bookstack/app/Auth/Access/RegistrationService.php

<?php

namespace BookStack\Auth\Access;

use BookStack\Actions\ActivityType;
use BookStack\Auth\SocialAccount;
use BookStack\Auth\User;
use BookStack\Auth\UserRepo;
use BookStack\Exceptions\UserRegistrationException;
use BookStack\Facades\Activity;
use BookStack\Facades\Theme;
use BookStack\Theming\ThemeEvents;
use Exception;
use Illuminate\Support\Str;

class RegistrationService
{
    protected $userRepo;
    protected $emailConfirmationService;

    /**
     * RegistrationService constructor.
     */
    public function __construct(UserRepo $userRepo, EmailConfirmationService $emailConfirmationService)
    {
        $this->userRepo = $userRepo;
        $this->emailConfirmationService = $emailConfirmationService;
    }

    /**
     * Check whether or not registrations are allowed in the app settings.
     *
     * @throws UserRegistrationException
     */
    public function ensureRegistrationAllowed()
    {
        if (!$this->registrationAllowed()) {
            throw new UserRegistrationException(trans('auth.registrations_disabled'), '/login');
        }
    }

    /**
     * Check if standard BookStack User registrations are currently allowed.
     * Does not prevent external-auth based registration.
     */
    protected function registrationAllowed(): bool
    {
        $authMethod = config('auth.method');
        $authMethodsWithRegistration = ['standard'];

        return in_array($authMethod, $authMethodsWithRegistration) && setting('registration-enabled');
    }

    /**
     * Attempt to find a user in the system otherwise register them as a new
     * user. For use with external auth systems since password is auto-generated.
     *
     * @throws UserRegistrationException
     */
    public function findOrRegister(string $name, string $email, string $externalId): User
    {
        $user = User::query()
            ->where('external_auth_id', '=', $externalId)
            ->first();

        if (is_null($user)) {
            $userData = [
                'name'             => $name,
                'email'            => $email,
                'password'         => Str::random(32),
                'external_auth_id' => $externalId,
            ];

            $user = $this->registerUser($userData, null, false);
        }

        return $user;
    }

    /**
     * The registrations flow for all users.
     *
     * @throws UserRegistrationException
     */
    public function registerUser(array $userData, ?SocialAccount $socialAccount = null, bool $emailConfirmed = false): User
    {
        $userEmail = $userData['email'];

        // Email restriction
        $this->ensureEmailDomainAllowed($userEmail);

        // Ensure user does not already exist
        $alreadyUser = !is_null($this->userRepo->getByEmail($userEmail));
        if ($alreadyUser) {
            throw new UserRegistrationException(trans('errors.error_user_exists_different_creds', ['email' => $userEmail]), '/login');
        }

        // Create the user
        $newUser = $this->userRepo->createWithoutActivity($userData, $emailConfirmed);
        $newUser->attachDefaultRole();

        // Assign social account if given
        if ($socialAccount) {
            $newUser->socialAccounts()->save($socialAccount);
        }

        Activity::add(ActivityType::AUTH_REGISTER, $socialAccount ?? $newUser);
        Theme::dispatch(ThemeEvents::AUTH_REGISTER, $socialAccount ? $socialAccount->driver : auth()->getDefaultDriver(), $newUser);

        // Start email confirmation flow if required
        if ($this->emailConfirmationService->confirmationRequired() && !$emailConfirmed) {
            $newUser->save();

            try {
                $this->emailConfirmationService->sendConfirmation($newUser);
                session()->flash('sent-email-confirmation', true);
            } catch (Exception $e) {
                $message = trans('auth.email_confirm_send_error');

                throw new UserRegistrationException($message, '/register/confirm');
            }
        }

        return $newUser;
    }

    /**
     * Ensure that the given email meets any active email domain registration restrictions.
     * Throws if restrictions are active and the email does not match an allowed domain.
     *
     * @throws UserRegistrationException
     */
    protected function ensureEmailDomainAllowed(string $userEmail): void
    {
        $registrationRestrict = setting('registration-restrict');

        if (!$registrationRestrict) {
            return;
        }

        $restrictedEmailDomains = explode(',', str_replace(' ', '', $registrationRestrict));
        $userEmailDomain = $domain = mb_substr(mb_strrchr($userEmail, '@'), 1);
        if (!in_array($userEmailDomain, $restrictedEmailDomains)) {
            $redirect = $this->registrationAllowed() ? '/register' : '/login';

            throw new UserRegistrationException(trans('auth.registration_email_domain_invalid'), $redirect);
        }
    }
}
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`<?php`

