-
-
Notifications
You must be signed in to change notification settings - Fork 366
Expand file tree
/
Copy pathSecurePathController.php
More file actions
94 lines (79 loc) · 2.63 KB
/
SecurePathController.php
File metadata and controls
94 lines (79 loc) · 2.63 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
<?php
/**
* SPDX-License-Identifier: MIT
* Copyright (c) 2017-2018 Tobias Reich
* Copyright (c) 2018-2025 LycheeOrg.
*/
namespace App\Http\Controllers;
use App\Enum\StorageDiskType;
use App\Exceptions\SecurePaths\InvalidPayloadException;
use App\Exceptions\SecurePaths\InvalidSignatureException;
use App\Exceptions\SecurePaths\SignatureExpiredException;
use App\Exceptions\SecurePaths\WrongPathException;
use App\Models\Configs;
use App\Models\Extensions\HasUrlGenerator;
use Illuminate\Contracts\Encryption\DecryptException;
use Illuminate\Http\Request;
use Illuminate\Routing\Controller;
use Illuminate\Support\Carbon;
use Illuminate\Support\Collection;
use Illuminate\Support\Facades\Crypt;
use Illuminate\Support\Facades\Log;
use Illuminate\Support\Facades\Storage;
/**
* Controller responsible for serving files securely.
*/
class SecurePathController extends Controller
{
use HasUrlGenerator;
public function __invoke(Request $request, ?string $path)
{
// First we verify that the request has not expired.
if (!self::shouldNotUseSignedUrl() && !$this->signatureHasNotExpired($request)) {
throw new SignatureExpiredException();
}
// Then we verify that the request has a valid signature.
if (!self::shouldNotUseSignedUrl() && !$request->hasValidSignature()) {
Log::error('Invalid signature for secure path request. Verify that the url generated for the image match.', [
'candidate url' => $this->getUrl($request),
]);
throw new InvalidSignatureException();
}
if (is_null($path)) {
throw new WrongPathException();
}
if (Configs::getValueAsBool('secure_image_link_enabled')) {
try {
$path = Crypt::decryptString($path);
} catch (DecryptException) {
throw new InvalidPayloadException();
}
}
$file = Storage::disk(StorageDiskType::LOCAL->value)->path($path);
if (!file_exists($file)) {
throw new WrongPathException();
}
return response()->file($file);
}
private function getUrl(Request $request): string
{
$ignore_query = ['signature'];
$query_string = '';
$query_string = (new Collection(explode('&', (string) $request->server->get('QUERY_STRING'))))
->reject(fn ($parameter) => in_array(\Str::before($parameter, '='), $ignore_query, true))
->join('&');
return rtrim($request->url() . '?' . $query_string, '?');
}
/**
* Determine if the expires timestamp from the given request is not from the past.
*
* @param \Illuminate\Http\Request $request
*
* @return bool
*/
private function signatureHasNotExpired(Request $request)
{
$expires = $request->query('expires');
return !($expires !== null && $expires !== '' && Carbon::now()->getTimestamp() > $expires);
}
}