bookstack/app/Http/Middleware/ApiAuthenticate.php

<?php

namespace BookStack\Http\Middleware;

use BookStack\Exceptions\ApiAuthException;
use Closure;
use Illuminate\Http\Request;

class ApiAuthenticate
{
    use ChecksForEmailConfirmation;

    /**
     * Handle an incoming request.
     */
    public function handle(Request $request, Closure $next)
    {
        // Return if the user is already found to be signed in via session-based auth.
        // This is to make it easy to browser the API via browser after just logging into the system.
        if (signedInUser()) {
            if ($this->awaitingEmailConfirmation()) {
                return $this->emailConfirmationErrorResponse($request);
            }
            return $next($request);
        }

        // Set our api guard to be the default for this request lifecycle.
        auth()->shouldUse('api');

        // Validate the token and it's users API access
        try {
            auth()->authenticate();
        } catch (ApiAuthException $exception) {
            return $this->unauthorisedResponse($exception->getMessage(), $exception->getCode());
        }

        if ($this->awaitingEmailConfirmation()) {
            return $this->emailConfirmationErrorResponse($request);
        }

        return $next($request);
    }

    /**
     * Provide a standard API unauthorised response.
     */
    protected function unauthorisedResponse(string $message, int $code)
    {
        return response()->json([
            'error' => [
                'code' => $code,
                'message' => $message,
            ]
        ], 401);
    }
}
Linked new API token system into middleware Base logic in place but needs review and refactor to see if can better fit into Laravel using 'Guard' system. Currently has issues due to cookies in use from active session on API. 2019-12-30 10:16:07 +08:00			`<?php`

			`namespace BookStack\Http\Middleware;`

Extracted API auth into guard Also implemented more elegant solution to allowing session auth for API routes; A new 'StartSessionIfCookieExists' middleware, which wraps the default 'StartSession' middleware will run for API routes which only sets up the session if a session cookie is found on the request. Also decrypts only the session cookie. Also cleaned some TokenController codeclimate warnings. 2019-12-30 22:51:28 +08:00			`use BookStack\Exceptions\ApiAuthException;`
Linked new API token system into middleware Base logic in place but needs review and refactor to see if can better fit into Laravel using 'Guard' system. Currently has issues due to cookies in use from active session on API. 2019-12-30 10:16:07 +08:00			`use Closure;`
Change email confirmation from own middle to trait Email confirmation middleware caused more mess than good, As caused priority issues and it depended on auth actions. Instead its now a trai used on auth middlewares. Also used 'EncryptCookies' middleware on API instead of custom decryption in custom middleware since we'd need to do replicate all the same actions anyway. Shouldn't have too much effect since it only actions over cookies that exist, of which none should be there for most API requests. Also split out some large guard functions to be a little more readable and appease codeclimate. 2019-12-30 23:46:12 +08:00			`use Illuminate\Http\Request;`
Linked new API token system into middleware Base logic in place but needs review and refactor to see if can better fit into Laravel using 'Guard' system. Currently has issues due to cookies in use from active session on API. 2019-12-30 10:16:07 +08:00
			`class ApiAuthenticate`
			`{`
Change email confirmation from own middle to trait Email confirmation middleware caused more mess than good, As caused priority issues and it depended on auth actions. Instead its now a trai used on auth middlewares. Also used 'EncryptCookies' middleware on API instead of custom decryption in custom middleware since we'd need to do replicate all the same actions anyway. Shouldn't have too much effect since it only actions over cookies that exist, of which none should be there for most API requests. Also split out some large guard functions to be a little more readable and appease codeclimate. 2019-12-30 23:46:12 +08:00			`use ChecksForEmailConfirmation;`
Linked new API token system into middleware Base logic in place but needs review and refactor to see if can better fit into Laravel using 'Guard' system. Currently has issues due to cookies in use from active session on API. 2019-12-30 10:16:07 +08:00
			`/**`
			`* Handle an incoming request.`
			`*/`
			`public function handle(Request $request, Closure $next)`
			`{`
			`// Return if the user is already found to be signed in via session-based auth.`
			`// This is to make it easy to browser the API via browser after just logging into the system.`
			`if (signedInUser()) {`
Change email confirmation from own middle to trait Email confirmation middleware caused more mess than good, As caused priority issues and it depended on auth actions. Instead its now a trai used on auth middlewares. Also used 'EncryptCookies' middleware on API instead of custom decryption in custom middleware since we'd need to do replicate all the same actions anyway. Shouldn't have too much effect since it only actions over cookies that exist, of which none should be there for most API requests. Also split out some large guard functions to be a little more readable and appease codeclimate. 2019-12-30 23:46:12 +08:00			`if ($this->awaitingEmailConfirmation()) {`
			`return $this->emailConfirmationErrorResponse($request);`
			`}`
Linked new API token system into middleware Base logic in place but needs review and refactor to see if can better fit into Laravel using 'Guard' system. Currently has issues due to cookies in use from active session on API. 2019-12-30 10:16:07 +08:00			`return $next($request);`
			`}`

