From 006eb97f670116fc4345e069d79522fb38a15468 Mon Sep 17 00:00:00 2001
From: Matteo Gheza <matteo.gheza07@gmail.com>
Date: Mon, 4 Sep 2023 14:00:49 +0200
Subject: [PATCH] Improve auth process

---
 .../app/Http/Controllers/AuthController.php   |  59 +++---
 backend/config/app.php                        |   2 +-
 backend/lang/en/auth.php                      |  20 ++
 backend/lang/en/pagination.php                |  19 ++
 backend/lang/en/validation.php                | 185 ++++++++++++++++++
 backend/lang/it/auth.php                      |   7 +
 backend/lang/it/validation.php                |   8 +
 frontend/src/app/_services/auth.service.ts    |   5 +-
 8 files changed, 275 insertions(+), 30 deletions(-)
 create mode 100644 backend/lang/en/auth.php
 create mode 100644 backend/lang/en/pagination.php
 create mode 100644 backend/lang/en/validation.php
 create mode 100644 backend/lang/it/auth.php
 create mode 100644 backend/lang/it/validation.php

diff --git a/backend/app/Http/Controllers/AuthController.php b/backend/app/Http/Controllers/AuthController.php
index ee0a1a4..d2d7fe2 100644
--- a/backend/app/Http/Controllers/AuthController.php
+++ b/backend/app/Http/Controllers/AuthController.php
@@ -5,6 +5,7 @@ namespace App\Http\Controllers;
 use App\Models\User;
 use Illuminate\Support\Facades\Auth;
 use Illuminate\Support\Facades\Hash;
+use Illuminate\Validation\ValidationException;
 use Illuminate\Http\Request;
 use App\Utils\Logger;
 
@@ -39,21 +40,35 @@ class AuthController extends Controller
 
     public function login(Request $request)
     {
-        if (!Auth::attempt($request->only('username', 'password'))) {
-            return response()->json([
-                'message' => 'Invalid login details'
-            ], 401);
-        }
+        $request->validate([
+			'username' => 'required|string|exists:users,username|max:255',
+			'password' => 'required',
+		]);
+
+		$user = User::where('username', $request->username)->first();
+
+		if (! $user || ! Hash::check($request->password, $user->password)) {
+			throw ValidationException::withMessages([
+				'username' => ['Credenziali inserite non valide.'],
+			]);
+		}
 
         $user = User::where('username', $request['username'])->firstOrFail();
 
-        $token = $user->createToken('auth_token')->plainTextToken;
+        if($request->input('use_sessions', false)) {
+            $request->session()->regenerate();
+            auth()->guard('api')->login($user);
+            $token = null;
+        } else {
+            $token = $user->createToken('auth_token')->plainTextToken;
+        }
 
         Logger::log("Login", $user, $user);
 
         return response()->json([
             'access_token' => $token,
             'token_type' => 'Bearer',
+            'auth_type' => is_null($token) ? 'session' : 'token'
         ]);
     }
 
@@ -61,28 +76,18 @@ class AuthController extends Controller
     {
         Logger::log("Logout");
 
-        auth()->guard('api')->logout();
-        $request->session()->invalidate();
-        $request->session()->regenerateToken();
+        if(
+            method_exists($request->user(), 'currentAccessToken') &&
+            method_exists($request->user()->currentAccessToken(), 'delete')
+        ) {
+            $request->user()->currentAccessToken()->delete();
+        } else {
+            auth()->guard('api')->logout();
+            $request->session()->invalidate();
+            $request->session()->regenerateToken();
+        }
 
-        /**
-         * Only works with cookie auth, Laravel authentication sucks
-         * I just want to auth users in the webapp using cookies and
-         * using Bearer tokens when making API calls from outside the frontend
-         * (for example mobile apps, external clients etc.)
-         * but it's not possible without a lot of hacks.
-         * Even this way, it doesn't work 100% well, with random 419 errors
-         * and other stuff.
-         * I'm wasting too much time on this.
-         * Users are authenticated, that's enough for now.
-         * Logout doesn't work very well even this cookies to be honest.
-         * I'm not sure if it's a Laravel bug or what.
-         * I don't know, I should ask online.
-         * 
-         * TODO: https://github.com/laravel/sanctum/issues/80
-         */
-
-        return;
+		return response()->json(null, 200);
     }
 
     public function me(Request $request)
diff --git a/backend/config/app.php b/backend/config/app.php
index 1f40070..faa2518 100644
--- a/backend/config/app.php
+++ b/backend/config/app.php
@@ -82,7 +82,7 @@ return [
     |
     */
 
