Merge pull request #39 from rabol/master

cesargb · web-flow · commit 14b14a6d3b00 · 2021-03-20T11:08:24.000+01:00
Add access_code feature
diff --git a/.DS_Store b/.DS_Store
diff --git a/README.md b/README.md
@@ -160,6 +160,20 @@ $urlToCustomFunction = MagicLink::create(
 )->url;
 ```
 
+## Protect with an access code
+
+Optionally you can protect the resources with an access code.
+You can set the access code with method `protectWithAccessCode`
+which accepts an argument with the access code.
+
+```php
+$magiclink = MagicLink::create(new DownloadFileAction('private_document.pdf'));
+
+$magiclink->protectWithAccessCode('secret');
+
+$urlToSend = $magiclink->url;
+```
+
 ## MagicLink link lifetime
 
 By default a link will be available for 72 hours after your creation. We can
diff --git a/databases/.DS_Store b/databases/.DS_Store
diff --git a/databases/migrations/2021_03_06_211907_add_access_code_to_magic_links_table.php b/databases/migrations/2021_03_06_211907_add_access_code_to_magic_links_table.php
@@ -0,0 +1,34 @@
+<?php
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+class AddAccessCodeToMagicLinksTable extends Migration
+{
+    /**
+     * Run the migrations.
+     *
+     * @return void
+     */
+    public function up()
+    {
+        Schema::table('magic_links', function (Blueprint $table) {
+            $table->string('access_code')->nullable();
+        });
+    }
+
+    /**
+     * Reverse the migrations.
+     *
+     * @return void
+     */
+    public function down()
+    {
+        if (Schema::hasColumn('magic_links', 'access_code')) {
+            Schema::table('magic_links', function (Blueprint $table) {
+                $table->dropColumn('access_code');
+            });
+        }
+    }
+}
diff --git a/resources/views/ask-for-access-code-form.blade.php b/resources/views/ask-for-access-code-form.blade.php
@@ -0,0 +1,75 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <title>Password protected</title>
+
+    <link href="https://fonts.googleapis.com/css?family=Lato:100" rel="stylesheet" type="text/css">
+
+    <style>
+        html, body {
+            height: 100%;
+        }
+
+        body {
+            margin: 0;
+            padding: 0;
+            width: 100%;
+            display: table;
+            font-weight: 100;
+            font-family: 'Lato';
+        }
+
+        .container {
+            text-align: center;
+            display: table-cell;
+            vertical-align: middle;
+        }
+
+        .content {
+            text-align: center;
+            display: inline-block;
+        }
+
+        .title {
+            font-size: 36px;
+        }
+
+        .form-control {
+            border: 1px solid #ccc;
+            padding: 10px 20px;
+        }
+
+        .hidden {
+            display: none;
+        }
+
+        .text-danger {
+            color: #d9534f;
+        }
+    </style>
+</head>
+<body>
+<div class="container">
+    <div class="content">
+        <div class="title">Enter access code</div>
+
+        <form method="GET">
+            {{ csrf_field() }}
+
+            <div class="form-group">
+
+                <input type="password" name="access-code" placeholder="Please enter access code" class="form-control" tabindex="1" autofocus />
+                @if (Request::get('access-code'))
+                    <div class="text-danger">Access code is wrong</div>
+                @else
+                    <div class="small help-block">And press enter</div>
+                @endif
+            </div>
+
+            <input type="submit" class="hidden" />
+
+        </form>
+    </div>
+</div>
+</body>
+</html>
diff --git a/src/.DS_Store b/src/.DS_Store
diff --git a/src/MagicLink.php b/src/MagicLink.php
@@ -6,6 +6,7 @@
 use Illuminate\Database\Eloquent\Model;
 use Illuminate\Database\QueryException;
 use Illuminate\Support\Facades\Event;
+use Illuminate\Support\Facades\Hash;
 use Illuminate\Support\Str;
 use MagicLink\Actions\ActionInterface;
 use MagicLink\Events\MagicLinkWasCreated;
@@ -87,6 +88,46 @@ public static function create(ActionInterface $action, ?int $lifetime = 4320, ?i
         return $magiclink;
     }
 
+    /**
+     * Protect the Action with an access code.
