  1. <?php
  2. namespace App\Http\Controllers;
  3. use Illuminate\Http\Request;
  4. use App\Models\AdminInvite;
  5. use App\Profile;
  6. use App\User;
  7. use Purify;
  8. use App\Util\Lexer\RestrictedNames;
  9. use Illuminate\Foundation\Auth\RegistersUsers;
  10. use Illuminate\Support\Facades\Auth;
  11. use Illuminate\Support\Facades\Hash;
  12. use Illuminate\Support\Facades\Validator;
  13. use Illuminate\Auth\Events\Registered;
  14. use App\Services\EmailService;
  15. use App\Http\Controllers\Auth\RegisterController;
  16. class AdminInviteController extends Controller
  17. {
  18. public function __construct()
  19. {
  20. abort_if(!config('instance.admin_invites.enabled'), 404);
  21. }
  22. public function index(Request $request, $code)
  23. {
  24. if($request->user()) {
  25. return redirect('/');
  26. }
  27. return view('invite.admin_invite', compact('code'));
  28. }
  29. public function apiVerifyCheck(Request $request)
  30. {
  31. $this->validate($request, [
  32. 'token' => 'required',
  33. ]);
  34. $invite = AdminInvite::whereInviteCode($request->input('token'))->first();
  35. abort_if(!$invite, 404);
  36. abort_if($invite->expires_at && $invite->expires_at->lt(now()), 400, 'Invite has expired.');
  37. abort_if($invite->max_uses && $invite->uses >= $invite->max_uses, 400, 'Maximum invites reached.');
  38. $res = [
  39. 'message' => $invite->message,
  40. 'max_uses' => $invite->max_uses,
  41. 'sev' => $invite->skip_email_verification
  42. ];
  43. return response()->json($res);
  44. }
  45. public function apiUsernameCheck(Request $request)
  46. {
  47. $this->validate($request, [
  48. 'token' => 'required',
  49. 'username' => 'required'
  50. ]);
  51. $invite = AdminInvite::whereInviteCode($request->input('token'))->first();
  52. abort_if(!$invite, 404);
  53. abort_if($invite->expires_at && $invite->expires_at->lt(now()), 400, 'Invite has expired.');
  54. abort_if($invite->max_uses && $invite->uses >= $invite->max_uses, 400, 'Maximum invites reached.');
  55. $usernameRules = [
  56. 'required',
  57. 'min:2',
  58. 'max:15',
  59. 'unique:users',
  60. function ($attribute, $value, $fail) {
  61. $dash = substr_count($value, '-');
  62. $underscore = substr_count($value, '_');
  63. $period = substr_count($value, '.');
  64. if(ends_with($value, ['.php', '.js', '.css'])) {
  65. return $fail('Username is invalid.');
  66. }
  67. if(($dash + $underscore + $period) > 1) {
  68. return $fail('Username is invalid. Can only contain one dash (-), period (.) or underscore (_).');
  69. }
  70. if (!ctype_alnum($value[0])) {
  71. return $fail('Username is invalid. Must start with a letter or number.');
  72. }
  73. if (!ctype_alnum($value[strlen($value) - 1])) {
  74. return $fail('Username is invalid. Must end with a letter or number.');
  75. }
  76. $val = str_replace(['_', '.', '-'], '', $value);
  77. if(!ctype_alnum($val)) {
  78. return $fail('Username is invalid. Username must be alpha-numeric and may contain dashes (-), periods (.) and underscores (_).');
  79. }
  80. $restricted = RestrictedNames::get();
  81. if (in_array(strtolower($value), array_map('strtolower', $restricted))) {
  82. return $fail('Username cannot be used.');
  83. }
  84. },
  85. ];
  86. $rules = ['username' => $usernameRules];
  87. $validator = Validator::make($request->all(), $rules);
  88. if($validator->fails()) {
  89. return response()->json($validator->errors(), 400);
  90. }
  91. return response()->json([]);
  92. }
  93. public function apiEmailCheck(Request $request)
  94. {
  95. $this->validate($request, [
  96. 'token' => 'required',
  97. 'email' => 'required'
  98. ]);
  99. $invite = AdminInvite::whereInviteCode($request->input('token'))->first();
  100. abort_if(!$invite, 404);