-    'locale' => 'en',
+    'locale' => env('APP_LOCALE', 'it'),
 
     /*
     |--------------------------------------------------------------------------
diff --git a/backend/lang/en/auth.php b/backend/lang/en/auth.php
new file mode 100644
index 0000000..6598e2c
--- /dev/null
+++ b/backend/lang/en/auth.php
@@ -0,0 +1,20 @@
+<?php
+
+return [
+
+    /*
+    |--------------------------------------------------------------------------
+    | Authentication Language Lines
+    |--------------------------------------------------------------------------
+    |
+    | The following language lines are used during authentication for various
+    | messages that we need to display to the user. You are free to modify
+    | these language lines according to your application's requirements.
+    |
+    */
+
+    'failed' => 'These credentials do not match our records.',
+    'password' => 'The provided password is incorrect.',
+    'throttle' => 'Too many login attempts. Please try again in :seconds seconds.',
+
+];
diff --git a/backend/lang/en/pagination.php b/backend/lang/en/pagination.php
new file mode 100644
index 0000000..d481411
--- /dev/null
+++ b/backend/lang/en/pagination.php
@@ -0,0 +1,19 @@
+<?php
+
+return [
+
+    /*
+    |--------------------------------------------------------------------------
+    | Pagination Language Lines
+    |--------------------------------------------------------------------------
+    |
+    | The following language lines are used by the paginator library to build
+    | the simple pagination links. You are free to change them to anything
+    | you want to customize your views to better match your application.
+    |
+    */
+
+    'previous' => '&laquo; Previous',
+    'next' => 'Next &raquo;',
+
+];
diff --git a/backend/lang/en/validation.php b/backend/lang/en/validation.php
new file mode 100644
index 0000000..4f8f726
--- /dev/null
+++ b/backend/lang/en/validation.php
@@ -0,0 +1,185 @@
+<?php
+
+return [
+
+    /*
+    |--------------------------------------------------------------------------
+    | Validation Language Lines
+    |--------------------------------------------------------------------------
+    |
+    | The following language lines contain the default error messages used by
+    | the validator class. Some of these rules have multiple versions such
+    | as the size rules. Feel free to tweak each of these messages here.
+    |
+    */
+
+    'accepted' => 'The :attribute field must be accepted.',
+    'accepted_if' => 'The :attribute field must be accepted when :other is :value.',
+    'active_url' => 'The :attribute field must be a valid URL.',
+    'after' => 'The :attribute field must be a date after :date.',
+    'after_or_equal' => 'The :attribute field must be a date after or equal to :date.',
+    'alpha' => 'The :attribute field must only contain letters.',
+    'alpha_dash' => 'The :attribute field must only contain letters, numbers, dashes, and underscores.',
+    'alpha_num' => 'The :attribute field must only contain letters and numbers.',
+    'array' => 'The :attribute field must be an array.',
+    'ascii' => 'The :attribute field must only contain single-byte alphanumeric characters and symbols.',
+    'before' => 'The :attribute field must be a date before :date.',
+    'before_or_equal' => 'The :attribute field must be a date before or equal to :date.',
+    'between' => [
+        'array' => 'The :attribute field must have between :min and :max items.',
+        'file' => 'The :attribute field must be between :min and :max kilobytes.',
+        'numeric' => 'The :attribute field must be between :min and :max.',
+        'string' => 'The :attribute field must be between :min and :max characters.',
+    ],
+    'boolean' => 'The :attribute field must be true or false.',
+    'can' => 'The :attribute field contains an unauthorized value.',
+    'confirmed' => 'The :attribute field confirmation does not match.',
+    'current_password' => 'The password is incorrect.',
+    'date' => 'The :attribute field must be a valid date.',
+    'date_equals' => 'The :attribute field must be a date equal to :date.',
+    'date_format' => 'The :attribute field must match the format :format.',
+    'decimal' => 'The :attribute field must have :decimal decimal places.',
+    'declined' => 'The :attribute field must be declined.',
+    'declined_if' => 'The :attribute field must be declined when :other is :value.',
+    'different' => 'The :attribute field and :other must be different.',
+    'digits' => 'The :attribute field must be :digits digits.',
+    'digits_between' => 'The :attribute field must be between :min and :max digits.',
+    'dimensions' => 'The :attribute field has invalid image dimensions.',
+    'distinct' => 'The :attribute field has a duplicate value.',
+    'doesnt_end_with' => 'The :attribute field must not end with one of the following: :values.',