			`namespace BookStack\Auth\Access;`
Moved socal auth routes to their own controller Also cleaned some phpdocs and extracted register actions to their own service. 2020-01-26 22:42:50 +08:00
Implemented remainder of activity types Also fixed audit log to work for non-entity items. 2020-11-21 03:33:11 +08:00			`use BookStack\Actions\ActivityType;`
Moved socal auth routes to their own controller Also cleaned some phpdocs and extracted register actions to their own service. 2020-01-26 22:42:50 +08:00			`use BookStack\Auth\SocialAccount;`
Checked over and aligned registration option behavior across all auth options - Added tests to cover 2020-02-03 01:31:00 +08:00			`use BookStack\Auth\User;`
Moved socal auth routes to their own controller Also cleaned some phpdocs and extracted register actions to their own service. 2020-01-26 22:42:50 +08:00			`use BookStack\Auth\UserRepo;`
			`use BookStack\Exceptions\UserRegistrationException;`
Implemented remainder of activity types Also fixed audit log to work for non-entity items. 2020-11-21 03:33:11 +08:00			`use BookStack\Facades\Activity;`
Added login/register theme events 2021-03-20 05:54:50 +08:00			`use BookStack\Facades\Theme;`
			`use BookStack\Theming\ThemeEvents;`
Moved socal auth routes to their own controller Also cleaned some phpdocs and extracted register actions to their own service. 2020-01-26 22:42:50 +08:00			`use Exception;`
Continued review of #2169 - Removed uneeded custom refresh or logout actions for OIDC. - Restructured how the services and guards are setup for external auth systems. SAML2 and OIDC now directly share a lot more logic. - Renamed any OpenId references to OIDC or OpenIdConnect - Removed non-required CSRF excemption for OIDC Not tested, Come to roadblock due to lack of PHP8 support in upstream dependancies. Certificate was deemed to be non-valid on every test attempt due to changes in PHP8. 2021-10-07 06:05:26 +08:00			`use Illuminate\Support\Str;`
Moved socal auth routes to their own controller Also cleaned some phpdocs and extracted register actions to their own service. 2020-01-26 22:42:50 +08:00
			`class RegistrationService`
			`{`
			`protected $userRepo;`
			`protected $emailConfirmationService;`

			`/**`
			`* RegistrationService constructor.`
			`*/`
			`public function __construct(UserRepo $userRepo, EmailConfirmationService $emailConfirmationService)`
			`{`
			`$this->userRepo = $userRepo;`
			`$this->emailConfirmationService = $emailConfirmationService;`
			`}`

			`/**`
			`* Check whether or not registrations are allowed in the app settings.`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`*`
Moved socal auth routes to their own controller Also cleaned some phpdocs and extracted register actions to their own service. 2020-01-26 22:42:50 +08:00			`* @throws UserRegistrationException`
			`*/`
Checked over and aligned registration option behavior across all auth options - Added tests to cover 2020-02-03 01:31:00 +08:00			`public function ensureRegistrationAllowed()`
Moved socal auth routes to their own controller Also cleaned some phpdocs and extracted register actions to their own service. 2020-01-26 22:42:50 +08:00			`{`
Checked over and aligned registration option behavior across all auth options - Added tests to cover 2020-02-03 01:31:00 +08:00			`if (!$this->registrationAllowed()) {`
Moved socal auth routes to their own controller Also cleaned some phpdocs and extracted register actions to their own service. 2020-01-26 22:42:50 +08:00			`throw new UserRegistrationException(trans('auth.registrations_disabled'), '/login');`
			`}`
			`}`

Checked over and aligned registration option behavior across all auth options - Added tests to cover 2020-02-03 01:31:00 +08:00			`/**`
			`* Check if standard BookStack User registrations are currently allowed.`
			`* Does not prevent external-auth based registration.`
			`*/`
			`protected function registrationAllowed(): bool`
			`{`
			`$authMethod = config('auth.method');`
			`$authMethodsWithRegistration = ['standard'];`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00
Checked over and aligned registration option behavior across all auth options - Added tests to cover 2020-02-03 01:31:00 +08:00			`return in_array($authMethod, $authMethodsWithRegistration) && setting('registration-enabled');`
			`}`

