Fix #11383

app/Http/Controllers/Auth/LoginController.php

@@ -31,6 +31,7 @@ use FireflyIII\Exceptions\FireflyException;
 use FireflyIII\Http\Controllers\Controller;
 use FireflyIII\Providers\RouteServiceProvider;
 use FireflyIII\Repositories\User\UserRepositoryInterface;
+use FireflyIII\Support\Facades\Steam;
 use FireflyIII\User;
 use Illuminate\Contracts\Foundation\Application;
 use Illuminate\Contracts\View\Factory;
@@ -85,7 +86,7 @@ class LoginController extends Controller
      *
      * @throws ValidationException
      */
-    public function login(Request $request): JsonResponse|RedirectResponse
+    public function login(Request $request): JsonResponse | RedirectResponse
     {
         $username = $request->get($this->username());
         Log::channel('audit')->info(sprintf('User is trying to login using "%s"', $username));
@@ -103,8 +104,7 @@ class LoginController extends Controller
                         $this->username => trans('auth.failed'),
                     ]
                 )
-                ->onlyInput($this->username)
+                ->onlyInput($this->username);
-            ;
         }
         Log::debug('Login data is present.');
 
@@ -128,11 +128,10 @@ class LoginController extends Controller
             // send a custom login event because laravel will also fire a login event if a "remember me"-cookie
             // restores the event.
             event(new ActuallyLoggedIn($this->guard()->user()));
-
             return $this->sendLoginResponse($request);
         }
         Log::warning('Login attempt failed.');
-        $username = (string) $request->get($this->username());
+        $username = (string)$request->get($this->username());
         $user     = $this->repository->findByEmail($username);
         if (!$user instanceof User) {
             // send event to owner.
@@ -185,7 +184,7 @@ class LoginController extends Controller
     /**
      * Log the user out of the application.
      */
-    public function logout(Request $request): Redirector|RedirectResponse|Response
+    public function logout(Request $request): Redirector | RedirectResponse | Response
     {
         $authGuard = config('firefly.authentication_guard');
         $logoutUrl = config('firefly.custom_logout_url');
@@ -222,13 +221,13 @@ class LoginController extends Controller
      * @throws ContainerExceptionInterface
      * @throws NotFoundExceptionInterface
      */
-    public function showLoginForm(Request $request): Factory|Redirector|RedirectResponse|View
+    public function showLoginForm(Request $request): Factory | Redirector | RedirectResponse | View
     {
         Log::channel('audit')->info('Show login form (1.1).');
 
         $count = DB::table('users')->count();
         $guard = config('auth.defaults.guard');
-        $title             = (string) trans('firefly.login_page_title');
+        $title = (string)trans('firefly.login_page_title');
 
         if (0 === $count && 'web' === $guard) {
             return redirect(route('register'));
@@ -254,10 +253,31 @@ class LoginController extends Controller
         $storeInCookie = config('google2fa.store_in_cookie', false);
         if (false !== $storeInCookie) {
             $cookieName = config('google2fa.cookie_name', 'google2fa_token');
-            Cookie::queue(Cookie::make($cookieName, 'invalid-'.Carbon::now()->getTimestamp()));
+            Cookie::queue(Cookie::make($cookieName, 'invalid-' . Carbon::now()->getTimestamp()));
         }
         $usernameField = $this->username();
 
         return view('auth.login', ['allowRegistration' => $allowRegistration, 'email' => $email, 'remember' => $remember, 'allowReset' => $allowReset, 'title' => $title, 'usernameField' => $usernameField]);
     }
+
+    /**
+     * Send the response after the user was authenticated.
+     *
+     * @param \Illuminate\Http\Request $request
+     *
+     * @return \Illuminate\Http\RedirectResponse|\Illuminate\Http\JsonResponse
+     */
+    protected function sendLoginResponse(Request $request)
+    {
+        $request->session()->regenerate();
+        $this->clearLoginAttempts($request);
+
+        if ($response = $this->authenticated($request, $this->guard()->user())) {
+            return $response;
+        }
+        $path = Steam::getSafeUrl(session()->pull('url.intended', route('index')), route('index'));
+        Log::debug(sprintf('SafeURL is %s', $path));
+        return $request->wantsJson() ? new JsonResponse([], 204) : redirect()->to($path);
+    }
+
 }

app/Support/Steam.php

@@ -23,9 +23,8 @@ declare(strict_types=1);
 
 namespace FireflyIII\Support;
 
-use FireflyIII\Support\Facades\Preferences;
-use Deprecated;
 use Carbon\Carbon;
+use Deprecated;
 use Exception;
 use FireflyIII\Exceptions\FireflyException;
 use FireflyIII\Models\Account;
@@ -33,6 +32,7 @@ use FireflyIII\Models\AccountMeta;
 use FireflyIII\Models\Transaction;
 use FireflyIII\Models\TransactionCurrency;
 use FireflyIII\Support\Facades\Amount;
+use FireflyIII\Support\Facades\Preferences;
 use FireflyIII\Support\Http\Api\ExchangeRateConverter;
 use FireflyIII\Support\Singleton\PreferencesSingleton;
 use Illuminate\Support\Collection;
@@ -43,7 +43,6 @@ use Psr\Container\ContainerExceptionInterface;
 use Psr\Container\NotFoundExceptionInterface;
 use Safe\Exceptions\UrlException;
 use ValueError;
-
 use function Safe\parse_url;
 use function Safe\preg_replace;
 
