diff --git a/config/config.php b/config/config.php index b8b2d7a3..350f7b32 100644 --- a/config/config.php +++ b/config/config.php @@ -18,13 +18,13 @@ use Monolog\Level; return (function () { $inContainer = inContainer(); - $progressTimeCheck = fn (int $v, int $d): int => 0 === $v || $v >= 180 ? $v : $d; + $progressTimeCheck = fn(int $v, int $d): int => 0 === $v || $v >= 180 ? $v : $d; $config = [ 'name' => 'WatchState', 'version' => '$(version_via_ci)', 'tz' => env('WS_TZ', env('TZ', 'UTC')), - 'path' => fixPath(env('WS_DATA_PATH', fn () => $inContainer ? '/config' : __DIR__ . '/../var')), + 'path' => fixPath(env('WS_DATA_PATH', fn() => $inContainer ? '/config' : __DIR__ . '/../var')), 'logs' => [ 'context' => (bool)env('WS_LOGS_CONTEXT', false), 'prune' => [ @@ -44,7 +44,7 @@ return (function () { 'encode' => JSON_INVALID_UTF8_IGNORE | JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE, 'headers' => [ 'Content-Type' => 'application/json', - 'X-Application-Version' => fn () => getAppVersion(), + 'X-Application-Version' => fn() => getAppVersion(), 'Access-Control-Allow-Origin' => '*', ], ], @@ -71,7 +71,7 @@ return (function () { 'proxy' => (bool)env('WS_TRUST_PROXY', false), 'header' => (string)env('WS_TRUST_HEADER', 'X-Forwarded-For'), 'local' => (bool)env('WS_TRUST_LOCAL', false), - 'localnet' => [ + 'local_net' => [ '192.168.0.0/16', // RFC-1918 A-block. '127.0.0.1/32', // localhost IPv4 '10.0.0.0/8', // RFC-1918 C-block. 
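Review bot: The `'localnet'` to `'local_net'` rename in the last config/config.php hunk changes a key that gates an authentication bypass, so any reader still calling `Config::get('trust.localnet', [])` will now silently get its default instead of the list. Auth.php is updated in this commit, but it imports `AuthorizationMiddleware`, which is not part of the diff; if that class or any other code reads the list, it needs the same change. The context comments also look swapped: `10.0.0.0/8` is the class-A-sized RFC 1918 range and `192.168.0.0/16` the class-C one, so the `A-block` and `C-block` labels should trade places. The array continues past the end of the hunk.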
@@ -162,14 +162,14 @@ return (function () { $config['profiler'] = [ 'save' => (bool)env('WS_PROFILER_SAVE', true), - 'path' => env('WS_PROFILER_PATH', fn () => ag($config, 'tmpDir') . '/profiler'), + 'path' => env('WS_PROFILER_PATH', fn() => ag($config, 'tmpDir') . '/profiler'), 'collector' => env('WS_PROFILER_COLLECTOR', null), ]; $config['cache'] = [ 'prefix' => env('WS_CACHE_PREFIX', null), 'url' => env('WS_CACHE_URL', 'redis://127.0.0.1:6379'), - 'path' => env('WS_CACHE_PATH', fn () => ag($config, 'tmpDir') . '/cache'), + 'path' => env('WS_CACHE_PATH', fn() => ag($config, 'tmpDir') . '/cache'), ]; $config['logger'] = [ diff --git a/config/env.spec.php b/config/env.spec.php index b11d0240..b21a0b68 100644 --- a/config/env.spec.php +++ b/config/env.spec.php @@ -67,7 +67,7 @@ return (function () { ], [ 'key' => 'WS_TRUST_LOCAL', - 'description' => 'Bypass the authentication layer for local IP Addresses for WebUI.', + 'description' => 'Bypass the WebUI authentication layer for local IP addresses.', 'type' => 'bool', 'danger' => true, ], @@ -276,20 +276,22 @@ return (function () { return $value; } - $hash = password_hash($value, Config::get('password.algo'), Config::get('password.options', [])); - - if (false === $hash) { - throw new ValidationException('Invalid password. Password hashing failed.'); + try { + return $prefix . password_hash( + $value, + Config::get('password.algo'), + Config::get('password.options', []) + ); + } catch (ValueError $e) { + throw new ValidationException('Invalid password. Password hashing failed.', $e); } - - return $prefix . $hash; }, 'mask' => true, 'protected' => true, ], - [ + [ 'key' => 'WS_SYSTEM_SECRET', - 'description' => 'The secret key which is used to sign sucessful auth requests.', + 'description' => 'The secret key which is used to sign successful auth requests.', 'type' => 'string', 'validate' => function (mixed $value): string { if (empty($value)) { 
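Review bot: In the `WS_SYSTEM_PASSWORD` validator hunk of config/env.spec.php, `new ValidationException('…', $e)` passes the caught exception as the second constructor argument. If `ValidationException` keeps the standard `Exception` signature (message, code, previous), which is not visible here, that position is `int $code` and the throw itself raises a `TypeError`; `throw new ValidationException('Invalid password. Password hashing failed.', previous: $e);` avoids that. Since PHP 8.0 `password_hash()` also throws a plain `Error` when hashing fails for an unknown reason, and `catch (ValueError $e)` lets that escape the validator; `} catch (\Error $e) {` covers both, because `ValueError` extends `Error`. The validator closure starts before this hunk.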
diff --git a/src/API/System/Auth.php b/src/API/System/Auth.php index c02202e4..9acdf21e 100644 --- a/src/API/System/Auth.php +++ b/src/API/System/Auth.php @@ -12,10 +12,10 @@ use App\Libs\Config; use App\Libs\DataUtil; use App\Libs\Enums\Http\Method; use App\Libs\Enums\Http\Status; +use App\Libs\IpUtils; use App\Libs\Middlewares\AuthorizationMiddleware; use App\Libs\TokenUtil; use App\Libs\Traits\APITraits; -use App\Libs\IpUtils; use Psr\Http\Message\ResponseInterface as iResponse; use Psr\Http\Message\ServerRequestInterface as iRequest; use Throwable; @@ -42,13 +42,14 @@ final class Auth return api_response(Status::NO_CONTENT); } - if (false === Config::get('trust.local', false)) { + $localNet = Config::get('trust.local_net', []); + if (true !== (bool)Config::get('trust.local', false) || count($localNet) < 1) { return api_response(Status::OK); } $localAddress = getClientIp($request); - if (false === IpUtils::checkIp($localAddress, Config::get('trust.localnet', []))) { + if (false === IpUtils::checkIp($localAddress, $localNet)) { return api_response(Status::OK); } @@ -123,8 +124,8 @@ final class Auth try { $payload = json_decode($payload, true, flags: JSON_THROW_ON_ERROR); - $tokenUser = ag($payload, 'username', fn () => TokenUtil::generateSecret()); - $systemUser = Config::get('system.user', fn () => TokenUtil::generateSecret()); + $tokenUser = ag($payload, 'username', fn() => TokenUtil::generateSecret()); + $systemUser = Config::get('system.user', fn() => TokenUtil::generateSecret()); if (false === hash_equals($systemUser, $tokenUser)) { return api_error('Invalid token.', Status::UNAUTHORIZED); 
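Review bot: In the `@@ -42,13 +42,14 @@` hunk of src/API/System/Auth.php, the local-network bypass depends entirely on what `getClientIp($request)` returns, and nothing at this call site documents that. config.php also defines `trust.proxy` and `trust.header`; if `getClientIp()` honours them (its body is not shown), the address compared against `$localNet` comes from a request header whenever proxy trust is on. A comment above the call would make that explicit: `// Auth bypass is keyed on client IP; with trust.proxy enabled this is read from trust.header, so enable both only behind a proxy that overwrites that header.` Separately, `count($localNet)` throws a `TypeError` if the configured value is not an array, so the guard is safer as `|| !is_array($localNet) || [] === $localNet`. The method body starts and ends outside the hunk.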
@@ -254,8 +255,8 @@ final class Auth return api_error('Invalid current password.', Status::UNAUTHORIZED); } - $repsonse = APIRequest(Method::POST, '/system/env/WS_SYSTEM_PASSWORD', ['value' => $new_password]); - if (Status::OK !== $repsonse->status) { + $response = APIRequest(Method::POST, '/system/env/WS_SYSTEM_PASSWORD', ['value' => $new_password]); + if (Status::OK !== $response->status) { return api_error('Failed to set new password.', Status::INTERNAL_SERVER_ERROR); }