Merge pull request #60 from cesargb/issue_41

access code: more control, if I use the same access code in another magiclink
cesargb · Jan 10, 2022 · bffc832 · bffc832
2 parents ff8dbf7 + e953d5f
commit bffc832
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 5 deletions.
diff --git a/src/AccessCode.php b/src/AccessCode.php
@@ -8,6 +8,10 @@
 
 trait AccessCode
 {
+ abstract protected function getAccessCode();
+
+ abstract protected function getMagikLinkId();
+
  protected $cookieName = 'magic-link-access-code';
 
  public function getResponseAccessCode()
@@ -28,15 +32,15 @@ private function checkAccessCode(?string $accessCode): bool
  return false;
  }
 
- return Hash::check($accessCode, $this->access_code);
+ return Hash::check($accessCode, $this->getAccessCode());
  }
 
  /**
  * The action was protected with an access code.
  */
  private function protectedWithAcessCode(): bool
  {
- return ! is_null($this->access_code ?? null);
+ return ! is_null($this->getAccessCode() ?? null);
  }
 
  private function getResponseAccessCodeFromForm()
@@ -51,7 +55,7 @@ private function getResponseAccessCodeFromForm()
  return redirect(request()->url())->withCookie(
  cookie(
  $this->cookieName,
- encrypt($accessCode),
+ encrypt($this->getMagikLinkId().'|'.$accessCode),
  0,
  '/'
  )
@@ -92,9 +96,14 @@ private function getAccessCodeFromCookie()
  try {
  $cookie = Arr::last((array) $accessCodeCookies);
 
- return decrypt($cookie);
+ [$magiglinkId, $accessCode] = explode('|', decrypt($cookie));
+
+ if ($magiglinkId === $this->getMagikLinkId()) {
+ return $accessCode;
+ }
  } catch (DecryptException $e) {
- return null;
  }
+
+ return null;
  }
 }
diff --git a/src/MagicLink.php b/src/MagicLink.php
@@ -23,6 +23,16 @@ class MagicLink extends Model
 {
  use AccessCode;
 
+ public function getAccessCode()
+ {
+ return $this->access_code ?? null;
+ }
+
+ public function getMagikLinkId()
+ {
+ return $this->getKey();
+ }
+
  public $incrementing = false;
 
  protected $keyType = 'string';

diff --git a/tests/AccessCodeTest.php b/tests/AccessCodeTest.php
@@ -80,4 +80,27 @@ public function test_sucessfull_if_provide_access_code()
  ->assertStatus(200)
  ->assertSeeText('the big secret');
  }
+
+ public function test_forbidden_if_provide_access_code_of_other_link()
+ {
+ $magiclink = MagicLink::create(new ResponseAction(function () {
+ return 'the big secret';
+ }));
+
+ $magiclink->protectWithAccessCode('1234');
+
+ $response = $this->get("{$magiclink->url}?access-code=1234");
+
+ $cookie = $response->headers->getCookies()[0];
+
+ $magiclinkOther = MagicLink::create(new ResponseAction(function () {
+ return 'the other big secret';
+ }));
+
+ $magiclinkOther->protectWithAccessCode('1234');
+
+ $this->disableCookieEncryption()->withCookie($cookie->getName(), $cookie->getvalue())
+ ->get($magiclinkOther->url)
+ ->assertStatus(403);
+ }
 }