+    'doesnt_start_with' => 'The :attribute field must not start with one of the following: :values.',
+    'email' => 'The :attribute field must be a valid email address.',
+    'ends_with' => 'The :attribute field must end with one of the following: :values.',
+    'enum' => 'The selected :attribute is invalid.',
+    'exists' => 'The selected :attribute is invalid.',
+    'file' => 'The :attribute field must be a file.',
+    'filled' => 'The :attribute field must have a value.',
+    'gt' => [
+        'array' => 'The :attribute field must have more than :value items.',
+        'file' => 'The :attribute field must be greater than :value kilobytes.',
+        'numeric' => 'The :attribute field must be greater than :value.',
+        'string' => 'The :attribute field must be greater than :value characters.',
+    ],
+    'gte' => [
+        'array' => 'The :attribute field must have :value items or more.',
+        'file' => 'The :attribute field must be greater than or equal to :value kilobytes.',
+        'numeric' => 'The :attribute field must be greater than or equal to :value.',
+        'string' => 'The :attribute field must be greater than or equal to :value characters.',
+    ],
+    'image' => 'The :attribute field must be an image.',
+    'in' => 'The selected :attribute is invalid.',
+    'in_array' => 'The :attribute field must exist in :other.',
+    'integer' => 'The :attribute field must be an integer.',
+    'ip' => 'The :attribute field must be a valid IP address.',
+    'ipv4' => 'The :attribute field must be a valid IPv4 address.',
+    'ipv6' => 'The :attribute field must be a valid IPv6 address.',
+    'json' => 'The :attribute field must be a valid JSON string.',
+    'lowercase' => 'The :attribute field must be lowercase.',
+    'lt' => [
+        'array' => 'The :attribute field must have less than :value items.',
+        'file' => 'The :attribute field must be less than :value kilobytes.',
+        'numeric' => 'The :attribute field must be less than :value.',
+        'string' => 'The :attribute field must be less than :value characters.',
+    ],
+    'lte' => [
+        'array' => 'The :attribute field must not have more than :value items.',
+        'file' => 'The :attribute field must be less than or equal to :value kilobytes.',
+        'numeric' => 'The :attribute field must be less than or equal to :value.',
+        'string' => 'The :attribute field must be less than or equal to :value characters.',
+    ],
+    'mac_address' => 'The :attribute field must be a valid MAC address.',
+    'max' => [
+        'array' => 'The :attribute field must not have more than :max items.',
+        'file' => 'The :attribute field must not be greater than :max kilobytes.',
+        'numeric' => 'The :attribute field must not be greater than :max.',
+        'string' => 'The :attribute field must not be greater than :max characters.',
+    ],
+    'max_digits' => 'The :attribute field must not have more than :max digits.',
+    'mimes' => 'The :attribute field must be a file of type: :values.',
+    'mimetypes' => 'The :attribute field must be a file of type: :values.',
+    'min' => [
+        'array' => 'The :attribute field must have at least :min items.',
+        'file' => 'The :attribute field must be at least :min kilobytes.',
+        'numeric' => 'The :attribute field must be at least :min.',
+        'string' => 'The :attribute field must be at least :min characters.',
+    ],
+    'min_digits' => 'The :attribute field must have at least :min digits.',
+    'missing' => 'The :attribute field must be missing.',
+    'missing_if' => 'The :attribute field must be missing when :other is :value.',
+    'missing_unless' => 'The :attribute field must be missing unless :other is :value.',
+    'missing_with' => 'The :attribute field must be missing when :values is present.',
+    'missing_with_all' => 'The :attribute field must be missing when :values are present.',
+    'multiple_of' => 'The :attribute field must be a multiple of :value.',
+    'not_in' => 'The selected :attribute is invalid.',
+    'not_regex' => 'The :attribute field format is invalid.',
+    'numeric' => 'The :attribute field must be a number.',
+    'password' => [
+        'letters' => 'The :attribute field must contain at least one letter.',
+        'mixed' => 'The :attribute field must contain at least one uppercase and one lowercase letter.',
+        'numbers' => 'The :attribute field must contain at least one number.',
+        'symbols' => 'The :attribute field must contain at least one symbol.',
+        'uncompromised' => 'The given :attribute has appeared in a data leak. Please choose a different :attribute.',
+    ],
+    'present' => 'The :attribute field must be present.',
+    'prohibited' => 'The :attribute field is prohibited.',
+    'prohibited_if' => 'The :attribute field is prohibited when :other is :value.',
+    'prohibited_unless' => 'The :attribute field is prohibited unless :other is in :values.',
