From 23f8ee408e16da803bb530e1858be9d55ebb1bec Mon Sep 17 00:00:00 2001
From: Pig Fang
Date: Wed, 22 May 2019 10:13:01 +0800
Subject: [PATCH] Require verified email for OAuth routes (fix #59)
---
 app/Providers/RouteServiceProvider.php | 2 +-
 resources/misc/changelogs/en/4.2.1.md | 1 +
 resources/misc/changelogs/zh_CN/4.2.1.md | 1 +
 routes/web.php | 2 +-
 tests/MiddlewareTest.php | 7 +++++++
 5 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/app/Providers/RouteServiceProvider.php b/app/Providers/RouteServiceProvider.php
index 4b3e92d4..be8906bf 100644
--- a/app/Providers/RouteServiceProvider.php
+++ b/app/Providers/RouteServiceProvider.php
@@ -45,7 +45,7 @@ class RouteServiceProvider extends ServiceProvider
 $this->mapApiRoutes();
- Passport::routes();
+ Passport::routes(null, ['middleware' => ['verified']]);
 event(new ConfigureRoutes($router));
 }
diff --git a/resources/misc/changelogs/en/4.2.1.md b/resources/misc/changelogs/en/4.2.1.md
index 10ec7a9f..bee417d7 100644
--- a/resources/misc/changelogs/en/4.2.1.md
+++ b/resources/misc/changelogs/en/4.2.1.md
@@ -4,3 +4,4 @@
 - Fixed that "Operations Panel" in "Texture Details" page is shown even if current user is not privileged.
 - Fixed that banning the texture uploader will in fact ban the reporter.
 - Fixed that an error will occur when handling a report whose texture has been deleted.
+- Fixed that user without verified email can access OAuth.
diff --git a/resources/misc/changelogs/zh_CN/4.2.1.md b/resources/misc/changelogs/zh_CN/4.2.1.md
index 93a30a1e..b67a6730 100644
--- a/resources/misc/changelogs/zh_CN/4.2.1.md
+++ b/resources/misc/changelogs/zh_CN/4.2.1.md
@@ -4,3 +4,4 @@
 - 「材质详情」中「更多操作」面板不再对无权限的用户显示
 - 修复处理举报时,封禁上传者实际上会封禁举报人
 - 修复处理举报时,若材质已被删除,则会出错
+- 未验证邮箱的用户能使用 OAuth 的问题
diff --git a/routes/web.php b/routes/web.php
index e4826d16..91fa019f 100644
--- a/routes/web.php
+++ b/routes/web.php
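Review bot: The `['middleware' => ['verified']]` option on `Passport::routes(...)` is applied to every route Passport registers, not only the session-backed management endpoints, so it also wraps `/oauth/token`, which OAuth clients call without a logged-in user. The `verified` middleware itself is not visible in this patch; if it reads the current user unconditionally, that endpoint would fail instead of returning 403, and because group-level middleware is listed ahead of Passport's own `auth` it may run before the user has been resolved. Please confirm both cases and record the intent next to the call, e.g. `// 'verified' wraps all Passport routes, including /oauth/token; the middleware must tolerate a missing user`. The enclosing method begins above the hunk.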
@@ -84,7 +84,7 @@ Route::group([
 Route::post('/closet/rename/{tid}', 'ClosetController@rename');
 // OAuth2 Management
- Route::view('/oauth/manage', 'user.oauth');
+ Route::view('/oauth/manage', 'user.oauth')->middleware('verified');
 });
 /*
diff --git a/tests/MiddlewareTest.php b/tests/MiddlewareTest.php
index 26c1595f..8d17c261 100644
--- a/tests/MiddlewareTest.php
+++ b/tests/MiddlewareTest.php
@@ -37,6 +37,13 @@ class MiddlewareTest extends TestCase
 $this->actAs('normal')
 ->get('/skinlib/upload')
 ->assertSuccessful();
+
+ $user = factory(User::class)->create(['verified' => false]);
+ $this->actingAs($user)->get('/user/oauth/manage')->assertForbidden();
+ $this->getJson('/oauth/clients')->assertForbidden();
+ $user->verified = true;
+ $user->save();
+ $this->getJson('/oauth/clients')->assertSuccessful();
 }
 public function testCheckAdministrator()
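Review bot: The `// OAuth2 Management` comment above this route does not say that the page now requires a verified email, and the same rule is enforced separately on the Passport routes in `RouteServiceProvider`. A comment such as `// OAuth2 Management (verified email required; keep in sync with the Passport::routes options)` would make that coupling visible to whoever edits either place. The enclosing `Route::group([` opens above the hunk, so the group's own middleware list is not visible here.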
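Review bot: The new assertions cover only the management page and `/oauth/clients`, so the Passport endpoints that list and issue tokens are not pinned by a test. Adding `$this->getJson('/oauth/tokens')->assertForbidden();` and `$this->getJson('/oauth/personal-access-tokens')->assertForbidden();` before `$user->verified = true;` would catch a later change that narrows the middleware to fewer routes. Because `actingAs` sets the user directly on the guard, these requests do not exercise the order in which `verified` and the session/auth middleware run, so that ordering needs a separate check. The test method these lines are appended to starts above the hunk.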