refactor: remove source host allowlist from direct login
This commit is contained in:
@@ -20,7 +20,7 @@ final class DirectAdminContext
|
||||
if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,31}$/', $username)) {
|
||||
throw new InvalidArgumentException('Invalid DirectAdmin username');
|
||||
}
|
||||
$host = self::trustedSourceHost($server, $settings);
|
||||
$host = self::trustedSourceHost($server);
|
||||
if ($host === '') {
|
||||
throw new InvalidArgumentException('Missing source host');
|
||||
}
|
||||
@@ -37,17 +37,8 @@ final class DirectAdminContext
|
||||
/**
|
||||
* @param array<string,mixed> $server
|
||||
*/
|
||||
private static function trustedSourceHost(array $server, Settings $settings): string
|
||||
private static function trustedSourceHost(array $server): string
|
||||
{
|
||||
$configuredName = $settings->sourceServerName();
|
||||
if ($configuredName !== '') {
|
||||
foreach ($settings->allowedSourceHosts() as $allowedHost) {
|
||||
$label = $settings->sanitizeServerName(explode('.', $allowedHost)[0] ?? '');
|
||||
if ($label === $configuredName) {
|
||||
return $allowedHost;
|
||||
}
|
||||
}
|
||||
}
|
||||
return Settings::normalizeHost((string)($server['SERVER_NAME'] ?? ''));
|
||||
}
|
||||
|
||||
|
||||
@@ -64,7 +64,6 @@ final class Settings
|
||||
'MAIL_LOGIN_REDIRECT_URL' => '/',
|
||||
'LOGIN_KEY_TTL' => '30',
|
||||
'USER_IP_BOUND' => '1',
|
||||
'MAIL_LOGIN_ALLOWED_SOURCE_HOSTS' => 's1.abc.pl,serwer.mojserwer.pl,serwer2.xxb.ovh',
|
||||
'MAIL_LOGIN_SOURCE_SERVER_NAME' => '',
|
||||
'MAIL_LOGIN_CLIENT_IP_MODE' => 'direct',
|
||||
'MAIL_LOGIN_TRUSTED_PROXIES' => '',
|
||||
@@ -136,14 +135,6 @@ final class Settings
|
||||
return $this->getString('USER_IP_BOUND', '1') === '1';
|
||||
}
|
||||
|
||||
/**
|
||||
* @return list<string>
|
||||
*/
|
||||
public function allowedSourceHosts(): array
|
||||
{
|
||||
return $this->csvHosts('MAIL_LOGIN_ALLOWED_SOURCE_HOSTS');
|
||||
}
|
||||
|
||||
public function sourceServerName(): string
|
||||
{
|
||||
return $this->sanitizeServerName($this->getString('MAIL_LOGIN_SOURCE_SERVER_NAME', ''));
|
||||
@@ -213,25 +204,6 @@ final class Settings
|
||||
return substr($name, 0, 32);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return list<string>
|
||||
*/
|
||||
private function csvHosts(string $key): array
|
||||
{
|
||||
$raw = $this->getString($key, '');
|
||||
if ($raw === '') {
|
||||
return [];
|
||||
}
|
||||
$out = [];
|
||||
foreach (explode(',', $raw) as $item) {
|
||||
$host = self::normalizeHost($item);
|
||||
if ($host !== '') {
|
||||
$out[] = $host;
|
||||
}
|
||||
}
|
||||
return array_values(array_unique($out));
|
||||
}
|
||||
|
||||
/**
|
||||
* @return list<string>
|
||||
*/
|
||||
|
||||
@@ -1,16 +0,0 @@
|
||||
<?php
|
||||
declare(strict_types=1);
|
||||
|
||||
final class SourceAuthorizer
|
||||
{
|
||||
public static function assertAllowed(string $sourceHost, Settings $settings): void
|
||||
{
|
||||
$allowed = $settings->allowedSourceHosts();
|
||||
if ($allowed === []) {
|
||||
throw new RuntimeException('No source host allowlist configured');
|
||||
}
|
||||
if (!in_array(Settings::normalizeHost($sourceHost), $allowed, true)) {
|
||||
throw new RuntimeException('Source host is not allowed');
|
||||
}
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user