Extracted API auth into guard Also implemented more elegant solution to allowing session auth for API routes; A new 'StartSessionIfCookieExists' middleware, which wraps the default 'StartSession' middleware will run for API routes which only sets up the session if a session cookie is found on the request. Also decrypts only the session cookie. Also cleaned some TokenController codeclimate warnings. 2019-12-30 22:51:28 +08:00			`// Set our api guard to be the default for this request lifecycle.`
			`auth()->shouldUse('api');`
Linked new API token system into middleware Base logic in place but needs review and refactor to see if can better fit into Laravel using 'Guard' system. Currently has issues due to cookies in use from active session on API. 2019-12-30 10:16:07 +08:00
Extracted API auth into guard Also implemented more elegant solution to allowing session auth for API routes; A new 'StartSessionIfCookieExists' middleware, which wraps the default 'StartSession' middleware will run for API routes which only sets up the session if a session cookie is found on the request. Also decrypts only the session cookie. Also cleaned some TokenController codeclimate warnings. 2019-12-30 22:51:28 +08:00			`// Validate the token and it's users API access`
			`try {`
			`auth()->authenticate();`
			`} catch (ApiAuthException $exception) {`
			`return $this->unauthorisedResponse($exception->getMessage(), $exception->getCode());`
Linked new API token system into middleware Base logic in place but needs review and refactor to see if can better fit into Laravel using 'Guard' system. Currently has issues due to cookies in use from active session on API. 2019-12-30 10:16:07 +08:00			`}`

Change email confirmation from own middle to trait Email confirmation middleware caused more mess than good, As caused priority issues and it depended on auth actions. Instead its now a trai used on auth middlewares. Also used 'EncryptCookies' middleware on API instead of custom decryption in custom middleware since we'd need to do replicate all the same actions anyway. Shouldn't have too much effect since it only actions over cookies that exist, of which none should be there for most API requests. Also split out some large guard functions to be a little more readable and appease codeclimate. 2019-12-30 23:46:12 +08:00			`if ($this->awaitingEmailConfirmation()) {`
			`return $this->emailConfirmationErrorResponse($request);`
			`}`

Linked new API token system into middleware Base logic in place but needs review and refactor to see if can better fit into Laravel using 'Guard' system. Currently has issues due to cookies in use from active session on API. 2019-12-30 10:16:07 +08:00			`return $next($request);`
			`}`

			`/**`
			`* Provide a standard API unauthorised response.`
			`*/`
Extracted API auth into guard Also implemented more elegant solution to allowing session auth for API routes; A new 'StartSessionIfCookieExists' middleware, which wraps the default 'StartSession' middleware will run for API routes which only sets up the session if a session cookie is found on the request. Also decrypts only the session cookie. Also cleaned some TokenController codeclimate warnings. 2019-12-30 22:51:28 +08:00			`protected function unauthorisedResponse(string $message, int $code)`
Linked new API token system into middleware Base logic in place but needs review and refactor to see if can better fit into Laravel using 'Guard' system. Currently has issues due to cookies in use from active session on API. 2019-12-30 10:16:07 +08:00			`{`
			`return response()->json([`
			`'error' => [`
			`'code' => $code,`
			`'message' => $message,`
			`]`
			`], 401);`
			`}`
			`}`