Add toran-proxy web authorize, and composer request not validated.

app.php

<?php

use Symfony\Component\HttpFoundation\Request;

error_reporting(0);
$uri = parse_url($_SERVER['REQUEST_URI'])['path'];
$uri = trim($uri, '/');
if (in_array($uri, [
    '', 'app.php',
    'settings', 'app.php/settings',
    'repositories', 'app.php/repositories',
    'packagist', 'app.php/packagist',
    'docs/bootstrap.md', 'app.php/docs/bootstrap.md',
])) {
    authLogin();
}

function authLogin() {

    // username => password
    $validPasswds = [
        'wangwl' => 'test',
        'zhangpc' => 'test',
    ];

    $user = $_SERVER['PHP_AUTH_USER'];
    $pass = $_SERVER['PHP_AUTH_PW'];

    $validated = array_key_exists($user, $validPasswds) && $pass == $validPasswds[$user];

    if (!$validated) {
        header('WWW-Authenticate: Basic realm="wilon.github.io"');
        header('HTTP/1.0 401 Unauthorized');
        die ("Not authorized");
    }
    return $user;
}

/**
 * @var Composer\Autoload\ClassLoader
 */
$loader = require __DIR__.'/../app/autoload.php';
include_once __DIR__.'/../app/bootstrap.php.cache';

// Enable the line below to display errors and troubleshoot a broken setup
// Symfony\Component\Debug\Debug::enable();

$kernel = new AppKernel('prod', false);
$kernel->loadClassCache();

$request = Request::createFromGlobals();
$response = $kernel->handle($request);
$response->send();
$kernel->terminate($request, $response);

When set TORAN_AUTH_ENABLE false, devolopers can use Toran Proxy composer service whit no authorize.

But you don't want people visit Toran Proxy settings. Just replace the toran/web/app.php ——

wget -O YOUR_TORAN_PROJECT/web/app.php https://gist.githubusercontent.com/wilon/aaf8e444cd081a48f25dd15f5d2c43fa/raw/9c72cea4686b178c682ad0823c17997c5db26c29/app.php

aaaa