alexa-app
Security issue in route authorization using passport
I'm using passport to authenticate the Alexa routes with account linking functionality.
Actual (What I'm doing)
I have api.php routes file as below and my api driver is set to passport,
<?php
// routes/api.php: the 'api' group pulls in the Alexa routes and one plain route
Route::group(['prefix' => 'api'], function () {
    require 'alexa.php';
    Route::get('/user', function () {
        return response()->json(['status' => 'I am In!']);
    });
});
my alexa.php is as below,
<?php
// routes/alexa.php: Alexa routes are registered through the package's AlexaRoute
AlexaRoute::launch('/alexa', '\App\Http\Controllers\AlexaController@start');
....
?>
Issues
- When I need to provide the endpoint it should be https://my-app.dev/api/alexa but I have to provide it as https://my-app.dev/alexa, as prefixing does not seem to work. In the same way, if I want to access the user route, it works as expected.
- As my api driver is set to passport in config\auth.php, my alexa.php routes should be authenticated, right? But they won't be! I set up account linking and everything works fine too, but if I remove account linking and try to invoke the skill with only the endpoint provided, it works!! As I have provided the alexa routes in the closure with passport authentication, they should not be invoked without authentication.
Expected
- Prefix should work. (It took me a day to figure out what was wrong with the URL. For first-time users it is very confusing.)
- After setting up passport and account linking everything works great, but the user will be under the impression that their routes are authenticated. But they are not!!! Anyone can access the same alexa routes without authentication.
Is there any workaround to get the authentication issue fixed? As I can see, the Router is extended for use, and maybe there would be a workaround.
Thanks, Happy Coding
First, thanks for taking the time to make such a great issue / ticket!
Second, tl;dr: routes that go through the AlexaRoute are ultimately their "own thing" - there is basically a separate router that has its own stack of middleware and such. Now, I /would/ expect the prefix functionality to work; that's something I'd have to look at. I've had pretty limited availability recently but can try to add it to the list.
That said, if you figure it out or keep digging into it I would very much welcome PRs :)
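Because the Alexa routes run through a separate router with its own middleware stack, the group-level Passport protection the reporter expected never applies, and the only way to be sure is to test the endpoint the way an unauthenticated caller would hit it. The Laravel feature test below is an added example, not code from the alexa-app project or from either participant in this thread. It assumes the Alexa endpoint is mounted at /alexa (the path that worked for the reporter), that Laravel Passport is installed with App\User as its user model, and that any request-signature verification the package performs is disabled in the testing environment; the request body is a constructed minimal LaunchRequest with placeholder IDs.

```php
<?php
// Added example (not from alexa-app or the issue author): a Laravel feature
// test that checks whether the Alexa endpoint actually requires a Passport
// token. Assumptions: Laravel Passport is installed, the endpoint is /alexa,
// App\User is the Passport user model, and no Alexa request-signature
// verification runs in the testing environment. Adjust these if your app differs.

namespace Tests\Feature;

use App\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Laravel\Passport\Passport;
use Tests\TestCase;

class AlexaEndpointAuthTest extends TestCase
{
    use RefreshDatabase;

    // Constructed minimal Alexa LaunchRequest body; all identifiers are placeholders.
    private function launchRequest(): array
    {
        return [
            'version' => '1.0',
            'session' => [
                'new' => true,
                'sessionId' => 'amzn1.echo-api.session.placeholder',
                'application' => ['applicationId' => 'amzn1.ask.skill.placeholder'],
                'user' => ['userId' => 'amzn1.ask.account.placeholder'],
            ],
            'request' => [
                'type' => 'LaunchRequest',
                'requestId' => 'amzn1.echo-api.request.placeholder',
                'timestamp' => '2017-01-01T00:00:00Z',
                'locale' => 'en-US',
            ],
        ];
    }

    /** Without a bearer token the skill endpoint must be rejected. */
    public function testLaunchWithoutTokenIsRejected()
    {
        $response = $this->postJson('/alexa', $this->launchRequest());

        // If this fails, the route is reachable without account linking,
        // which is exactly the situation described in the issue.
        $response->assertStatus(401);
    }

    /** With a valid Passport token the same request should be accepted. */
    public function testLaunchWithTokenIsAccepted()
    {
        Passport::actingAs(factory(User::class)->create());

        $response = $this->postJson('/alexa', $this->launchRequest());

        $response->assertStatus(200);
    }
}
```

Run it with `php artisan test` or `vendor/bin/phpunit --filter AlexaEndpointAuthTest`. The first test is the one that matters here: on a setup like the reporter's it fails with a 200 instead of a 401, which makes the unprotected endpoint visible in CI rather than only after someone notices that account linking can be removed without effect. Whatever fix is eventually applied (middleware on the package's own router, or auth enforced inside the controller), keeping this test in the suite guards against the protection silently disappearing again.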