95b540..82ef459 100644
--- a/web/resources/js/pages/Games.js
+++ b/web/resources/js/pages/Games.js
@@ -31,9 +31,10 @@ class Games extends React.Component {
 SetTitle('Games');
- axios.get(protocol + 'apis.' + url + '/games/metadata').then((response) => {
- app.setState({loading: !(response.data.available == false), offline: !response.data.available});
- });
+ axios.get(protocol + 'apis.' + url + '/games/metadata')
+ .then((response) => {
+ app.setState({loading: !(response.data.available == false), offline: !response.data.available});
+ });
 }
 render()
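Review bot: The new `'combination' => [0,7,8,9,10,11]` is compared with `===` against the request's `buttons` in `MaintenanceController`, so the values the front end pushes into `ButtonHistory` have to arrive as JSON numbers; if `DoButton` receives positions as strings (from a data attribute, say) the strict array comparison never matches and every attempt ends in 403 — verify against `DoButton`. The comment on the last line should also say the combination, not only the password, needs changing per deployment, since both are visible in this seeder.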
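Review bot: `axios.defaults.withCredentials = true` is process-global, so every axios call the app makes — not only the ones to `protocol + 'apis.' + url` — now carries cookies and is subject to the credentialed-CORS rules; whether any third-party origin is called is not visible in this hunk. Scoping it to an instance, e.g. `const api = axios.create({ baseURL: protocol + 'apis.' + url, withCredentials: true })`, confines cookie-bearing requests to the API host. The added line also drops the terminating semicolon the surrounding statements use.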
diff --git a/web/resources/js/pages/Maintenance.js b/web/resources/js/pages/Maintenance.js
index ce5ea11..e14211d 100644
--- a/web/resources/js/pages/Maintenance.js
+++ b/web/resources/js/pages/Maintenance.js
@@ -43,7 +43,7 @@ function DoButton(position, state)
 'buttons': ButtonHistory
 })
 .then((response) => {
- console.log(response);
+ window.location.reload();
 });
 }
diff --git a/web/routes/apis.php b/web/routes/apis.php
index 83b699b..5d7fc17 100644
--- a/web/routes/apis.php
+++ b/web/routes/apis.php
@@ -20,13 +20,11 @@ Route::get('/', function(){
 return 'API OK';
 });
-Route::get('/banners/data', [BannerController::class, 'getBanners']);
+Route::get('/banners/data', 'BannerController@getBanners');
-Route::get('/games/metadata', [GamesController::class, 'isAvailable']);
+Route::get('/games/metadata', 'GamesController@isAvailable');
-Route::post('/maintenance/bypass', function(){
- return 'test';
-});
+Route::post('/maintenance/bypass', 'MaintenanceController@bypass');
 Route::fallback(function(){
 return response('{"errors":[{"code":404,"message":"NotFound"}]}', 404)
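Review bot: `window.location.reload()` runs only on a 2xx response, but the bypass endpoint answers 400 or 403 for a bad request or a wrong password/combination and axios rejects those, so with no `.catch` on this chain a failed attempt surfaces as an unhandled promise rejection and the user sees nothing. Add `.catch((error) => { /* wrong password or combination: stay on the page */ })` after the `.then`, or push the status into `state` so the UI can react. The enclosing `DoButton` starts above this hunk.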
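Review bot: `/maintenance/bypass` now accepts a password and a button sequence with no rate limiting, so the comparison in `MaintenanceController` can be brute-forced at request speed; attach a limiter on the new line, e.g. `Route::post('/maintenance/bypass', 'MaintenanceController@bypass')->middleware('throttle:5,1');`. Swapping `[Controller::class, 'method']` for `'Controller@method'` strings gives up static resolvability and only works because of the `$namespace` property re-added in `RouteServiceProvider`; the array form would have resolved the new controller without that change. Any route group wrapping these definitions is outside the hunk.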