bookstack/app/Http/Middleware/ApiAuthenticate.php

<?php

namespace BookStack\Http\Middleware;

use BookStack\Exceptions\ApiAuthException;
use BookStack\Exceptions\UnauthorizedException;
use Closure;
use Illuminate\Http\Request;

class ApiAuthenticate
{
    /**
     * Handle an incoming request.
     */
    public function handle(Request $request, Closure $next)
    {
        // Validate the token and it's users API access
        try {
            $this->ensureAuthorizedBySessionOrToken();
        } catch (UnauthorizedException $exception) {
            return $this->unauthorisedResponse($exception->getMessage(), $exception->getCode());
        }

        return $next($request);
    }

    /**
     * Ensure the current user can access authenticated API routes, either via existing session
     * authentication or via API Token authentication.
     *
     * @throws UnauthorizedException
     */
    protected function ensureAuthorizedBySessionOrToken(): void
    {
        // Return if the user is already found to be signed in via session-based auth.
        // This is to make it easy to browser the API via browser after just logging into the system.
        if (signedInUser() || session()->isStarted()) {
            if (!user()->can('access-api')) {
                throw new ApiAuthException(trans('errors.api_user_no_api_permission'), 403);
            }

            return;
        }

        // Set our api guard to be the default for this request lifecycle.
        auth()->shouldUse('api');

        // Validate the token and it's users API access
        auth()->authenticate();
    }

    /**
     * Provide a standard API unauthorised response.
     */
    protected function unauthorisedResponse(string $message, int $code)
    {
        return response()->json([
            'error' => [
                'code'    => $code,
                'message' => $message,
            ],
        ], $code);
    }
}
Linked new API token system into middleware Base logic in place but needs review and refactor to see if can better fit into Laravel using 'Guard' system. Currently has issues due to cookies in use from active session on API. 2019-12-30 10:16:07 +08:00			`<?php`

			`namespace BookStack\Http\Middleware;`

Fixed test class names + add perm. check to api session auth 2020-01-02 01:01:36 +08:00			`use BookStack\Exceptions\ApiAuthException;`
Added API listing filtering & cleaned ApiAuthenticate returns API listing endpoint filter can be found via &filter[name]=my+book query parameters. There are a range of operators that can be used such as &filter[id:gte]=4 2020-01-02 00:33:47 +08:00			`use BookStack\Exceptions\UnauthorizedException;`
Linked new API token system into middleware Base logic in place but needs review and refactor to see if can better fit into Laravel using 'Guard' system. Currently has issues due to cookies in use from active session on API. 2019-12-30 10:16:07 +08:00			`use Closure;`
Change email confirmation from own middle to trait Email confirmation middleware caused more mess than good, As caused priority issues and it depended on auth actions. Instead its now a trai used on auth middlewares. Also used 'EncryptCookies' middleware on API instead of custom decryption in custom middleware since we'd need to do replicate all the same actions anyway. Shouldn't have too much effect since it only actions over cookies that exist, of which none should be there for most API requests. Also split out some large guard functions to be a little more readable and appease codeclimate. 2019-12-30 23:46:12 +08:00			`use Illuminate\Http\Request;`
Linked new API token system into middleware Base logic in place but needs review and refactor to see if can better fit into Laravel using 'Guard' system. Currently has issues due to cookies in use from active session on API. 2019-12-30 10:16:07 +08:00
			`class ApiAuthenticate`
			`{`
			`/**`
			`* Handle an incoming request.`
			`*/`
			`public function handle(Request $request, Closure $next)`
Added API listing filtering & cleaned ApiAuthenticate returns API listing endpoint filter can be found via &filter[name]=my+book query parameters. There are a range of operators that can be used such as &filter[id:gte]=4 2020-01-02 00:33:47 +08:00			`{`
			`// Validate the token and it's users API access`
			`try {`
			`$this->ensureAuthorizedBySessionOrToken();`
			`} catch (UnauthorizedException $exception) {`
			`return $this->unauthorisedResponse($exception->getMessage(), $exception->getCode());`
			`}`

