Merge pull request #3 from fintechbd/LP-3-Login

LP-3 login request validation and verification

lang/en/messages.php

@@ -11,17 +11,14 @@
 */
 return [
     'success' => 'Login successful.',
+    'forbidden' => 'Access Forbidden! You are not allowed to :permission',
     'logout' => 'Logout successful. Thank you for using our services',
     'failed' => 'These credentials do not match our records.',
     'password' => 'The provided password is incorrect.',
     'throttle' => 'Too many login attempts. Please try again in :seconds seconds.',
-    'Invalid Token' => 'Invalid Token',
-    'Your IP :user_ip is blocked. Please contact support.' => 'Your IP :user_ip is blocked. Please contact support.', //don't translate :user_ip
-    'This user are not login. Please contact support.' => 'This user are not login. Please contact support.',
-    'Sorry, You entered wrong mobile number or invalid password!' => 'Sorry, You entered wrong mobile number or invalid password!',
+    'ip_blocked' => 'Your IP :ip is blocked, Please contact support.',
     'warning' => 'Sorry, You entered wrong credentials! You already attempt :attempt. times out of :threshold',
     'lockup' => 'Sorry, Your Account is has been Locked. Please contact support!',
-    'This user are not login' => 'This user are not login',
     'Sorry, You entered wrong mobile number or invalid pin!' => 'Sorry, You entered wrong mobile number or invalid pin!',
     'Sorry, You entered wrong mobile number or pin! You already attempt :wrong_pin_password. times out of :password_retry_limit' => 'Sorry, You entered wrong mobile number or pin! You already attempt :wrong_pin_password. times out of :password_retry_limit',
 ];

src/Http/Controllers/AuthenticatedSessionController.php

@@ -49,22 +49,29 @@ public function store(LoginRequest $request): LoginResource|JsonResponse
         if (! Hash::check($request->input('password'), $attemptUser->password)) {
 
             $request->hitRateLimited();
-
+            $wrongPasswordCount = $attemptUser->wrong_password + 1;
             \Fintech\Auth\Facades\Auth::user()->update($attemptUser->id, [
-                'wrong_password' => $attemptUser->wrong_password + 1,
+                'wrong_password' => $wrongPasswordCount,
             ]);
 
-            return $this->failed(__('auth::messages.failed'));
+            return $this->failed(__('auth::messages.warning', [
+                'attempt' => $wrongPasswordCount,
+                'threshold' => config('fintech.auth.threshold.password', 10),
+            ]));
         }
 
         $request->clearRateLimited();
 
+        if ($attemptUser->can('auth.login')) {
+            $request->session()->invalidate();
+
+            return $this->forbidden(__('auth::messages.forbidden', ['permission' => permission_format('auth.login', 'auth')]));
+        }
+
         Auth::login($attemptUser);
 
         Auth::user()->tokens->each(fn ($token) => $token->delete());
 
-        //permission check
-
         return new LoginResource(Auth::user());
     }
 

src/Http/Middleware/IpAddressVerified.php

@@ -0,0 +1,29 @@
+<?php
+
+namespace Fintech\Auth\Http\Middlewares;
+
+use Closure;
+use Fintech\Core\Traits\ApiResponseTrait;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\App;
+use Symfony\Component\HttpFoundation\Response;
+
+class IpAddressVerified
+{
+    use ApiResponseTrait;
+
+    /**
+     * Handle an incoming request.
+     *
+     * @param  \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response)  $next
+     */
+    public function handle(Request $request, Closure $next): Response
+    {
+        if (App::isProduction()) {
+
+            return $this->banned(__('auth::messages.ip_blocked', ['ip' => $request->ip()]));
+        }
+
+        return $next($request);
+    }
+}

src/Http/Requests/LoginRequest.php

@@ -62,7 +62,7 @@ public function ensureIsNotRateLimited(): void
 
         $seconds = RateLimiter::availableIn($this->throttleKey());
 
-        abort(Response::HTTP_TOO_MANY_REQUESTS, trans('auth.throttle', [
+        abort(Response::HTTP_TOO_MANY_REQUESTS, trans('auth::messages.throttle', [
             'seconds' => $seconds,
             'minutes' => ceil($seconds / 60),
         ]));

src/Models/User.php

@@ -7,11 +7,13 @@
 use Illuminate\Foundation\Auth\User as Authenticatable;
 use Laravel\Sanctum\HasApiTokens;
 use OwenIt\Auditing\Contracts\Auditable;
+use Spatie\Permission\Traits\HasRoles;
 
 class User extends Authenticatable implements Auditable
 {
     use BlameableTrait;
     use HasApiTokens;
+    use HasRoles;
     use \OwenIt\Auditing\Auditable;
     use SoftDeletes;
 
@@ -30,6 +32,12 @@ class User extends Authenticatable implements Auditable
     protected $casts = [
         'email_verified_at' => 'datetime',
         'mobile_verified_at' => 'datetime',
+        'wrong_password' => 'integer',
+    ];
+
+    protected $attributes = [
+        'wrong_password' => 0,
+        'wrong_pin' => 0,
     ];
 
     /*

src/RouteServiceProvider.php

@@ -2,6 +2,7 @@
 
 namespace Fintech\Auth;
 
+use Fintech\Auth\Http\Middlewares\IpAddressVerified;
 use Illuminate\Cache\RateLimiting\Limit;
 use Illuminate\Foundation\Support\Providers\RouteServiceProvider as ServiceProvider;
 use Illuminate\Http\Request;
@@ -27,6 +28,8 @@ public function boot()
                 ->middleware('api')
                 ->group(__DIR__.'/../routes/api.php');
         });
+
+        Route::middlewareGroup('ip_verified', [IpAddressVerified::class]);
     }
 
     /**

src/Services/UserService.php

@@ -125,10 +125,10 @@ public function read($id)
 
     public function update($id, array $inputs = [])
     {
-        if ($inputs['password']) {
+        if (isset($inputs['password']) && ! empty($inputs['password'])) {
             $inputs['password'] = Hash::make($inputs['password']);
         }
-        if ($inputs['pin']) {
+        if (isset($inputs['pin']) && ! empty($inputs['pin'])) {
             $inputs['pin'] = Hash::make($inputs['pin']);
         }