| 
									
										
										
										
											2019-12-30 10:16:07 +08:00
										 |  |  | <?php | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | namespace BookStack\Http\Middleware; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2020-01-02 01:01:36 +08:00
										 |  |  | use BookStack\Exceptions\ApiAuthException; | 
					
						
							| 
									
										
										
										
											2020-01-02 00:33:47 +08:00
										 |  |  | use BookStack\Exceptions\UnauthorizedException; | 
					
						
							| 
									
										
										
										
											2019-12-30 10:16:07 +08:00
										 |  |  | use Closure; | 
					
						
							| 
									
										
										
										
											2019-12-30 23:46:12 +08:00
										 |  |  | use Illuminate\Http\Request; | 
					
						
							| 
									
										
										
										
											2019-12-30 10:16:07 +08:00
										 |  |  | 
 | 
					
						
							|  |  |  | class ApiAuthenticate | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  |     /** | 
					
						
							|  |  |  |      * Handle an incoming request. | 
					
						
							|  |  |  |      */ | 
					
						
							|  |  |  |     public function handle(Request $request, Closure $next) | 
					
						
							| 
									
										
										
										
											2020-01-02 00:33:47 +08:00
										 |  |  |     { | 
					
						
							|  |  |  |         // Validate the token and it's users API access
 | 
					
						
							|  |  |  |         try { | 
					
						
							|  |  |  |             $this->ensureAuthorizedBySessionOrToken(); | 
					
						
							|  |  |  |         } catch (UnauthorizedException $exception) { | 
					
						
							|  |  |  |             return $this->unauthorisedResponse($exception->getMessage(), $exception->getCode()); | 
					
						
							|  |  |  |         } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |         return $next($request); | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     /** | 
					
						
							|  |  |  |      * Ensure the current user can access authenticated API routes, either via existing session | 
					
						
							|  |  |  |      * authentication or via API Token authentication. | 
					
						
							| 
									
										
										
										
											2021-06-26 23:23:15 +08:00
										 |  |  |      * | 
					
						
							| 
									
										
										
										
											2020-01-02 00:33:47 +08:00
										 |  |  |      * @throws UnauthorizedException | 
					
						
							|  |  |  |      */ | 
					
						
							|  |  |  |     protected function ensureAuthorizedBySessionOrToken(): void | 
					
						
							| 
									
										
										
										
											2019-12-30 10:16:07 +08:00
										 |  |  |     { | 
					
						
							|  |  |  |         // Return if the user is already found to be signed in via session-based auth.
 | 
					
						
							|  |  |  |         // This is to make it easy to browser the API via browser after just logging into the system.
 | 
					
						
							| 
									
										
										
										
											2020-05-23 05:34:18 +08:00
										 |  |  |         if (signedInUser() || session()->isStarted()) { | 
					
						
							| 
									
										
										
										
											2021-11-30 21:55:56 +08:00
										 |  |  |             if (!$this->sessionUserHasApiAccess()) { | 
					
						
							| 
									
										
										
										
											2020-01-02 01:01:36 +08:00
										 |  |  |                 throw new ApiAuthException(trans('errors.api_user_no_api_permission'), 403); | 
					
						
							|  |  |  |             } | 
					
						
							| 
									
										
										
										
											2021-06-26 23:23:15 +08:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2020-01-02 00:33:47 +08:00
										 |  |  |             return; | 
					
						
							| 
									
										
										
										
											2019-12-30 10:16:07 +08:00
										 |  |  |         } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2019-12-30 22:51:28 +08:00
										 |  |  |         // Set our api guard to be the default for this request lifecycle.
 | 
					
						
							|  |  |  |         auth()->shouldUse('api'); | 
					
						
							| 
									
										
										
										
											2019-12-30 10:16:07 +08:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2019-12-30 22:51:28 +08:00
										 |  |  |         // Validate the token and it's users API access
 | 
					
						
							| 
									
										
										
										
											2020-01-02 00:33:47 +08:00
										 |  |  |         auth()->authenticate(); | 
					
						
							| 
									
										
										
										
											2019-12-30 10:16:07 +08:00
										 |  |  |     } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-11-30 21:55:56 +08:00
										 |  |  |     /** | 
					
						
							| 
									
										
										
										
											2021-11-30 22:25:09 +08:00
										 |  |  |      * Check if the active session user has API access. | 
					
						
							| 
									
										
										
										
											2021-11-30 21:55:56 +08:00
										 |  |  |      */ | 
					
						
							|  |  |  |     protected function sessionUserHasApiAccess(): bool | 
					
						
							|  |  |  |     { | 
					
						
							|  |  |  |         $hasApiPermission = user()->can('access-api'); | 
					
						
							| 
									
										
										
										
											2021-11-30 22:25:09 +08:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-11-30 21:55:56 +08:00
										 |  |  |         return $hasApiPermission && hasAppAccess(); | 
					
						
							|  |  |  |     } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2019-12-30 10:16:07 +08:00
										 |  |  |     /** | 
					
						
							|  |  |  |      * Provide a standard API unauthorised response. | 
					
						
							|  |  |  |      */ | 
					
						
							| 
									
										
										
										
											2019-12-30 22:51:28 +08:00
										 |  |  |     protected function unauthorisedResponse(string $message, int $code) | 
					
						
							| 
									
										
										
										
											2019-12-30 10:16:07 +08:00
										 |  |  |     { | 
					
						
							|  |  |  |         return response()->json([ | 
					
						
							|  |  |  |             'error' => [ | 
					
						
							| 
									
										
										
										
											2021-06-26 23:23:15 +08:00
										 |  |  |                 'code'    => $code, | 
					
						
							| 
									
										
										
										
											2019-12-30 10:16:07 +08:00
										 |  |  |                 'message' => $message, | 
					
						
							| 
									
										
										
										
											2021-06-26 23:23:15 +08:00
										 |  |  |             ], | 
					
						
							| 
									
										
										
										
											2020-01-02 00:33:47 +08:00
										 |  |  |         ], $code); | 
					
						
							| 
									
										
										
										
											2019-12-30 10:16:07 +08:00
										 |  |  |     } | 
					
						
							|  |  |  | } |