+    'prohibits' => 'The :attribute field prohibits :other from being present.',
+    'regex' => 'The :attribute field format is invalid.',
+    'required' => 'The :attribute field is required.',
+    'required_array_keys' => 'The :attribute field must contain entries for: :values.',
+    'required_if' => 'The :attribute field is required when :other is :value.',
+    'required_if_accepted' => 'The :attribute field is required when :other is accepted.',
+    'required_unless' => 'The :attribute field is required unless :other is in :values.',
+    'required_with' => 'The :attribute field is required when :values is present.',
+    'required_with_all' => 'The :attribute field is required when :values are present.',
+    'required_without' => 'The :attribute field is required when :values is not present.',
+    'required_without_all' => 'The :attribute field is required when none of :values are present.',
+    'same' => 'The :attribute field must match :other.',
+    'size' => [
+        'array' => 'The :attribute field must contain :size items.',
+        'file' => 'The :attribute field must be :size kilobytes.',
+        'numeric' => 'The :attribute field must be :size.',
+        'string' => 'The :attribute field must be :size characters.',
+    ],
+    'starts_with' => 'The :attribute field must start with one of the following: :values.',
+    'string' => 'The :attribute field must be a string.',
+    'timezone' => 'The :attribute field must be a valid timezone.',
+    'unique' => 'The :attribute has already been taken.',
+    'uploaded' => 'The :attribute failed to upload.',
+    'uppercase' => 'The :attribute field must be uppercase.',
+    'url' => 'The :attribute field must be a valid URL.',
+    'ulid' => 'The :attribute field must be a valid ULID.',
+    'uuid' => 'The :attribute field must be a valid UUID.',
+
+    /*
+    |--------------------------------------------------------------------------
+    | Custom Validation Language Lines
+    |--------------------------------------------------------------------------
+    |
+    | Here you may specify custom validation messages for attributes using the
+    | convention "attribute.rule" to name the lines. This makes it quick to
+    | specify a specific custom language line for a given attribute rule.
+    |
+    */
+
+    'custom' => [
+        'attribute-name' => [
+            'rule-name' => 'custom-message',
+        ],
+    ],
+
+    /*
+    |--------------------------------------------------------------------------
+    | Custom Validation Attributes
+    |--------------------------------------------------------------------------
+    |
+    | The following language lines are used to swap our attribute placeholder
+    | with something more reader friendly such as "E-Mail Address" instead
+    | of "email". This simply helps us make our message more expressive.
+    |
+    */
+
+    'attributes' => [],
+
+];
diff --git a/backend/lang/it/auth.php b/backend/lang/it/auth.php
new file mode 100644
index 0000000..5ee4f95
--- /dev/null
+++ b/backend/lang/it/auth.php
@@ -0,0 +1,7 @@
+<?php
+
+return [
+    'failed' => 'Queste credenziali non corrispondono a quelle registrate.',
+    'password' => 'La password inserita non è corretta.',
+    'throttle' => 'Troppi tentativi di accesso. Riprova tra :seconds secondi.'
+];
diff --git a/backend/lang/it/validation.php b/backend/lang/it/validation.php
new file mode 100644
index 0000000..131692e
--- /dev/null
+++ b/backend/lang/it/validation.php
@@ -0,0 +1,8 @@
+<?php
+
+return [
+    "required" => "Il campo :attribute è richiesto.",
+    "unique" => "Il campo :attribute deve essere unico.",
+    "email" => "Il campo :attribute deve essere un indirizzo email valido.",
+    "exists" => "Il campo :attribute non esiste."
+];
diff --git a/frontend/src/app/_services/auth.service.ts b/frontend/src/app/_services/auth.service.ts
index 3484b3c..8b388b3 100644
--- a/frontend/src/app/_services/auth.service.ts
+++ b/frontend/src/app/_services/auth.service.ts
@@ -67,7 +67,8 @@ export class AuthService {
             this.api.get("csrf-cookie").then((data: any) => {
                 this.api.post("login", {
                     username: username,
-                    password: password
+                    password: password,
+                    use_sessions: true
                 }).then((data: any) => {
                     this.loadProfile().then(() => {
                         resolve({
@@ -82,7 +83,7 @@ export class AuthService {
                     });
                 }).catch((err) => {
                     let error_message = "";
-                    if(err.status === 401) {
+                    if(err.status === 401 || err.status === 422) {
                         error_message = err.error.message;
                     } else if (err.status === 400) {
                         let error_messages = err.error.errors;