bookstack/app/Access/Controllers/ConfirmEmailController.php

<?php

namespace BookStack\Access\Controllers;

use BookStack\Access\EmailConfirmationService;
use BookStack\Access\LoginService;
use BookStack\Exceptions\ConfirmationEmailException;
use BookStack\Exceptions\UserTokenExpiredException;
use BookStack\Exceptions\UserTokenNotFoundException;
use BookStack\Http\Controller;
use BookStack\Users\UserRepo;
use Exception;
use Illuminate\Http\Request;

class ConfirmEmailController extends Controller
{
    public function __construct(
        protected EmailConfirmationService $emailConfirmationService,
        protected LoginService $loginService,
        protected UserRepo $userRepo
    ) {
    }

    /**
     * Show the page to tell the user to check their email
     * and confirm their address.
     */
    public function show()
    {
        return view('auth.register-confirm');
    }

    /**
     * Shows a notice that a user's email address has not been confirmed,
     * Also has the option to re-send the confirmation email.
     */
    public function showAwaiting()
    {
        $user = $this->loginService->getLastLoginAttemptUser();

        return view('auth.user-unconfirmed', ['user' => $user]);
    }

    /**
     * Show the form for a user to provide their positive confirmation of their email.
     */
    public function showAcceptForm(string $token)
    {
        return view('auth.register-confirm-accept', ['token' => $token]);
    }

    /**
     * Confirms an email via a token and logs the user into the system.
     *
     * @throws ConfirmationEmailException
     * @throws Exception
     */
    public function confirm(Request $request)
    {
        $validated = $this->validate($request, [
            'token' => ['required', 'string']
        ]);

        $token = $validated['token'];

        try {
            $userId = $this->emailConfirmationService->checkTokenAndGetUserId($token);
        } catch (UserTokenNotFoundException $exception) {
            $this->showErrorNotification(trans('errors.email_confirmation_invalid'));

            return redirect('/register');
        } catch (UserTokenExpiredException $exception) {
            $user = $this->userRepo->getById($exception->userId);
            $this->emailConfirmationService->sendConfirmation($user);
            $this->showErrorNotification(trans('errors.email_confirmation_expired'));

            return redirect('/register/confirm');
        }

        $user = $this->userRepo->getById($userId);
        $user->email_confirmed = true;
        $user->save();

        $this->emailConfirmationService->deleteByUser($user);
        $this->showSuccessNotification(trans('auth.email_confirm_success'));

        return redirect('/login');
    }

    /**
     * Resend the confirmation email.
     */
    public function resend(Request $request)
    {
        $this->validate($request, [
            'email' => ['required', 'email', 'exists:users,email'],
        ]);
        $user = $this->userRepo->getByEmail($request->get('email'));

        try {
            $this->emailConfirmationService->sendConfirmation($user);
        } catch (Exception $e) {
            $this->showErrorNotification(trans('auth.email_confirm_send_error'));

            return redirect('/register/confirm');
        }

        $this->showSuccessNotification(trans('auth.email_confirm_resent'));

        return redirect('/register/confirm');
    }
}
Refactored confirm actions to their own controller 2019-08-18 17:47:59 +08:00			`<?php`

Played around with a new app structure 2023-05-18 00:56:55 +08:00			`namespace BookStack\Access\Controllers;`
Refactored confirm actions to their own controller 2019-08-18 17:47:59 +08:00
Played around with a new app structure 2023-05-18 00:56:55 +08:00			`use BookStack\Access\EmailConfirmationService;`
			`use BookStack\Access\LoginService;`
Refactored confirm actions to their own controller 2019-08-18 17:47:59 +08:00			`use BookStack\Exceptions\ConfirmationEmailException;`
			`use BookStack\Exceptions\UserTokenExpiredException;`
			`use BookStack\Exceptions\UserTokenNotFoundException;`
Cleaned up namespacing in routes Also moved home controller and moved controllers up a level in http. 2023-05-19 03:53:39 +08:00			`use BookStack\Http\Controller;`
Played around with a new app structure 2023-05-18 00:56:55 +08:00			`use BookStack\Users\UserRepo;`
Refactored confirm actions to their own controller 2019-08-18 17:47:59 +08:00			`use Exception;`
			`use Illuminate\Http\Request;`