+     *
+     * @param string $accessCode
+     * @return self
+     */
+    public function protectWithAccessCode(string $accessCode): self
+    {
+        $this->access_code = Hash::make($accessCode);
+
+        $this->save();
+
+        return $this;
+    }
+
+    /**
+     * Check if access code is right.
+     *
+     * @param string|null $accessCode
+     * @return bool
+     */
+    public function checkAccessCode(?string $accessCode): bool
+    {
+        if ($accessCode === null) {
+            return false;
+        }
+
+        return Hash::check($accessCode, $this->access_code);
+    }
+
+    /**
+     * The action was protected with an access code.
+     *
+     * @return bool
+     */
+    public function protectedWithAcessCode(): bool
+    {
+        return ! is_null($this->access_code ?? null);
+    }
+
     /**
      * Execute Action.
      *
diff --git a/src/MagicLinkServiceProvider.php b/src/MagicLinkServiceProvider.php
@@ -22,6 +22,13 @@ public function boot()
         if ($this->mustLoadRoute()) {
             $this->loadRoutesFrom(__DIR__.'/routes.php');
         }
+
+        // Views
+        $sourceViewsPath = __DIR__.'/../resources/views';
+        $this->loadViewsFrom($sourceViewsPath, 'magiclink');
+        $this->publishes([
+            $sourceViewsPath => resource_path('views/vendor/magiclink'),
+        ], 'views');
     }
 
     protected function mustLoadRoute()
diff --git a/src/Middlewares/MagiclinkMiddleware.php b/src/Middlewares/MagiclinkMiddleware.php
@@ -3,7 +3,9 @@
 namespace MagicLink\Middlewares;
 
 use Closure;
+use Illuminate\Contracts\Encryption\DecryptException;
 use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Hash;
 use MagicLink\MagicLink;
 use MagicLink\Responses\Response;
 
@@ -15,16 +17,56 @@ public function handle(Request $request, Closure $next)
 
         $magicLink = MagicLink::getValidMagicLinkByToken($token);
 
-        if ($magicLink) {
-            $magicLink->visited();
+        if (! $magicLink) {
+            return $this->badResponse();
+        }
+
+        if ($magicLink->protectedWithAcessCode()) {
+            if ($magicLink->checkAccessCode($request->get('access-code'))) {
+                // access code is valid
+                return redirect($request->url())->withCookie(
+                    cookie(
+                        'magic-link-access-code',
+                        encrypt($request->get('access-code')),
+                        0,
+                        '/'
+                    )
+                );
+            }
+
+            try {
+                $accessCode = decrypt($request->cookie('magic-link-access-code'));
+
+                // Validate access_code
+                if ($magicLink->checkAccessCode($accessCode)) {
+                    $magicLink->visited();
+
+                    return $next($request);
+                }
+            } catch (DecryptException $e) {
+                // empty value in cookie
+            }
 
-            return $next($request);
+            return response(view('magiclink::ask-for-access-code-form'), 403);
         }
 
-        return $this->response();
+        $magicLink->visited();
+
+        return $next($request);
     }
 
-    protected function response()
+    // private function isAccessCodeValid(string $token, ?string $accessCode): bool
+    // {
+    //     if ($accessCode === null) {
+    //         return false;
+    //     }
+
+    //     $magicLink = MagicLink::getValidMagicLinkByToken($token);
+
+    //     return Hash::check($accessCode, $magicLink->access_code);
+    // }
+
+    protected function badResponse()
     {
         $responseClass = config('magiclink.invalid_response.class', Response::class);
 
diff --git a/src/routes.php b/src/routes.php
@@ -3,9 +3,17 @@
 use Illuminate\Support\Facades\Route;
 use MagicLink\Middlewares\MagiclinkMiddleware;
 
