From b0e8bfa3ce4ba880092be7706b43086b63f09974 Mon Sep 17 00:00:00 2001
From: Peter Papp <peterpapp@makingcg.com>
Date: Thu, 22 Jul 2021 12:27:36 +0200
Subject: [PATCH] Setup Wizard middleware implemented

---
 routes/setup.php                              | 21 +++++++-----
 routes/web.php                                |  4 ---
 src/App/Http/Kernel.php                       |  3 ++
 src/App/Providers/RouteServiceProvider.php    |  3 +-
 .../Middleware/ProtectSetupWizardRoutes.php   | 33 +++++++++++++++++++
 tests/Domain/SetupWizard/SetupWizardTest.php  | 10 +++---
 6 files changed, 55 insertions(+), 19 deletions(-)
 create mode 100644 src/Support/Middleware/ProtectSetupWizardRoutes.php

diff --git a/routes/setup.php b/routes/setup.php
index 4b3818fd..677e3ab9 100644
--- a/routes/setup.php
+++ b/routes/setup.php
@@ -1,5 +1,6 @@
 <?php
 
+use Domain\SetupWizard\Controllers\CreateAdminAccountController;
 use Domain\SetupWizard\Controllers\StorePlansController;
 use Domain\SetupWizard\Controllers\StoreBillingsController;
 use Domain\SetupWizard\Controllers\StoreAppSettingsController;
@@ -8,11 +9,15 @@ use Domain\SetupWizard\Controllers\StoreDatabaseCredentialsController;
 use Domain\SetupWizard\Controllers\StoreEnvironmentSettingsController;
 use Domain\SetupWizard\Controllers\StoreSubscriptionServiceCredentialsController;
 
-// TODO: create middleware for setup wizard protection after successful installation
-Route::post('/stripe-credentials', StoreSubscriptionServiceCredentialsController::class);
-Route::post('/environment-setup', StoreEnvironmentSettingsController::class);
-Route::post('/database', StoreDatabaseCredentialsController::class);
-Route::post('/purchase-code', VerifyPurchaseCodeController::class);
-Route::post('/stripe-billings', StoreBillingsController::class);
-Route::post('/app-setup', StoreAppSettingsController::class);
-Route::post('/stripe-plans', StorePlansController::class);
+Route::group(['prefix' => 'api/setup'], function () {
+    Route::post('/stripe-credentials', StoreSubscriptionServiceCredentialsController::class);
+    Route::post('/environment-setup', StoreEnvironmentSettingsController::class);
+    Route::post('/database', StoreDatabaseCredentialsController::class);
+    Route::post('/purchase-code', VerifyPurchaseCodeController::class);
+    Route::post('/stripe-billings', StoreBillingsController::class);
+    Route::post('/app-setup', StoreAppSettingsController::class);
+    Route::post('/stripe-plans', StorePlansController::class);
+});
+
+Route::post('/admin-setup', CreateAdminAccountController::class)
+    ->middleware('web');
diff --git a/routes/web.php b/routes/web.php
index aa4feaf9..3daec34e 100644
--- a/routes/web.php
+++ b/routes/web.php
@@ -5,12 +5,8 @@ use Domain\Invoices\Controllers\AdminInvoiceController;
 use Domain\Sharing\Controllers\SharePublicIndexController;
 use Domain\Sharing\Controllers\WebCrawlerOpenGraphController;
 use Domain\Subscriptions\Controllers\StripeWebhookController;
-use Domain\SetupWizard\Controllers\CreateAdminAccountController;
 use Domain\Localization\Controllers\CurrentLocalizationController;
 
