
Extracted API auth into guard

Also implemented a more elegant solution for allowing session auth on API
routes: a new 'StartSessionIfCookieExists' middleware, which wraps the
default 'StartSession' middleware, now runs for API routes and only
sets up the session if a session cookie is found on the request. It also
decrypts only the session cookie.

Also cleaned some TokenController codeclimate warnings.
Dan Brown
2019-12-30 14:51:28 +00:00
parent 3de55ee645
commit 349b4629be
9 changed files with 224 additions and 60 deletions


@ -1,6 +1,5 @@
<?php namespace BookStack\Http;
use BookStack\Http\Middleware\ApiAuthenticate;
use Illuminate\Foundation\Http\Kernel as HttpKernel;
class Kernel extends HttpKernel
@ -24,6 +23,7 @@ class Kernel extends HttpKernel
\BookStack\Http\Middleware\EncryptCookies::class,
\Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
\Illuminate\Session\Middleware\StartSession::class,
\BookStack\Http\Middleware\StartSessionIfCookieExists::class,
\Illuminate\View\Middleware\ShareErrorsFromSession::class,
\Illuminate\Routing\Middleware\ThrottleRequests::class,
\BookStack\Http\Middleware\VerifyCsrfToken::class,
@ -54,8 +54,7 @@ class Kernel extends HttpKernel
],
'api' => [
'throttle:60,1',
\BookStack\Http\Middleware\EncryptCookies::class,
\Illuminate\Session\Middleware\StartSession::class,
\BookStack\Http\Middleware\StartSessionIfCookieExists::class,
\BookStack\Http\Middleware\ApiAuthenticate::class,
\BookStack\Http\Middleware\ConfirmEmails::class,
],
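Review bot: The `'api'` group in the last hunk now accepts browser session cookies (`StartSessionIfCookieExists` runs ahead of `ApiAuthenticate`) but lists no `VerifyCsrfToken`. A cookie-authenticated state-changing API request would therefore have no CSRF check unless `ApiAuthenticate` or the new guard enforces one, and neither is visible in this section. I would confirm that session-based API access is limited to safe methods or requires a CSRF token, and record that above the entry, e.g. `// Session-cookie auth is accepted here without VerifyCsrfToken: unsafe methods must use an API token or be CSRF-checked in ApiAuthenticate.` Since `EncryptCookies` was dropped from this group, a second comment such as `// Decrypts only the session cookie itself; no other cookies are decrypted on API routes.` would stop someone re-adding it later. The middleware arrays and the `Kernel` class continue outside the hunks shown.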