  101. abort_if($invite->expires_at && $invite->expires_at->lt(now()), 400, 'Invite has expired.');
  102. abort_if($invite->max_uses && $invite->uses >= $invite->max_uses, 400, 'Maximum invites reached.');
  103. $emailRules = [
  104. 'required',
  105. 'string',
  106. 'email',
  107. 'max:255',
  108. 'unique:users',
  109. function ($attribute, $value, $fail) {
  110. $banned = EmailService::isBanned($value);
  111. if($banned) {
  112. return $fail('Email is invalid.');
  113. }
  114. },
  115. ];
  116. $rules = ['email' => $emailRules];
  117. $validator = Validator::make($request->all(), $rules);
  118. if($validator->fails()) {
  119. return response()->json($validator->errors(), 400);
  120. }
  121. return response()->json([]);
  122. }
  123. public function apiRegister(Request $request)
  124. {
  125. $this->validate($request, [
  126. 'token' => 'required',
  127. 'username' => [
  128. 'required',
  129. 'min:2',
  130. 'max:15',
  131. 'unique:users',
  132. function ($attribute, $value, $fail) {
  133. $dash = substr_count($value, '-');
  134. $underscore = substr_count($value, '_');
  135. $period = substr_count($value, '.');
  136. if(ends_with($value, ['.php', '.js', '.css'])) {
  137. return $fail('Username is invalid.');
  138. }
  139. if(($dash + $underscore + $period) > 1) {
  140. return $fail('Username is invalid. Can only contain one dash (-), period (.) or underscore (_).');
  141. }
  142. if (!ctype_alnum($value[0])) {
  143. return $fail('Username is invalid. Must start with a letter or number.');
  144. }
  145. if (!ctype_alnum($value[strlen($value) - 1])) {
  146. return $fail('Username is invalid. Must end with a letter or number.');
  147. }
  148. $val = str_replace(['_', '.', '-'], '', $value);
  149. if(!ctype_alnum($val)) {
  150. return $fail('Username is invalid. Username must be alpha-numeric and may contain dashes (-), periods (.) and underscores (_).');
  151. }
  152. $restricted = RestrictedNames::get();
  153. if (in_array(strtolower($value), array_map('strtolower', $restricted))) {
  154. return $fail('Username cannot be used.');
  155. }
  156. },
  157. ],
  158. 'name' => 'nullable|string|max:'.config('pixelfed.max_name_length'),
  159. 'email' => [
  160. 'required',
  161. 'string',
  162. 'email',
  163. 'max:255',
  164. 'unique:users',
  165. function ($attribute, $value, $fail) {
  166. $banned = EmailService::isBanned($value);
  167. if($banned) {
  168. return $fail('Email is invalid.');
  169. }
  170. },
  171. ],
  172. 'password' => 'required',
  173. 'password_confirm' => 'required'
  174. ]);
  175. $invite = AdminInvite::whereInviteCode($request->input('token'))->firstOrFail();
  176. abort_if($invite->expires_at && $invite->expires_at->lt(now()), 400, 'Invite expired');
  177. abort_if($invite->max_uses && $invite->uses >= $invite->max_uses, 400, 'Maximum invites reached.');
  178. $invite->uses = $invite->uses + 1;
  179. event(new Registered($user = User::create([
  180. 'name' => Purify::clean($request->input('name')) ?? $request->input('username'),
  181. 'username' => $request->input('username'),
  182. 'email' => $request->input('email'),
  183. 'password' => Hash::make($request->input('password')),
  184. ])));
  185. sleep(5);
  186. $invite->used_by = array_merge($invite->used_by ?? [], [[
  187. 'user_id' => $user->id,
  188. 'username' => $user->username
  189. ]]);
  190. $invite->save();
  191. if($invite->skip_email_verification) {
  192. $user->email_verified_at = now();
  193. $user->save();
  194. }
  195. if(Auth::attempt([
  196. 'email' => $request->input('email'),
  197. 'password' => $request->input('password')
  198. ])) {
  199. $request->session()->regenerate();
  200. return redirect()->intended('/');
  201. } else {
  202. return response()->json([], 400);
  203. }
  204. }
  205. }