-// Setup Wizard
-Route::post('/admin-setup', CreateAdminAccountController::class);
-
 // Subscription Services
 Route::post('/stripe/webhook', [StripeWebhookController::class, 'handleWebhook']);
 Route::get('/invoice/{customer}/{token}', [AdminInvoiceController::class, 'show'])->middleware(['auth:sanctum']);
diff --git a/src/App/Http/Kernel.php b/src/App/Http/Kernel.php
index 1d2de0f3..4872a968 100644
--- a/src/App/Http/Kernel.php
+++ b/src/App/Http/Kernel.php
@@ -1,7 +1,9 @@
 <?php
+
 namespace App\Http;
 
 use Fruitcake\Cors\HandleCors;
+use Support\Middleware\ProtectSetupWizardRoutes;
 use Support\Middleware\TrimStrings;
 use Support\Middleware\TrustProxies;
 use Support\Middleware\EncryptCookies;
@@ -73,5 +75,6 @@ class Kernel extends HttpKernel
         'signed'           => \Illuminate\Routing\Middleware\ValidateSignature::class,
         'throttle'         => \Illuminate\Routing\Middleware\ThrottleRequests::class,
         'verified'         => \Illuminate\Auth\Middleware\EnsureEmailIsVerified::class,
+        'setup-wizard'     => ProtectSetupWizardRoutes::class,
     ];
 }
diff --git a/src/App/Providers/RouteServiceProvider.php b/src/App/Providers/RouteServiceProvider.php
index 2a4e3c22..70e37f3a 100644
--- a/src/App/Providers/RouteServiceProvider.php
+++ b/src/App/Providers/RouteServiceProvider.php
@@ -108,8 +108,7 @@ class RouteServiceProvider extends ServiceProvider
 
     protected function mapSetupWizardApiRoutes()
     {
-        Route::prefix('api/setup')
-            ->middleware('api')
+        Route::middleware(['setup-wizard'])
             ->group(base_path('routes/setup.php'));
     }
 }
diff --git a/src/Support/Middleware/ProtectSetupWizardRoutes.php b/src/Support/Middleware/ProtectSetupWizardRoutes.php
new file mode 100644
index 00000000..26505521
--- /dev/null
+++ b/src/Support/Middleware/ProtectSetupWizardRoutes.php
@@ -0,0 +1,33 @@
+<?php
+
+namespace Support\Middleware;
+
+use Closure;
+use Doctrine\DBAL\Driver\PDOException;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\DB;
+use Schema;
+
+class ProtectSetupWizardRoutes
+{
+    /**
+     * Prevent access for setup wizard controllers after initial app installation.
+     */
+    public function handle(Request $request, Closure $next): mixed
+    {
+        try {
+            // Check database connections
+            DB::getPdo();
+
+            // Get setup_wizard status
+            if (Schema::hasTable('settings') && get_setting('setup_wizard_success')) {
+                return response('Gone', 410);
+            }
+
+            return $next($request);
+
+        } catch (PDOException $e) {
+            return $next($request);
+        }
+    }
+}
diff --git a/tests/Domain/SetupWizard/SetupWizardTest.php b/tests/Domain/SetupWizard/SetupWizardTest.php
index deddd7ac..8d6b492d 100644
--- a/tests/Domain/SetupWizard/SetupWizardTest.php
+++ b/tests/Domain/SetupWizard/SetupWizardTest.php
@@ -207,7 +207,7 @@ class SetupWizardTest extends TestCase
      */
     public function it_create_admin_account()
     {
-        $this->postJson('/admin-setup', [
+        $this->post('/admin-setup', [
             'email'                 => 'john@doe.com',
             'password'              => 'VerySecretPassword',
             'password_confirmation' => 'VerySecretPassword',
@@ -280,10 +280,10 @@ class SetupWizardTest extends TestCase
      */
     public function it_try_to_create_admin_account_after_setup_wizard_success()
     {
-        Setting::forceCreate([
-            'name'  => 'setup_wizard_success',
-            'value' => '1',
-        ]);
+        Setting::updateOrCreate(
+            ['name' => 'setup_wizard_success'],
+            ['value' => '1']
+        );
 
         $this->postJson('/admin-setup', [
             'email'                 => 'john@doe.com',