			`class ConfirmEmailController extends Controller`
			`{`
Updated all login events to route through single service 2021-07-18 00:45:00 +08:00			`public function __construct(`
Cleaned up old token services 2023-04-04 17:44:38 +08:00			`protected EmailConfirmationService $emailConfirmationService,`
			`protected LoginService $loginService,`
			`protected UserRepo $userRepo`
Apply fixes from StyleCI 2021-08-21 22:49:40 +08:00			`) {`
Refactored confirm actions to their own controller 2019-08-18 17:47:59 +08:00			`}`

			`/**`
			`* Show the page to tell the user to check their email`
			`* and confirm their address.`
			`*/`
			`public function show()`
			`{`
			`return view('auth.register-confirm');`
			`}`

			`/**`
			`* Shows a notice that a user's email address has not been confirmed,`
			`* Also has the option to re-send the confirmation email.`
			`*/`
			`public function showAwaiting()`
			`{`
Added login redirect system to confirm/mfa Also continued a bit on the MFA verification system. Moved some MFA routes to public space using updated login service to get the current user that is either logged in or last attempted login (With correct creds). 2021-07-18 23:52:31 +08:00			`$user = $this->loginService->getLastLoginAttemptUser();`
Apply fixes from StyleCI 2021-08-21 22:49:40 +08:00
Added login redirect system to confirm/mfa Also continued a bit on the MFA verification system. Moved some MFA routes to public space using updated login service to get the current user that is either logged in or last attempted login (With correct creds). 2021-07-18 23:52:31 +08:00			`return view('auth.user-unconfirmed', ['user' => $user]);`
Refactored confirm actions to their own controller 2019-08-18 17:47:59 +08:00			`}`

Updated email confirmation flow so confirmation is done via POST To avoid non-user GET requests (Such as those from email scanners) auto-triggering the confirm submission. Made auto-submit the form via JavaScript in this extra added step with user-link backup to keep existing user flow experience. Closes #3797 2022-11-12 23:10:14 +08:00			`/**`
			`* Show the form for a user to provide their positive confirmation of their email.`
			`*/`
			`public function showAcceptForm(string $token)`
			`{`
			`return view('auth.register-confirm-accept', ['token' => $token]);`
			`}`

Refactored confirm actions to their own controller 2019-08-18 17:47:59 +08:00			`/**`
			`* Confirms an email via a token and logs the user into the system.`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`*`
Refactored confirm actions to their own controller 2019-08-18 17:47:59 +08:00			`* @throws ConfirmationEmailException`
			`* @throws Exception`
			`*/`
Updated email confirmation flow so confirmation is done via POST To avoid non-user GET requests (Such as those from email scanners) auto-triggering the confirm submission. Made auto-submit the form via JavaScript in this extra added step with user-link backup to keep existing user flow experience. Closes #3797 2022-11-12 23:10:14 +08:00			`public function confirm(Request $request)`
Refactored confirm actions to their own controller 2019-08-18 17:47:59 +08:00			`{`
Updated email confirmation flow so confirmation is done via POST To avoid non-user GET requests (Such as those from email scanners) auto-triggering the confirm submission. Made auto-submit the form via JavaScript in this extra added step with user-link backup to keep existing user flow experience. Closes #3797 2022-11-12 23:10:14 +08:00			`$validated = $this->validate($request, [`
			`'token' => ['required', 'string']`
			`]);`

			`$token = $validated['token'];`

Refactored confirm actions to their own controller 2019-08-18 17:47:59 +08:00			`try {`
			`$userId = $this->emailConfirmationService->checkTokenAndGetUserId($token);`
Done a round of phpstan fixes 2021-11-06 08:32:01 +08:00			`} catch (UserTokenNotFoundException $exception) {`
			`$this->showErrorNotification(trans('errors.email_confirmation_invalid'));`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00
Done a round of phpstan fixes 2021-11-06 08:32:01 +08:00			`return redirect('/register');`
			`} catch (UserTokenExpiredException $exception) {`
			`$user = $this->userRepo->getById($exception->userId);`
			`$this->emailConfirmationService->sendConfirmation($user);`
			`$this->showErrorNotification(trans('errors.email_confirmation_expired'));`
Refactored confirm actions to their own controller 2019-08-18 17:47:59 +08:00
Done a round of phpstan fixes 2021-11-06 08:32:01 +08:00			`return redirect('/register/confirm');`
Refactored confirm actions to their own controller 2019-08-18 17:47:59 +08:00			`}`