			`return $next($request);`
			`}`

			`/**`
			`* Ensure the current user can access authenticated API routes, either via existing session`
			`* authentication or via API Token authentication.`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`*`
Added API listing filtering & cleaned ApiAuthenticate returns API listing endpoint filter can be found via &filter[name]=my+book query parameters. There are a range of operators that can be used such as &filter[id:gte]=4 2020-01-02 00:33:47 +08:00			`* @throws UnauthorizedException`
			`*/`
			`protected function ensureAuthorizedBySessionOrToken(): void`
Linked new API token system into middleware Base logic in place but needs review and refactor to see if can better fit into Laravel using 'Guard' system. Currently has issues due to cookies in use from active session on API. 2019-12-30 10:16:07 +08:00			`{`
			`// Return if the user is already found to be signed in via session-based auth.`
			`// This is to make it easy to browser the API via browser after just logging into the system.`
Updated API auth to allow public user if given permission 2020-05-23 05:34:18 +08:00			`if (signedInUser() \|\| session()->isStarted()) {`
			`if (!user()->can('access-api')) {`
Fixed test class names + add perm. check to api session auth 2020-01-02 01:01:36 +08:00			`throw new ApiAuthException(trans('errors.api_user_no_api_permission'), 403);`
			`}`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00
Added API listing filtering & cleaned ApiAuthenticate returns API listing endpoint filter can be found via &filter[name]=my+book query parameters. There are a range of operators that can be used such as &filter[id:gte]=4 2020-01-02 00:33:47 +08:00			`return;`
Linked new API token system into middleware Base logic in place but needs review and refactor to see if can better fit into Laravel using 'Guard' system. Currently has issues due to cookies in use from active session on API. 2019-12-30 10:16:07 +08:00			`}`

Extracted API auth into guard Also implemented more elegant solution to allowing session auth for API routes; A new 'StartSessionIfCookieExists' middleware, which wraps the default 'StartSession' middleware will run for API routes which only sets up the session if a session cookie is found on the request. Also decrypts only the session cookie. Also cleaned some TokenController codeclimate warnings. 2019-12-30 22:51:28 +08:00			`// Set our api guard to be the default for this request lifecycle.`
			`auth()->shouldUse('api');`
Linked new API token system into middleware Base logic in place but needs review and refactor to see if can better fit into Laravel using 'Guard' system. Currently has issues due to cookies in use from active session on API. 2019-12-30 10:16:07 +08:00
Extracted API auth into guard Also implemented more elegant solution to allowing session auth for API routes; A new 'StartSessionIfCookieExists' middleware, which wraps the default 'StartSession' middleware will run for API routes which only sets up the session if a session cookie is found on the request. Also decrypts only the session cookie. Also cleaned some TokenController codeclimate warnings. 2019-12-30 22:51:28 +08:00			`// Validate the token and it's users API access`
Added API listing filtering & cleaned ApiAuthenticate returns API listing endpoint filter can be found via &filter[name]=my+book query parameters. There are a range of operators that can be used such as &filter[id:gte]=4 2020-01-02 00:33:47 +08:00			`auth()->authenticate();`
Linked new API token system into middleware Base logic in place but needs review and refactor to see if can better fit into Laravel using 'Guard' system. Currently has issues due to cookies in use from active session on API. 2019-12-30 10:16:07 +08:00			`}`

			`/**`
			`* Provide a standard API unauthorised response.`
			`*/`
Extracted API auth into guard Also implemented more elegant solution to allowing session auth for API routes; A new 'StartSessionIfCookieExists' middleware, which wraps the default 'StartSession' middleware will run for API routes which only sets up the session if a session cookie is found on the request. Also decrypts only the session cookie. Also cleaned some TokenController codeclimate warnings. 2019-12-30 22:51:28 +08:00			`protected function unauthorisedResponse(string $message, int $code)`
Linked new API token system into middleware Base logic in place but needs review and refactor to see if can better fit into Laravel using 'Guard' system. Currently has issues due to cookies in use from active session on API. 2019-12-30 10:16:07 +08:00			`{`
			`return response()->json([`
			`'error' => [`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`'code' => $code,`
Linked new API token system into middleware Base logic in place but needs review and refactor to see if can better fit into Laravel using 'Guard' system. Currently has issues due to cookies in use from active session on API. 2019-12-30 10:16:07 +08:00			`'message' => $message,`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`],`
Added API listing filtering & cleaned ApiAuthenticate returns API listing endpoint filter can be found via &filter[name]=my+book query parameters. There are a range of operators that can be used such as &filter[id:gte]=4 2020-01-02 00:33:47 +08:00			`], $code);`
Linked new API token system into middleware Base logic in place but needs review and refactor to see if can better fit into Laravel using 'Guard' system. Currently has issues due to cookies in use from active session on API. 2019-12-30 10:16:07 +08:00			`}`
			`}`