LoginFilter messes with get's token parameter (reset-password) #94

Closed
fefo-p opened this issue Sep 1, 2019 · 3 comments

@fefo-p
Contributor

fefo-p commented Sep 1, 2019

Scenario:

  • Login filter is applied globally (in App\Config\Filters)
  • LoginFilter's before($request) method avoids checking for logged in user when route is login, forgot or reset-password
  • App is set to send emails with the token code when a user wants to reset his password

So far, everything works as expected. But, when I click on the reset form link (http://whatever.com/reset-password?token=e6290a3d8d156339963092e08228f039) I keep being redirected to login form.
Routes work as expected too. If, for instance, I write the URL like http://whatever.com/reset-password I get the reset-password form OK.
If I write the URL like http://whatever.com/reset-password? it works fine too.
And so on...
...until I write http://whatever.com/reset-password?token=
Then, it redirects to login form. Whatever I write after the = sign makes no difference.

Now, if I log-in, I am redirected to the reset-password form and the token input field gets populated just fine.

Tried d($request) first thing inside the before() method of LoginFilter and URL is fine.
But when I d($request) after the current_url() check and before the return, d($request) shows /login as the URL

Also, if I get rid of the global login filter, everything works as expected.

Any ideas?

@lonnieezell
Owner

Could you provide your filter setup? I'll have to dig into it but would like that additional info to make sure we're on the same page.

@fefo-p
Contributor Author

fefo-p commented Sep 5, 2019

\App\Config\Filters

class Filters extends BaseConfig
{
	// Makes reading things below nicer,
	// and simpler to change out script that's used.
	public $aliases = [
		'csrf'       => \CodeIgniter\Filters\CSRF::class,
		'toolbar'    => \CodeIgniter\Filters\DebugToolbar::class,
		'honeypot'   => \CodeIgniter\Filters\Honeypot::class,
		'login'      => \Myth\Auth\Filters\LoginFilter::class,
		'role'       => \Myth\Auth\Filters\RoleFilter::class,
		'permission' => \Myth\Auth\Filters\PermissionFilter::class,
	];

	// Always applied before every request
	public $globals = [
		'before' => [
			'honeypot',
			// 'csrf',
			'login',
		],
		'after'  => [
			'toolbar',
			'honeypot',
		],
	];

\App\Config\Routes

// Create a new instance of our RouteCollection class.
$routes = Services::routes(true);

// Load the system's routing file first, so that the app and ENVIRONMENT
// can override as needed.
if (file_exists(SYSTEMPATH . 'Config/Routes.php'))
{
	require SYSTEMPATH . 'Config/Routes.php';
}

// Load the Myth's routing file first, so that the app and ENVIRONMENT
// can override as needed.
if (file_exists(APPPATH . '../vendor/myth/auth/src/Config/Routes.php'))
{
	require APPPATH . '../vendor/myth/auth/src/Config/Routes.php';
}

/* -------------------------------------------------------------------------------------------------------*/
/* -------------------------------------------------------------------------------------------------------*/
/* -----------------------A D M I N I S T R A T O R     P R I V I L E G E S ------------------------------*/
/* -------------------------------------------------------------------------------------------------------*/
/* -------------------------------------------------------------------------------------------------------*/

$routes->group('', ['filter' => 'role:admin,superadmin'], function ($routes) {
	// User administration
	$routes->get('users', 'Admin::index', ['as' => 'user-administration']);

	// User registration
	$routes->get('register', '\Myth\Auth\Controllers\AuthController::register', ['as' => 'user-registration']);
	$routes->post('register', '\Myth\Auth\Controllers\AuthController::attemptRegister');

	// Group registration
	$routes->get('groupRegister', 'Admin::addGroup', ['as' => 'group-registration']);
	$routes->post('groupRegister', 'Admin::attemptAddGroup');

	// Group deletion
	$routes->get('deleteGroup', 'Admin::attemptDeleteGroup', ['as' => 'group-deletion']);

	// Administration password change
	$routes->get('changePassword', 'Admin::changePassword', ['as' => 'password-change']);
	$routes->post('changePassword', 'Admin::attemptChangePassword');
});

And finally, \Myth\Auth\Filters\LoginFilter

	public function before(RequestInterface $request)
	{
		// Make sure this isn't already a login route
		if ((current_url() === site_url(route_to('login'))) || (current_url() === site_url(route_to('forgot'))) || (current_url() === site_url(route_to('reset-password'))))
		{
			return;
		}

@fefo-p
Contributor Author

fefo-p commented Sep 21, 2019

It seems the problem had to do with a commented line in htaccess (RewriteBase = /).
Once I uncommented that line, everything started working ok.
I came to realize this because I installed my app in www.ionos.com (aka 1and1.com) and kept getting Error 500.
Once htaccess was updated to include RewriteBase, everything was fine.
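
An added example, not code from Myth\Auth or from anyone in this thread: one way to write the exemption check from the LoginFilter excerpt above so that it compares only the URL path, exactly, against a list of public paths, which keeps the decision independent of any query string such as `?token=...`. It goes slightly beyond the excerpt by normalising the path and failing closed on dot segments; the function names, the `$basePath` parameter and the sample URLs are assumptions made for illustration, and it is plain PHP with no framework helpers.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; not part of Myth\Auth or CodeIgniter.

/** Reduce a URL to a normalised path relative to $basePath, or null if unusable. */
function normalised_path(string $url, string $basePath = '/'): ?string
{
    $path = parse_url($url, PHP_URL_PATH);   // drops scheme, host, query, fragment
    if (!is_string($path)) {
        return null;                         // malformed URL or no path at all
    }
    $path = preg_replace('#/+#', '/', rawurldecode($path));
    // Refuse dot segments instead of resolving them: fail closed.
    if (preg_match('#(^|/)\.{1,2}(/|$)#', $path)) {
        return null;
    }
    // Strip the application's base path (app installed in a sub-directory).
    $base = '/' . trim($basePath, '/');
    if ($base !== '/') {
        if ($path !== $base && strpos($path, $base . '/') !== 0) {
            return null;                     // outside the application
        }
        $path = (string) substr($path, strlen($base));
    }
    return '/' . trim($path, '/');
}

/** Exact, case-sensitive match against the public paths; never a prefix match. */
function is_public_route(string $url, array $publicPaths, string $basePath = '/'): bool
{
    $path = normalised_path($url, $basePath);
    return $path !== null && in_array($path, $publicPaths, true);
}

// Constructed sample data (URLs modelled on the ones quoted in the issue).
$public = ['/login', '/forgot', '/reset-password'];
$urls = [
    'http://whatever.com/reset-password',
    'http://whatever.com/reset-password?token=e6290a3d8d156339963092e08228f039',
    'http://whatever.com/reset-password/?token=',
    'http://whatever.com/users?next=/login',
    'http://whatever.com/login/../users',
    'http://whatever.com/reset-password-admin',
];
foreach ($urls as $url) {
    printf("%-75s %s\n", $url, is_public_route($url, $public) ? 'public' : 'login required');
}
```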
