Merge pull request #17 from sander3/skip-re-authentication-feature

Re-authentication configuration option
sander3 · Jul 29, 2018 · 9e71bf4 · 9e71bf4
2 parents f27d62e + 6e2bf4d
commit 9e71bf4
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 5 deletions.
diff --git a/config/gdpr.php b/config/gdpr.php
@@ -29,6 +29,18 @@
         'auth',
     ],
 
+    /*
+    |--------------------------------------------------------------------------
+    | Re-authentication
+    |--------------------------------------------------------------------------
+    |
+    | Only authenticated users should be able to download their data.
+    | Re-authentication is recommended to prevent information leakage.
+    |
+    */
+
+    're-authenticate' => true,
+
     /*
     |--------------------------------------------------------------------------
     | Cleanup Strategy

diff --git a/src/Http/Controllers/GdprController.php b/src/Http/Controllers/GdprController.php
@@ -18,7 +18,7 @@ class GdprController extends Controller
      */
     public function download(GdprDownload $request)
     {
-        if (!$this->attemptLogin($request)) {
+        if (!$this->validateRequest($request)) {
             return $this->sendFailedLoginResponse();
         }
 
@@ -38,19 +38,34 @@ public function download(GdprDownload $request)
     }
 
     /**
-     * Attempt to log the user into the application.
+     * Validate the request.
      *
      * @param  \Illuminate\Foundation\Http\FormRequest  $request
      * @return bool
      */
-    protected function attemptLogin(FormRequest $request)
+    protected function validateRequest(FormRequest $request)
+    {
+        if (config('gdpr.re-authenticate', true)) {
+            return $this->hasValidCredentials($request);
+        }
+
+        return Auth::check();
+    }
+
+    /**
+     * Validate a user's credentials.
+     *
+     * @param  \Illuminate\Foundation\Http\FormRequest  $request
+     * @return bool
+     */
+    protected function hasValidCredentials(FormRequest $request)
     {
         $credentials = [
             $request->user()->getAuthIdentifierName() => $request->user()->getAuthIdentifier(),
             'password'                                => $request->input('password'),
         ];
 
-        return Auth::attempt($credentials);
+        return Auth::validate($credentials);
     }
 
     /**

diff --git a/src/Http/Requests/GdprDownload.php b/src/Http/Requests/GdprDownload.php
@@ -24,7 +24,7 @@ public function authorize()
     public function rules()
     {
         return [
-            'password' => 'required|string',
+            'password' => 'string',
         ];
     }
 }