mirror of
https://github.com/BookStackApp/BookStack.git
synced 2025-07-28 17:02:04 +03:00
Extracted API auth into guard
Also implemented more elegant solution to allowing session auth for API routes; A new 'StartSessionIfCookieExists' middleware, which wraps the default 'StartSession' middleware will run for API routes which only sets up the session if a session cookie is found on the request. Also decrypts only the session cookie. Also cleaned some TokenController codeclimate warnings.
This commit is contained in:
Dan Brown
@ -2,10 +2,9 @@
|
||||
|
||||
namespace BookStack\Http\Middleware;
|
||||
|
||||
use BookStack\Api\ApiToken;
|
||||
use BookStack\Exceptions\ApiAuthException;
|
||||
use BookStack\Http\Request;
|
||||
use Closure;
|
||||
use Hash;
|
||||
|
||||
class ApiAuthenticate
|
||||
{
|
||||
@ -15,58 +14,29 @@ class ApiAuthenticate
|
||||
*/
|
||||
public function handle(Request $request, Closure $next)
|
||||
{
|
||||
// TODO - Look to extract a lot of the logic here into a 'Guard'
|
||||
// Ideally would like to be able to request API via browser without having to boot
|
||||
// the session middleware (in Kernel).
|
||||
|
||||
// $sessionCookieName = config('session.cookie');
|
||||
// if ($request->cookies->has($sessionCookieName)) {
|
||||
// $sessionCookie = $request->cookies->get($sessionCookieName);
|
||||
// $sessionCookie = decrypt($sessionCookie, false);
|
||||
// dd($sessionCookie);
|
||||
// }
|
||||
|
||||
// Return if the user is already found to be signed in via session-based auth.
|
||||
// This is to make it easy to browser the API via browser after just logging into the system.
|
||||
if (signedInUser()) {
|
||||
return $next($request);
|
||||
}
|
||||
|
||||
$authToken = trim($request->header('Authorization', ''));
|
||||
if (empty($authToken)) {
|
||||
return $this->unauthorisedResponse(trans('errors.api_no_authorization_found'));
|
||||
// Set our api guard to be the default for this request lifecycle.
|
||||
auth()->shouldUse('api');
|
||||
|
||||
// Validate the token and it's users API access
|
||||
try {
|
||||
auth()->authenticate();
|
||||
} catch (ApiAuthException $exception) {
|
||||
return $this->unauthorisedResponse($exception->getMessage(), $exception->getCode());
|
||||
}
|
||||
|
||||
if (strpos($authToken, ':') === false || strpos($authToken, 'Token ') !== 0) {
|
||||
return $this->unauthorisedResponse(trans('errors.api_bad_authorization_format'));
|
||||
}
|
||||
|
||||
[$id, $secret] = explode(':', str_replace('Token ', '', $authToken));
|
||||
$token = ApiToken::query()
|
||||
->where('token_id', '=', $id)
|
||||
->with(['user'])->first();
|
||||
|
||||
if ($token === null) {
|
||||
return $this->unauthorisedResponse(trans('errors.api_user_token_not_found'));
|
||||
}
|
||||
|
||||
if (!Hash::check($secret, $token->secret)) {
|
||||
return $this->unauthorisedResponse(trans('errors.api_incorrect_token_secret'));
|
||||
}
|
||||
|
||||
if (!$token->user->can('access-api')) {
|
||||
return $this->unauthorisedResponse(trans('errors.api_user_no_api_permission'), 403);
|
||||
}
|
||||
|
||||
auth()->login($token->user);
|
||||
|
||||
return $next($request);
|
||||
}
|
||||
|
||||
/**
|
||||
* Provide a standard API unauthorised response.
|
||||
*/
|
||||
protected function unauthorisedResponse(string $message, int $code = 401)
|
||||
protected function unauthorisedResponse(string $message, int $code)
|
||||
{
|
||||
return response()->json([
|
||||
'error' => [
|
||||
|
||||
Reference in New Issue
Block a user