Merge pull request #626 from beyondcode/fix/check-app-key

rennokki · web-flow · commit e9b9cc40029a · 2021-01-23T16:46:10.000+02:00
[fix] Check for key app on authorization
diff --git a/src/Statistics/Http/Middleware/Authorize.php b/src/Statistics/Http/Middleware/Authorize.php
@@ -8,6 +8,10 @@ class Authorize
 {
     public function handle($request, $next)
     {
-        return is_null(App::findBySecret($request->secret)) ? abort(403) : $next($request);
+        $app = App::findByKey($request->key);
+
+        return is_null($app) || $app->secret !== $request->secret
+            ? abort(403)
+            : $next($request);
     }
 }
diff --git a/tests/Statistics/Controllers/WebSocketsStatisticsControllerTest.php b/tests/Statistics/Controllers/WebSocketsStatisticsControllerTest.php
@@ -14,6 +14,7 @@ public function it_can_store_statistics()
         $this->post(
             action([WebSocketStatisticsEntriesController::class, 'store']),
             array_merge($this->payload(), [
+                'key' => config('websockets.apps.0.key'),
                 'secret' => config('websockets.apps.0.secret'),
             ])
         );

Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,10 @@ class Authorize`
`8`	`8`	`{`
`9`	`9`	`public function handle($request, $next)`
`10`	`10`	`{`
`11`		`- return is_null(App::findBySecret($request->secret)) ? abort(403) : $next($request);`
	`11`	`+ $app = App::findByKey($request->key);`
	`12`	`+`
	`13`	`+ return is_null($app) \|\| $app->secret !== $request->secret`
	`14`	`+ ? abort(403)`
	`15`	`+ : $next($request);`
`12`	`16`	`}`
`13`	`17`	`}`