-Route::group(['middleware' => [MagiclinkMiddleware::class, 'web']], function () {
-    Route::get(
-        config('magiclink.url.validate_path', 'magiclink').'/{token}',
-        'MagicLink\Controllers\MagicLinkController@access'
-    );
-});
+Route::group(
+    [
+        'middleware' => [
+            MagiclinkMiddleware::class,
+            'web',
+        ],
+    ],
+    function () {
+        Route::get(
+            config('magiclink.url.validate_path', 'magiclink').'/{token}',
+            'MagicLink\Controllers\MagicLinkController@access'
+        );
+    }
+);
diff --git a/tests/AccessCodeTest.php b/tests/AccessCodeTest.php
@@ -0,0 +1,83 @@
+<?php
+
+namespace MagicLink\Test;
+
+use MagicLink\Actions\ResponseAction;
+use MagicLink\MagicLink;
+
+class AccessCodeTest extends TestCase
+{
+    public function test_sucessfull_if_not_protected_with_access_code()
+    {
+        $magiclink = MagicLink::create(new ResponseAction(function () {
+            return 'the big secret';
+        }));
+
+        $this->get($magiclink->url)
+                ->assertStatus(200)
+                ->assertSeeText('the big secret');
+    }
+
+    public function test_forbidden_if_protected_with_access_code()
+    {
+        $magiclink = MagicLink::create(new ResponseAction(function () {
+            return 'the big secret';
+        }));
+
+        $magiclink->protectWithAccessCode('1234');
+
+        $this->get($magiclink->url)
+                ->assertStatus(403)
+                ->assertViewIs('magiclink::ask-for-access-code-form');
+    }
+
+    public function test_forbidden_if_protected_with_access_code_and_send_bad()
+    {
+        $magiclink = MagicLink::create(new ResponseAction(function () {
+            return 'the big secret';
+        }));
+
+        $magiclink->protectWithAccessCode('1234');
+
+        $response = $this->get("{$magiclink->url}?access-code=123")
+                ->assertStatus(403)
+                ->assertViewIs('magiclink::ask-for-access-code-form');
+
+        $this->assertEquals(0, count($response->headers->getCookies()));
+    }
+
+    public function test_forbidden_if_protected_with_access_code_and_send_null()
+    {
+        $magiclink = MagicLink::create(new ResponseAction(function () {
+            return 'the big secret';
+        }));
+
+        $magiclink->protectWithAccessCode('1234');
+
+        $response = $this->get("{$magiclink->url}")
+                ->assertStatus(403)
+                ->assertViewIs('magiclink::ask-for-access-code-form');
+
+        $this->assertEquals(0, count($response->headers->getCookies()));
+    }
+
+    public function test_sucessfull_if_provide_access_code()
+    {
+        $magiclink = MagicLink::create(new ResponseAction(function () {
+            return 'the big secret';
+        }));
+
+        $magiclink->protectWithAccessCode('1234');
+
+        $response = $this->get("{$magiclink->url}?access-code=1234")
+            ->assertStatus(302)
+            ->assertRedirect($magiclink->url);
+
+        $cookie = $response->headers->getCookies()[0];
+
+        $this->disableCookieEncryption()->withCookie($cookie->getName(), $cookie->getvalue())
+            ->get($magiclink->url)
+            ->assertStatus(200)
+            ->assertSeeText('the big secret');
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,13 @@ public function boot()`
`22`	`22`	`if ($this->mustLoadRoute()) {`
`23`	`23`	`$this->loadRoutesFrom(__DIR__.'/routes.php');`
`24`	`24`	`}`
	`25`	`+`
	`26`	`+ // Views`
	`27`	`+ $sourceViewsPath = __DIR__.'/../resources/views';`
	`28`	`+ $this->loadViewsFrom($sourceViewsPath, 'magiclink');`
	`29`	`+ $this->publishes([`
	`30`	`+ $sourceViewsPath => resource_path('views/vendor/magiclink'),`
	`31`	`+ ], 'views');`
`25`	`32`	`}`
`26`	`33`
`27`	`34`	`protected function mustLoadRoute()`