Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(page): Decouple the index controller from the executing method #10545

Merged
merged 2 commits into from
Sep 21, 2023
Merged

fix(page): Decouple the index controller from the executing method #10545

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
61775fd
fix(page): Decouple the index controller from the executing method
nickvergessen Aug 3, 2023
2b36f0f
fix(page): Add integration test
nickvergessen Aug 30, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 18 additions & 5 deletions lib/Controller/PageController.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -127,33 +127,46 @@ public function showCall(string $token): Response {
#[BruteForceProtection(action: 'talkRoomPassword')]
public function authenticatePassword(string $token, string $password = ''): Response {
// This is the entry point from the `/call/{token}` URL which is hardcoded in the server.
return $this->index($token, '', $password);
return $this->pageHandler($token, '', $password);
}

#[NoCSRFRequired]
#[PublicPage]
public function notFound(): Response {
return $this->index();
return $this->pageHandler();
}

#[NoCSRFRequired]
#[PublicPage]
public function duplicateSession(): Response {
return $this->index();
return $this->pageHandler();
}

/**
* @param string $token
* @param string $callUser
* @param string $password
* @return TemplateResponse|RedirectResponse
* @throws HintException
*/
#[NoCSRFRequired]
#[PublicPage]
#[BruteForceProtection(action: 'talkRoomToken')]
#[UseSession]
public function index(string $token = '', string $callUser = '', string $password = ''): Response {
public function index(string $token = '', string $callUser = ''): Response {
if ($callUser !== '') {
$token = '';
}
return $this->pageHandler($token, $callUser);
}

/**
* @param string $token
* @param string $callUser
* @param string $password
* @return TemplateResponse|RedirectResponse
* @throws HintException
*/
protected function pageHandler(string $token = '', string $callUser = '', string $password = ''): Response {
$bruteForceToken = $token;
$user = $this->userSession->getUser();
if (!$user instanceof IUser) {
Expand Down
24 changes: 24 additions & 0 deletions tests/integration/features/bootstrap/FeatureContext.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1088,6 +1088,30 @@ public function userViewsCallURL(string $user, string $identifier, int $statusCo
}
}

/**
* @Then /^user "([^"]*)" views URL "([^"]*)" with query parameters and status code (\d+)$/
*
* @param string $user
* @param string $page
* @param int $statusCode
* @param null|TableNode $formData
*/
public function userViewsURLWithQuery(string $user, string $page, int $statusCode, TableNode $formData = null): void {
$parameters = [];
if ($formData instanceof TableNode) {
foreach ($formData->getRowsHash() as $key => $value) {
$parameters[$key] = $key === 'token' ? (self::$identifierToToken[$value] ?? $value) : $value;
}
}

$this->setCurrentUser($user);
$this->sendFrontpageRequest(
'GET', '/' . $page . '?' . http_build_query($parameters)
);

$this->assertStatusCode($this->response, $statusCode);
}

/**
* @Then /^user "([^"]*)" sets notifications to (default|disabled|mention|all) for room "([^"]*)" \((v4)\)$/
*
Expand Down
18 changes: 17 additions & 1 deletion tests/integration/features/conversation/bruteforce-protection.feature
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -63,7 +63,6 @@ Feature: conversation/bruteforce-protection
Then the following brute force attempts are registered
And disable brute force protection

# Note: This test takes quite long …
Scenario: User gets blocked after some attempts
Given enable brute force protection
Then the following brute force attempts are registered
Expand All @@ -81,3 +80,20 @@ Feature: conversation/bruteforce-protection
Then the following brute force attempts are registered
| talkRoomToken | 11 |
And disable brute force protection

Scenario: Prevent brute forcing on an endpoint that is not meant to handle the password
Given enable brute force protection
And user "participant1" creates room "room" (v4)
| roomType | 3 |
| roomName | room |
And user "participant1" sets password "foobar" for room "room" with 200 (v4)
Then the following brute force attempts are registered
And user "participant2" joins room "room" with 403 (v4)
Then the following brute force attempts are registered
| talkRoomPassword | 1 |
When user "participant2" views URL "apps/spreed" with query parameters and status code 200
| token | room |
| password | foobar |
Then the following brute force attempts are registered
| talkRoomPassword | 1 |
And disable brute force protection
Loading