@@ -66,8 +65,7 @@ class Steam
                                   ->leftJoin('transaction_currencies', 'transaction_currencies.id', '=', 'transactions.transaction_currency_id')
                                   ->where('transaction_journals.date', $inclusive ? '<=' : '<', $date->format('Y-m-d H:i:s'))
                                   ->groupBy(['transactions.account_id', 'transaction_currencies.code'])
-            ->get(['transactions.account_id', 'transaction_currencies.code', DB::raw('SUM(transactions.amount) as sum_of_amount')])->toArray()
+                                  ->get(['transactions.account_id', 'transaction_currencies.code', DB::raw('SUM(transactions.amount) as sum_of_amount')])->toArray();
-        ;
 
         Log::debug('Array of sums: ', $arrayOfSums);
 
@@ -80,7 +78,7 @@ class Steam
             $currency = $currencies[$account->id];
 
             // second array
-            $accountSums          = array_filter($arrayOfSums, fn (array $entry): bool => $entry['account_id'] === $account->id);
+            $accountSums = array_filter($arrayOfSums, fn(array $entry): bool => $entry['account_id'] === $account->id);
             if (0 === count($accountSums)) {
                 $result[$account->id] = $return;
 
@@ -131,7 +129,8 @@ class Steam
     }
 
     /**
-     * Calls accountsBalancesOptimized for the given accounts and makes sure that inclusive is set to false, so it properly gets the balance of a range.
+     * Calls accountsBalancesOptimized for the given accounts and makes sure that inclusive is set to false, so it
+     * properly gets the balance of a range.
      */
     public function accountsBalancesInRange(Collection $accounts, Carbon $start, Carbon $end, ?TransactionCurrency $primary = null, ?bool $convertToPrimary = null): array
     {
@@ -160,10 +159,10 @@ class Steam
         // Log::debug(sprintf('Trying bcround("%s",%d)', $number, $precision));
         if (str_contains($number, '.')) {
             if ('-' !== $number[0]) {
-                return bcadd($number, '0.'.str_repeat('0', $precision).'5', $precision);
+                return bcadd($number, '0.' . str_repeat('0', $precision) . '5', $precision);
             }
 
-            return bcsub($number, '0.'.str_repeat('0', $precision).'5', $precision);
+            return bcsub($number, '0.' . str_repeat('0', $precision) . '5', $precision);
         }
 
         return $number;
@@ -305,7 +304,8 @@ class Steam
         "balance": balance in the account's currency OR user's primary currency if the account has no currency
         --> "pc_balance": balance in the user's primary currency, with all amounts converted to the primary currency.
         "EUR": balance in EUR (or whatever currencies the account has balance in)
-        TXT)]
+        TXT
+    )]
     public function finalAccountBalance(Account $account, Carbon $date, ?TransactionCurrency $primary = null, ?bool $convertToPrimary = null, bool $inclusive = true): array
     {
 
@@ -342,8 +342,7 @@ class Steam
                           ->leftJoin('transaction_journals', 'transaction_journals.id', '=', 'transactions.transaction_journal_id')
                           ->leftJoin('transaction_currencies', 'transaction_currencies.id', '=', 'transactions.transaction_currency_id')
                           ->where('transaction_journals.date', $inclusive ? '<=' : '<', $date->format('Y-m-d H:i:s'))
-            ->get(['transaction_currencies.code', 'transactions.amount'])->toArray()
+                          ->get(['transaction_currencies.code', 'transactions.amount'])->toArray();
-        ;
         $others = $this->groupAndSumTransactions($array, 'code', 'amount');
         Log::debug('All balances are (joined)', $others);
         // if there is no request to convert, take this as "balance" and "pc_balance".
@@ -446,8 +445,7 @@ class Steam
                              'transactions.transaction_currency_id',
                              DB::raw('SUM(transactions.amount) AS sum_of_day'),
                            ]
-            )
+                       );
-        ;
 
         $currentBalance = $startBalance;
         $converter      = new ExchangeRateConverter();
@@ -663,8 +661,8 @@ class Steam
      */
     public function getSafePreviousUrl(): string
     {
-        // Log::debug(sprintf('getSafePreviousUrl: "%s"', session()->previousUrl()));
+        $res = $this->getSafeUrl(session()->previousUrl() ?? route('index'), route('index'));
-        return session()->previousUrl() ?? route('index');
+        Log::debug(sprintf('getSafePreviousUrl: "%s"', $res));
     }
 
     /**
@@ -674,7 +672,7 @@ class Steam
     {
         // Log::debug(sprintf('getSafeUrl(%s, %s)', $unknownUrl, $safeUrl));
         $returnUrl = $safeUrl;
-
+//        die('in get safe url');
         try {
             $unknownHost = parse_url($unknownUrl, PHP_URL_HOST);
         } catch (UrlException $e) {