feat(auth): gate first-user registration with setup token
Require a setup_token query parameter to access the registration page when no users exist, preventing admin hijacking on new instances.
This commit is contained in:
parent
8db2a8624a
commit
d2e11171f8
6 changed files with 81 additions and 4 deletions
|
|
@ -35,6 +35,14 @@ public function create(array $input): User
|
|||
])->validate();
|
||||
|
||||
if (User::count() == 0) {
|
||||
// MapleDeploy: validate setup token for first user registration
|
||||
if ($settings->setup_token) {
|
||||
$providedToken = $input['setup_token'] ?? null;
|
||||
if (! $providedToken || ! hash_equals($settings->setup_token, $providedToken)) {
|
||||
abort(403);
|
||||
}
|
||||
}
|
||||
|
||||
// If this is the first user, make them the root user
|
||||
// Team is already created in the database/seeders/ProductionSeeder.php
|
||||
$user = User::create([
|
||||
|
|
|
|||
|
|
@ -44,15 +44,24 @@ public function boot(): void
|
|||
{
|
||||
Fortify::createUsersUsing(CreateNewUser::class);
|
||||
Fortify::registerView(function () {
|
||||
$isFirstUser = User::count() === 0;
|
||||
|
||||
$settings = instanceSettings();
|
||||
if (! $settings->is_registration_enabled) {
|
||||
return redirect()->route('login');
|
||||
}
|
||||
|
||||
$isFirstUser = User::count() === 0;
|
||||
|
||||
// MapleDeploy: token-gated registration for first user
|
||||
if ($isFirstUser && $settings->setup_token) {
|
||||
$token = request()->query('setup_token');
|
||||
if (! $token || ! hash_equals($settings->setup_token, $token)) {
|
||||
abort(403);
|
||||
}
|
||||
}
|
||||
|
||||
return view('auth.register', [
|
||||
'isFirstUser' => $isFirstUser,
|
||||
'setupToken' => request()->query('setup_token'),
|
||||
]);
|
||||
});
|
||||
|
||||
|
|
@ -61,7 +70,15 @@ public function boot(): void
|
|||
$enabled_oauth_providers = OauthSetting::where('enabled', true)->get();
|
||||
$users = User::count();
|
||||
if ($users == 0) {
|
||||
// If there are no users, redirect to registration
|
||||
// MapleDeploy: don't redirect to register if setup token is required
|
||||
if ($settings->setup_token) {
|
||||
return view('auth.login', [
|
||||
'setup_pending' => true,
|
||||
'is_registration_enabled' => false,
|
||||
'enabled_oauth_providers' => collect(),
|
||||
]);
|
||||
}
|
||||
|
||||
return redirect()->route('register');
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@
|
|||
return [
|
||||
// MapleDeploy branding: registry pointed to Forgejo, auto-update disabled by default
|
||||
'coolify' => [
|
||||
'version' => '4.0.0-beta.463.9',
|
||||
'version' => '4.0.0-beta.463.10',
|
||||
'helper_version' => '1.0.12',
|
||||
'realtime_version' => '1.0.10',
|
||||
'self_hosted' => env('SELF_HOSTED', true),
|
||||
|
|
|
|||
|
|
@ -0,0 +1,28 @@
|
|||
<?php
|
||||
|
||||
use Illuminate\Database\Migrations\Migration;
|
||||
use Illuminate\Database\Schema\Blueprint;
|
||||
use Illuminate\Support\Facades\Schema;
|
||||
|
||||
return new class extends Migration
|
||||
{
|
||||
/**
|
||||
* Run the migrations.
|
||||
*/
|
||||
public function up(): void
|
||||
{
|
||||
Schema::table('instance_settings', function (Blueprint $table) {
|
||||
$table->string('setup_token')->nullable();
|
||||
});
|
||||
}
|
||||
|
||||
/**
|
||||
* Reverse the migrations.
|
||||
*/
|
||||
public function down(): void
|
||||
{
|
||||
Schema::table('instance_settings', function (Blueprint $table) {
|
||||
$table->dropColumn('setup_token');
|
||||
});
|
||||
}
|
||||
};
|
||||
|
|
@ -10,6 +10,26 @@
|
|||
</div>
|
||||
|
||||
<div class="space-y-6">
|
||||
@if (!empty($setup_pending))
|
||||
{{-- MapleDeploy: setup token required but not provided --}}
|
||||
<div class="mb-6 p-4 bg-warning/10 border border-warning rounded-lg">
|
||||
<div class="flex gap-3">
|
||||
<svg class="size-5 text-warning flex-shrink-0 mt-0.5" xmlns="http://www.w3.org/2000/svg"
|
||||
viewBox="0 0 20 20" fill="currentColor">
|
||||
<path fill-rule="evenodd"
|
||||
d="M18 10a8 8 0 11-16 0 8 8 0 0116 0zm-7-4a1 1 0 11-2 0 1 1 0 012 0zM9 9a.75.75 0 000 1.5h.253a.25.25 0 01.244.304l-.459 2.066A1.75 1.75 0 0010.747 15H11a.75.75 0 000-1.5h-.253a.25.25 0 01-.244-.304l.459-2.066A1.75 1.75 0 009.253 9H9z"
|
||||
clip-rule="evenodd" />
|
||||
</svg>
|
||||
<div>
|
||||
<p class="font-bold text-warning">Setup pending</p>
|
||||
<p class="text-sm dark:text-white text-black">
|
||||
Initial setup has not been completed. Please use the setup link from your
|
||||
<a href="https://app.mapledeploy.ca" class="underline hover:text-warning">MapleDeploy dashboard</a>.
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
@else
|
||||
@if (session('status'))
|
||||
<div class="mb-6 p-4 bg-success/10 border border-success rounded-lg">
|
||||
<p class="text-sm text-success">{{ session('status') }}</p>
|
||||
|
|
@ -96,6 +116,7 @@ class="block w-full text-center py-3 px-4 rounded-lg border border-neutral-300 d
|
|||
@endforeach
|
||||
</div>
|
||||
@endif
|
||||
@endif {{-- end setup_pending --}}
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
|
|
|
|||
|
|
@ -51,6 +51,9 @@ function getOldOrLocal($key, $localValue)
|
|||
|
||||
<form action="/register" method="POST" class="flex flex-col gap-4">
|
||||
@csrf
|
||||
@if (isset($setupToken))
|
||||
<input type="hidden" name="setup_token" value="{{ $setupToken }}" />
|
||||
@endif
|
||||
<x-forms.input id="name" required type="text" name="name" value="{{ $name }}"
|
||||
label="{{ __('input.name') }}" />
|
||||
<x-forms.input id="email" required type="email" name="email" value="{{ $email }}"
|
||||
|
|
|
|||
Loading…
Reference in a new issue