
Added expiry checking to API token auth

- Added a test to cover this, to ensure it's checked going forward
This commit is contained in:
Dan Brown
2019-12-30 19:51:41 +00:00
parent 3d11cba223
commit 3cacda6762
4 changed files with 34 additions and 4 deletions


@ -6,6 +6,7 @@ use BookStack\Exceptions\ApiAuthException;
use Illuminate\Auth\GuardHelpers;
use Illuminate\Contracts\Auth\Authenticatable;
use Illuminate\Contracts\Auth\Guard;
use Illuminate\Support\Carbon;
use Illuminate\Support\Facades\Hash;
use Symfony\Component\HttpFoundation\Request;
@ -125,6 +126,11 @@ class ApiTokenGuard implements Guard
throw new ApiAuthException(trans('errors.api_incorrect_token_secret'));
}
$now = Carbon::now();
if ($token->expires_at <= $now) {
throw new ApiAuthException(trans('errors.api_user_token_expired'), 403);
}
if (!$token->user->can('access-api')) {
throw new ApiAuthException(trans('errors.api_user_no_api_permission'), 403);
}
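Review bot: The new comparison at `if ($token->expires_at <= $now)` assumes `expires_at` is already a Carbon/DateTime instance; if the ApiToken model does not cast that attribute to a date, the operator falls back to PHP's loose object-vs-string comparison, and if the column can ever be null for a non-expiring token, `null <= $now` evaluates to true so every such token is rejected as expired. Either confirm the date cast and not-null constraint on the model (not visible in this hunk) or make the guard explicit, e.g. `if ($token->expires_at !== null && $token->expires_at->isPast()) {`, which also removes the single-use `$now` local. If `expires_at` is a date-only column, `<=` against `Carbon::now()` rejects the token from midnight at the start of its expiry day rather than the end, which may or may not be the intent. Placing the expiry check after the secret hash comparison is the right order, since a wrong secret never learns whether the token has expired. The enclosing method starts outside the hunk.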