Continued review of #2169 - Removed uneeded custom refresh or logout actions for OIDC. - Restructured how the services and guards are setup for external auth systems. SAML2 and OIDC now directly share a lot more logic. - Renamed any OpenId references to OIDC or OpenIdConnect - Removed non-required CSRF excemption for OIDC Not tested, Come to roadblock due to lack of PHP8 support in upstream dependancies. Certificate was deemed to be non-valid on every test attempt due to changes in PHP8. 2021-10-07 06:05:26 +08:00			`/**`
			`* Attempt to find a user in the system otherwise register them as a new`
			`* user. For use with external auth systems since password is auto-generated.`
Applied latest styles changes from style CI 2021-10-16 23:01:59 +08:00			`*`
Continued review of #2169 - Removed uneeded custom refresh or logout actions for OIDC. - Restructured how the services and guards are setup for external auth systems. SAML2 and OIDC now directly share a lot more logic. - Renamed any OpenId references to OIDC or OpenIdConnect - Removed non-required CSRF excemption for OIDC Not tested, Come to roadblock due to lack of PHP8 support in upstream dependancies. Certificate was deemed to be non-valid on every test attempt due to changes in PHP8. 2021-10-07 06:05:26 +08:00			`* @throws UserRegistrationException`
			`*/`
			`public function findOrRegister(string $name, string $email, string $externalId): User`
			`{`
			`$user = User::query()`
			`->where('external_auth_id', '=', $externalId)`
			`->first();`

			`if (is_null($user)) {`
			`$userData = [`
			`'name' => $name,`
			`'email' => $email,`
			`'password' => Str::random(32),`
			`'external_auth_id' => $externalId,`
			`];`

			`$user = $this->registerUser($userData, null, false);`
			`}`

			`return $user;`
			`}`

Moved socal auth routes to their own controller Also cleaned some phpdocs and extracted register actions to their own service. 2020-01-26 22:42:50 +08:00			`/**`
			`* The registrations flow for all users.`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`*`
Moved socal auth routes to their own controller Also cleaned some phpdocs and extracted register actions to their own service. 2020-01-26 22:42:50 +08:00			`* @throws UserRegistrationException`
			`*/`
Checked over and aligned registration option behavior across all auth options - Added tests to cover 2020-02-03 01:31:00 +08:00			`public function registerUser(array $userData, ?SocialAccount $socialAccount = null, bool $emailConfirmed = false): User`
Moved socal auth routes to their own controller Also cleaned some phpdocs and extracted register actions to their own service. 2020-01-26 22:42:50 +08:00			`{`
Checked over and aligned registration option behavior across all auth options - Added tests to cover 2020-02-03 01:31:00 +08:00			`$userEmail = $userData['email'];`
Moved socal auth routes to their own controller Also cleaned some phpdocs and extracted register actions to their own service. 2020-01-26 22:42:50 +08:00
Checked over and aligned registration option behavior across all auth options - Added tests to cover 2020-02-03 01:31:00 +08:00			`// Email restriction`
			`$this->ensureEmailDomainAllowed($userEmail);`

			`// Ensure user does not already exist`
			`$alreadyUser = !is_null($this->userRepo->getByEmail($userEmail));`
			`if ($alreadyUser) {`
Fixed issue where SAML login not notifiy on existing user Added testing to cover Fixes #2263 2020-09-26 23:43:06 +08:00			`throw new UserRegistrationException(trans('errors.error_user_exists_different_creds', ['email' => $userEmail]), '/login');`
Moved socal auth routes to their own controller Also cleaned some phpdocs and extracted register actions to their own service. 2020-01-26 22:42:50 +08:00			`}`

Checked over and aligned registration option behavior across all auth options - Added tests to cover 2020-02-03 01:31:00 +08:00			`// Create the user`
Added user-create API endpoint - Required extracting logic into repo. - Changed some existing creation paths to standardise behaviour. - Added test to cover new endpoint. - Added extra test for user delete to test migration. - Changed how permission errors are thrown to ensure the right status code can be reported when handled in API. 2022-02-04 08:26:19 +08:00			`$newUser = $this->userRepo->createWithoutActivity($userData, $emailConfirmed);`
			`$newUser->attachDefaultRole();`
Moved socal auth routes to their own controller Also cleaned some phpdocs and extracted register actions to their own service. 2020-01-26 22:42:50 +08:00
Checked over and aligned registration option behavior across all auth options - Added tests to cover 2020-02-03 01:31:00 +08:00			`// Assign social account if given`
Moved socal auth routes to their own controller Also cleaned some phpdocs and extracted register actions to their own service. 2020-01-26 22:42:50 +08:00			`if ($socialAccount) {`
			`$newUser->socialAccounts()->save($socialAccount);`
			`}`

