Update Remote Auth feature, fix custom domain bug and enforce banned …

…domains
pixelfed · Jul 18, 2023 · acabf60 · acabf60
1 parent 780e78f
commit acabf60
Show file tree

Hide file tree

Showing 4 changed files with 65 additions and 5 deletions.
diff --git a/app/Http/Controllers/RemoteAuthController.php b/app/Http/Controllers/RemoteAuthController.php
@@ -7,6 +7,7 @@
 use App\Services\Account\RemoteAuthService;
 use App\Models\RemoteAuth;
 use App\Profile;
+use App\Instance;
 use App\User;
 use Purify;
 use Illuminate\Support\Facades\Auth;
@@ -36,6 +37,8 @@ public function startRedirect(Request $request)
 
     public function getAuthDomains(Request $request)
     {
+        abort_unless(config_cache('pixelfed.open_registration') && config('remote-auth.mastodon.enabled'), 404);
+
         if(config('remote-auth.mastodon.domains.only_custom')) {
             $res = config('remote-auth.mastodon.domains.custom');
             if(!$res || !strlen($res)) {
@@ -45,6 +48,19 @@ public function getAuthDomains(Request $request)
             return response()->json($res);
         }
 
+        if( config('remote-auth.mastodon.domains.custom') &&
+            !config('remote-auth.mastodon.domains.only_default') &&
+            strlen(config('remote-auth.mastodon.domains.custom')) > 3 &&
+            strpos(config('remote-auth.mastodon.domains.custom'), '.') > -1
+        ) {
+            $res = config('remote-auth.mastodon.domains.custom');
+            if(!$res || !strlen($res)) {
+                return [];
+            }
+            $res = explode(',', $res);
+            return response()->json($res);
+        }
+
         $res = config('remote-auth.mastodon.domains.default');
         $res = explode(',', $res);
 
@@ -57,6 +73,27 @@ public function redirect(Request $request)
         $this->validate($request, ['domain' => 'required']);
 
         $domain = $request->input('domain');
+
+        if(str_starts_with(strtolower($domain), 'http')) {
+            $res = [
+                'domain' => $domain,
+                'ready' => false,
+                'action' => 'incompatible_domain'
+            ];
+            return response()->json($res);
+        }
+
+        $validateInstance = Helpers::validateUrl('https://' . $domain . '/?block-check=' . time());
+
+        if(!$validateInstance) {
+             $res = [
+                'domain' => $domain,
+                'ready' => false,
+                'action' => 'blocked_domain'
+            ];
+            return response()->json($res);
+        }
+
         $compatible = RemoteAuthService::isDomainCompatible($domain);
 
         if(!$compatible) {

diff --git a/app/Services/Account/RemoteAuthService.php b/app/Services/Account/RemoteAuthService.php
@@ -12,6 +12,14 @@ class RemoteAuthService
 {
     const CACHE_KEY = 'pf:services:remoteauth:';
 
+    public static function getConfig()
+    {
+        return json_encode([
+            'default_only' => config('remote-auth.mastodon.domains.only_default'),
+            'custom_only' => config('remote-auth.mastodon.domains.only_custom'),
+        ]);
+    }
+
     public static function getMastodonClient($domain)
     {
         if(RemoteAuthInstance::whereDomain($domain)->exists()) {

diff --git a/resources/assets/components/remote-auth/StartComponent.vue b/resources/assets/components/remote-auth/StartComponent.vue
@@ -24,8 +24,8 @@
                         @click="handleRedirect(domain)">
                         <span class="font-weight-bold">{{ domain }}</span>
                     </button>
-                    <hr>
-                    <p class="text-center">
+                    <hr v-if="!config.default_only && !config.custom_only">
+                    <p v-if="!config.default_only && !config.custom_only" class="text-center">
                         <button type="button" class="other-server-btn" @click="handleOther()">Sign-in with a different server</button>
                     </p>
                     <div class="w-100">
@@ -43,6 +43,12 @@
 
 <script type="text/javascript">
     export default {
+        props: {
+            config: {
+                type: Object
+            }
+        },
+
         data() {
             return {
                 loaded: false,
@@ -79,6 +85,11 @@
                         return;
                     }
 
+                    if(res.data.hasOwnProperty('action') && res.data.action === 'blocked_domain') {
+                        swal('Server Blocked', 'This server is blocked by admins and cannot be used, please try another server!', 'error');
+                        return;
+                    }
+
                     if(res.data.ready) {
                         window.location.href = '/auth/raw/mastodon/preflight?d=' + domain + '&dsh=' + res.data.dsh;
                     }
@@ -95,9 +106,13 @@
                   },
                 })
                 .then(domain => {
-                  if (!domain) throw null;
+                  if (!domain || domain.length < 2 || domain.indexOf('.') == -1) {
+                    swal('Oops!', "Please enter a valid domain!", 'error');
+                    return;
+                  };
 
-                  if(domain.startsWith('https://')) {
+                  if(domain.startsWith('http')) {
+                    swal('Oops!', "The domain you enter should not start with http(s://)\nUse the domain format, like mastodon.social", 'error');
                     return;
                   }
 

diff --git a/resources/views/auth/remote/start.blade.php b/resources/views/auth/remote/start.blade.php
@@ -1,7 +1,7 @@
 @extends('layouts.app')
 
 @section('content')
-<remote-auth-start-component />
+<remote-auth-start-component :config='{!!\App\Services\Account\RemoteAuthService::getConfig()!!}'/>
 @endsection
 
 @push('scripts')