			`$user = $this->userRepo->getById($userId);`
			`$user->email_confirmed = true;`
			`$user->save();`

			`$this->emailConfirmationService->deleteByUser($user);`
Started moving MFA and email confirmation to new login flow Instead of being soley middleware based. 2021-07-18 01:24:50 +08:00			`$this->showSuccessNotification(trans('auth.email_confirm_success'));`
Refactored confirm actions to their own controller 2019-08-18 17:47:59 +08:00
Prevented auto-login from direct email confirmation actions Was done for convenience but could potentially be exploited by an attacker using signing up via one of these routes, then forwarding an email confirmation to another user so they unknowingly utilise an account someone else controls. Tweaks the flow of confirming email, and the user invite flow. For #3050 2021-11-15 18:50:28 +08:00			`return redirect('/login');`
Refactored confirm actions to their own controller 2019-08-18 17:47:59 +08:00			`}`

			`/**`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`* Resend the confirmation email.`
Refactored confirm actions to their own controller 2019-08-18 17:47:59 +08:00			`*/`
			`public function resend(Request $request)`
			`{`
			`$this->validate($request, [`
Standardised laravel validation to be array based Converted from string-only-based validation. Array based validation works nicer once you have validation classess or advanced validation options. 2021-11-05 08:26:55 +08:00			`'email' => ['required', 'email', 'exists:users,email'],`
Refactored confirm actions to their own controller 2019-08-18 17:47:59 +08:00			`]);`
			`$user = $this->userRepo->getByEmail($request->get('email'));`

			`try {`
			`$this->emailConfirmationService->sendConfirmation($user);`
			`} catch (Exception $e) {`
Entity Repo & Controller Refactor (#1690) * Started mass-refactoring of the current entity repos * Rewrote book tree logic - Now does two simple queries instead of one really complex one. - Extracted logic into its own class. - Remove model-level akward union field listing. - Logic now more readable than being large separate query and compilation functions. * Extracted and split book sort logic * Finished up Book controller/repo organisation * Refactored bookshelves controllers and repo parts * Fixed issues found via phpunit * Refactored Chapter controller * Updated Chapter export controller * Started Page controller/repo refactor * Refactored another chunk of PageController * Completed initial pagecontroller refactor pass * Fixed tests and continued reduction of old repos * Removed old page remove and further reduced entity repo * Removed old entity repo, split out page controller * Ran phpcbf and split out some page content methods * Tidied up some EntityProvider elements * Fixed issued caused by viewservice change 2019-10-05 19:55:01 +08:00			`$this->showErrorNotification(trans('auth.email_confirm_send_error'));`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00
Refactored confirm actions to their own controller 2019-08-18 17:47:59 +08:00			`return redirect('/register/confirm');`
			`}`

Entity Repo & Controller Refactor (#1690) * Started mass-refactoring of the current entity repos * Rewrote book tree logic - Now does two simple queries instead of one really complex one. - Extracted logic into its own class. - Remove model-level akward union field listing. - Logic now more readable than being large separate query and compilation functions. * Extracted and split book sort logic * Finished up Book controller/repo organisation * Refactored bookshelves controllers and repo parts * Fixed issues found via phpunit * Refactored Chapter controller * Updated Chapter export controller * Started Page controller/repo refactor * Refactored another chunk of PageController * Completed initial pagecontroller refactor pass * Fixed tests and continued reduction of old repos * Removed old page remove and further reduced entity repo * Removed old entity repo, split out page controller * Ran phpcbf and split out some page content methods * Tidied up some EntityProvider elements * Fixed issued caused by viewservice change 2019-10-05 19:55:01 +08:00			`$this->showSuccessNotification(trans('auth.email_confirm_resent'));`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00
Refactored confirm actions to their own controller 2019-08-18 17:47:59 +08:00			`return redirect('/register/confirm');`
			`}`
			`}`