Implemented remainder of activity types Also fixed audit log to work for non-entity items. 2020-11-21 03:33:11 +08:00			`Activity::add(ActivityType::AUTH_REGISTER, $socialAccount ?? $newUser);`
Added login/register theme events 2021-03-20 05:54:50 +08:00			`Theme::dispatch(ThemeEvents::AUTH_REGISTER, $socialAccount ? $socialAccount->driver : auth()->getDefaultDriver(), $newUser);`
Implemented remainder of activity types Also fixed audit log to work for non-entity items. 2020-11-21 03:33:11 +08:00
Checked over and aligned registration option behavior across all auth options - Added tests to cover 2020-02-03 01:31:00 +08:00			`// Start email confirmation flow if required`
			`if ($this->emailConfirmationService->confirmationRequired() && !$emailConfirmed) {`
Moved socal auth routes to their own controller Also cleaned some phpdocs and extracted register actions to their own service. 2020-01-26 22:42:50 +08:00			`$newUser->save();`

			`try {`
			`$this->emailConfirmationService->sendConfirmation($newUser);`
Updated flow to ensure /register/confirm route is used where needed Was accidentally skipped during previous updates. Will now be used on saml, ldap & standard registration where required. Uses session to know if the email was just sent and, if so, show the confirmation route. 2020-09-06 00:26:48 +08:00			`session()->flash('sent-email-confirmation', true);`
Moved socal auth routes to their own controller Also cleaned some phpdocs and extracted register actions to their own service. 2020-01-26 22:42:50 +08:00			`} catch (Exception $e) {`
			`$message = trans('auth.email_confirm_send_error');`
Apply fixes from StyleCI 2021-08-21 22:49:40 +08:00
Prevented email confirmation exception throw on registration Was preventing any other registration actions from taking place such as LDAP/SAML group sync. Email confirmation should be actioned by middleware on post-registration redirect. Added testing to cover. Tested for LDAP, SAML and normal registration with email confirmation required to ensure flows work as expected. Fixes #2082 2020-08-05 00:54:50 +08:00			`throw new UserRegistrationException($message, '/register/confirm');`
Moved socal auth routes to their own controller Also cleaned some phpdocs and extracted register actions to their own service. 2020-01-26 22:42:50 +08:00			`}`
			`}`

Checked over and aligned registration option behavior across all auth options - Added tests to cover 2020-02-03 01:31:00 +08:00			`return $newUser;`
			`}`

			`/**`
			`* Ensure that the given email meets any active email domain registration restrictions.`
			`* Throws if restrictions are active and the email does not match an allowed domain.`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`*`
Checked over and aligned registration option behavior across all auth options - Added tests to cover 2020-02-03 01:31:00 +08:00			`* @throws UserRegistrationException`
			`*/`
			`protected function ensureEmailDomainAllowed(string $userEmail): void`
			`{`
			`$registrationRestrict = setting('registration-restrict');`

			`if (!$registrationRestrict) {`
			`return;`
			`}`

			`$restrictedEmailDomains = explode(',', str_replace(' ', '', $registrationRestrict));`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`$userEmailDomain = $domain = mb_substr(mb_strrchr($userEmail, '@'), 1);`
Checked over and aligned registration option behavior across all auth options - Added tests to cover 2020-02-03 01:31:00 +08:00			`if (!in_array($userEmailDomain, $restrictedEmailDomains)) {`
			`$redirect = $this->registrationAllowed() ? '/register' : '/login';`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00
Checked over and aligned registration option behavior across all auth options - Added tests to cover 2020-02-03 01:31:00 +08:00			`throw new UserRegistrationException(trans('auth.registration_email_domain_invalid'), $redirect);`
			`}`
			`}`
Ran phpcbf and updated phpcs.xml 2021-03-08 06:24:05 +08:00			`}`