From 993a2c78238acaf622b61ac4b5f6d64b09ad250b Mon Sep 17 00:00:00 2001
From: James Cole
Date: Tue, 29 Mar 2016 12:23:10 +0200
Subject: [PATCH] New middleware.
---
 app/Http/Kernel.php | 121 +++++++++++++++++++++++++++++++-------------
 app/Http/routes.php | 47 +++++++++--------
 2 files changed, 112 insertions(+), 56 deletions(-)
diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php
index 32fbd669ee..2b00ee5652 100644
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@@ -50,30 +50,39 @@ class Kernel extends HttpKernel
 // does not check login
 // does not check 2fa
 // does not check activation
- 'web' => [
+ 'web' => [
 EncryptCookies::class,
 AddQueuedCookiesToResponse::class,
 StartSession::class,
 ShareErrorsFromSession::class,
 VerifyCsrfToken::class,
 ],
- // must be authenticated
- // must be 2fa (if enabled)
- // must be activated account
- 'web-auth' => [
+ // MUST NOT be logged in. Does not care about 2FA or confirmation.
+ 'user-not-logged-in' => [
+ EncryptCookies::class,
+ AddQueuedCookiesToResponse::class,
+ StartSession::class,
+ ShareErrorsFromSession::class,
+ VerifyCsrfToken::class,
+ RedirectIfAuthenticated::class,
+ ],
+
+ // MUST be logged in.
+ // MUST NOT have 2FA
+ // don't care about confirmation:
+ 'user-logged-in-no-2fa' => [
 EncryptCookies::class,
 AddQueuedCookiesToResponse::class,
 StartSession::class,
 ShareErrorsFromSession::class,
 VerifyCsrfToken::class,
 Authenticate::class,
- AuthenticateTwoFactor::class,
- IsConfirmed::class,
+ RedirectIfTwoFactorAuthenticated::class,
 ],
- // must be authenticated
- // must be 2fa (if enabled)
- // must NOT be activated account
- 'web-auth-no-confirm' => [
+ // MUST be logged in
+ // MUST have 2FA
+ // MUST NOT have confirmation.
+ 'user-logged-in-2fa-no-activation' => [
 EncryptCookies::class,
 AddQueuedCookiesToResponse::class,
 StartSession::class,
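Review bot: Five middleware group names disappear from the Kernel in this hunk and the next (`web-auth` and `web-auth-no-confirm` here; `web-auth-no-two-factor`, `web-auth-no-two-factor-any-confirm` and `web-auth-range` below), but the routes.php hunks only rewrite call sites for `web`, `web-auth-no-two-factor-any-confirm`, `web-auth-no-confirm` and `web-auth-range`. Any remaining reference to `web-auth` or `web-auth-no-two-factor`, for example in a controller's `$this->middleware(...)` call or another route file, would no longer resolve to a group; those files are not in this patch, so this needs a repository-wide search before merge. The comments on the new groups would also be more useful if they named the middleware that enforces each claim, e.g. `// MUST NOT have 2FA (enforced by RedirectIfTwoFactorAuthenticated)`. The `$middlewareGroups` array continues past both ends of this hunk.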
@@ -83,29 +92,11 @@ class Kernel extends HttpKernel
 AuthenticateTwoFactor::class,
 IsNotConfirmed::class,
 ],
- // must be authenticated
- // does not care about 2fa
- // must be confirmed.
- 'web-auth-no-two-factor' => [
- EncryptCookies::class,
- AddQueuedCookiesToResponse::class,
- StartSession::class,
- ShareErrorsFromSession::class,
- VerifyCsrfToken::class,
- Authenticate::class,
- RedirectIfTwoFactorAuthenticated::class,
- IsConfirmed::class,
- ],
- 'web-auth-no-two-factor-any-confirm' => [
- EncryptCookies::class,
- AddQueuedCookiesToResponse::class,
- StartSession::class,
- ShareErrorsFromSession::class,
- VerifyCsrfToken::class,
- Authenticate::class,
- RedirectIfTwoFactorAuthenticated::class,
- ],
- 'web-auth-range' => [
+ // MUST be logged in
+ // MUST have 2fa
+ // MUST be confirmed.
+ // (this group includes the other Firefly middleware)
+ 'user-full-auth' => [
 EncryptCookies::class,
 AddQueuedCookiesToResponse::class,
 StartSession::class,
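Review bot: The comment `// (this group includes the other Firefly middleware)` on `user-full-auth` does not say which classes those are; the array runs past the end of this hunk and only `Binder::class` is visible as context at the head of the next one. Since this is the group every authenticated and confirmed route relies on, naming the chain in the comment, e.g. `// MUST be confirmed. Also runs the Firefly-specific middleware listed below (the list ends with Binder).`, saves the reader a jump. The removed `web-auth-no-two-factor` group was the only one that combined `RedirectIfTwoFactorAuthenticated` with `IsConfirmed`; if any route still needs that combination it now has no group to use, which is worth confirming against the route files.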
@@ -118,6 +109,68 @@ class Kernel extends HttpKernel
 Binder::class,
 ],
+//
+// // must be authenticated
+// // must be 2fa (if enabled)
+// // must be activated account
+// 'web-auth' => [
+// EncryptCookies::class,
+// AddQueuedCookiesToResponse::class,
+// StartSession::class,
+// ShareErrorsFromSession::class,
+// VerifyCsrfToken::class,
+// Authenticate::class,
+// AuthenticateTwoFactor::class,
+// IsConfirmed::class,
+// ],
+// // must be authenticated
+// // must be 2fa (if enabled)
+// // must NOT be activated account
+// 'web-auth-no-confirm' => [
+// EncryptCookies::class,
+// AddQueuedCookiesToResponse::class,
+// StartSession::class,
+// ShareErrorsFromSession::class,
+// VerifyCsrfToken::class,
+// Authenticate::class,
+// AuthenticateTwoFactor::class,
+// IsNotConfirmed::class,
+// ],
+// // must be authenticated
+// // does not care about 2fa
+// // must be confirmed.
+// 'web-auth-no-two-factor' => [
+// EncryptCookies::class,
+// AddQueuedCookiesToResponse::class,
+// StartSession::class,
+// ShareErrorsFromSession::class,
+// VerifyCsrfToken::class,
+// Authenticate::class,
+// RedirectIfTwoFactorAuthenticated::class,
+// IsConfirmed::class,
+// ],
+// 'web-auth-no-two-factor-any-confirm' => [
+// EncryptCookies::class,
+// AddQueuedCookiesToResponse::class,
+// StartSession::class,
+// ShareErrorsFromSession::class,
+// VerifyCsrfToken::class,
+// Authenticate::class,
+// RedirectIfTwoFactorAuthenticated::class,
+// ],
+// 'web-auth-range' => [
+// EncryptCookies::class,
+// AddQueuedCookiesToResponse::class,
+// StartSession::class,
+// ShareErrorsFromSession::class,
+// VerifyCsrfToken::class,
+// Authenticate::class,
+// AuthenticateTwoFactor::class,
+// IsConfirmed::class,
+// Range::class,
+// Binder::class,
+// ],
+
 'api' => [
 'throttle:60,1',
 ],
diff --git a/app/Http/routes.php b/app/Http/routes.php
index ce9a2c149c..881ef01056 100644
--- a/app/Http/routes.php
+++ b/app/Http/routes.php
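Review bot: The sixty-odd lines added here are the old `web-auth*` group definitions kept as `//` comments, not code; they duplicate groups that now live under new names, will drift from the live ones, and the previous version is already preserved under blob `32fbd669ee`. I would delete the whole commented block rather than ship it, so that `'api' => [ 'throttle:60,1', ],` follows `Binder::class, ],` directly. If the intent is to document the old-to-new mapping, a one-line comment on each new group in the hunks above, e.g. `// formerly 'web-auth-range'`, does that without dead code.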
@@ -1,16 +1,22 @@ 'Auth\AuthController@logout', 'as' => 'logout']);
+//Route::get('/flush', ['uses' => 'HomeController@flush']);
+
+
+/**
+ * These routes only work when the user is NOT logged in.
+ */
 Route::group(
- ['middleware' => 'web'], function () {
+ ['middleware' => 'user-not-logged-in'], function () {
 // Authentication Routes...
 Route::get('/login', 'Auth\AuthController@showLoginForm');
 Route::post('/login', 'Auth\AuthController@login');
- Route::get('/logout', 'Auth\AuthController@logout');
 // Registration Routes...
 Route::get('/register', ['uses' => 'Auth\AuthController@showRegistrationForm', 'as' => 'register']);
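Review bot: `Route::get('/logout', ...)` is removed from the group that becomes `user-not-logged-in` (here, and its named duplicate in the next hunk), which is right since `RedirectIfAuthenticated` would bounce the very user trying to log out, but the line that now declares it is mangled at the head of this hunk (`'Auth\AuthController@logout', 'as' => 'logout']);` is all that survives), so I cannot see which middleware group, if any, wraps it. In the Kernel hunks above `StartSession` and `VerifyCsrfToken` are group middleware, so a logout route declared outside every group would run without the session it is meant to invalidate and without CSRF checking; please confirm it sits inside a group that runs both, and consider `Route::post` for it, since `VerifyCsrfToken` only inspects state-changing verbs. The commented `//Route::get('/flush', ['uses' => 'HomeController@flush']);` should be deleted rather than kept as dead code. The group's closure continues past the end of this hunk.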
@@ -23,30 +29,26 @@ Route::group(
 Route::post('/password/email', 'Auth\PasswordController@sendResetLinkEmail');
 Route::post('/password/reset', 'Auth\PasswordController@reset');
-
- // display error:
- Route::get('/error', 'HomeController@displayError');
-
- Route::get('/logout', ['uses' => 'Auth\AuthController@logout', 'as' => 'logout']);
-
-
 }
 );
- // must be authenticated
- // does not care about 2fa
- // does not care about confirmation.
+
+/**
+ * For the two factor routes, the user must be logged in, but not 2FA. Account confirmation does not matter here.
+ */
 Route::group(
- ['middleware' => 'web-auth-no-two-factor-any-confirm'], function () {
+ ['middleware' => 'user-logged-in-no-2fa'], function () {
 Route::get('/two-factor', ['uses' => 'Auth\TwoFactorController@index', 'as' => 'two-factor']);
 Route::get('/lost-two-factor', ['uses' => 'Auth\TwoFactorController@lostTwoFactor', 'as' => 'lost-two-factor']);
 Route::post('/two-factor', ['uses' => 'Auth\TwoFactorController@postIndex', 'as' => 'two-factor-post']);
- Route::get('/flush', ['uses' => 'HomeController@flush']);
+
 }
 );
- // routes that can only be accessed without having your account confirmed.
+/**
+ * For the confirmation routes, the user must be logged in, also 2FA, but his account must not be confirmed.
+ */
 Route::group(
- ['middleware' => 'web-auth-no-confirm'], function () {
+ ['middleware' => 'user-logged-in-2fa-no-activation'], function () {
 // Route::get('/confirm-your-account', ['uses' => 'Auth\ConfirmationController@confirmationError', 'as' => 'confirmation_error']);
 Route::get('/resend-confirmation', ['uses' => 'Auth\ConfirmationController@resendConfirmation', 'as' => 'resend_confirmation']);
@@ -55,9 +57,11 @@ Route::group(
 }
 );
-
+/**
+ * For all other routes, the user must be fully authenticated and have an activated account.
+ */
 Route::group(
- ['middleware' => ['web-auth-range']], function () {
+ ['middleware' => ['user-full-auth']], function () {
 /**
 * Home Controller
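Review bot: `Route::post('/two-factor', ...)` under `user-logged-in-no-2fa` is where a logged-in user submits the second-factor code, and nothing in that group applies a rate limit; the Kernel hunk above shows `throttle:60,1` only on the `api` group. A short numeric code is only as strong as the number of attempts allowed, so the route action should carry the throttle alias as well, e.g. `Route::post('/two-factor', ['middleware' => 'throttle:5,1', 'uses' => 'Auth\TwoFactorController@postIndex', 'as' => 'two-factor-post']);` (the `5,1` is a constructed example), unless `TwoFactorController@postIndex` limits attempts itself, which is not visible here. The `/login` POST in the previous hunk deserves the same check. The second hunk on this line only swaps `web-auth-range` for `user-full-auth` and needs nothing further.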
@@ -65,7 +69,6 @@ Route::group( Route::get('/', ['uses' => 'HomeController@index', 'as' => 'index']); Route::get('/home', ['uses' => 'HomeController@index', 'as' => 'home']); Route::post('/daterange', ['uses' => 'HomeController@dateRange', 'as' => 'daterange']); - Route::get('/routes', ['uses' => 'HomeController@routes']); /** * Account Controller