bookstack/app/Http/Controllers/UserApiTokenController.php

<?php

namespace BookStack\Http\Controllers;

use BookStack\Actions\ActivityType;
use BookStack\Api\ApiToken;
use BookStack\Auth\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Str;

class UserApiTokenController extends Controller
{
    /**
     * Show the form to create a new API token.
     */
    public function create(int $userId)
    {
        // Ensure user is has access-api permission and is the current user or has permission to manage the current user.
        $this->checkPermission('access-api');
        $this->checkPermissionOrCurrentUser('users-manage', $userId);

        $user = User::query()->findOrFail($userId);

        return view('users.api-tokens.create', [
            'user' => $user,
        ]);
    }

    /**
     * Store a new API token in the system.
     */
    public function store(Request $request, int $userId)
    {
        $this->checkPermission('access-api');
        $this->checkPermissionOrCurrentUser('users-manage', $userId);

        $this->validate($request, [
            'name'       => ['required', 'max:250'],
            'expires_at' => ['date_format:Y-m-d'],
        ]);

        $user = User::query()->findOrFail($userId);
        $secret = Str::random(32);

        $token = (new ApiToken())->forceFill([
            'name'       => $request->get('name'),
            'token_id'   => Str::random(32),
            'secret'     => Hash::make($secret),
            'user_id'    => $user->id,
            'expires_at' => $request->get('expires_at') ?: ApiToken::defaultExpiry(),
        ]);

        while (ApiToken::query()->where('token_id', '=', $token->token_id)->exists()) {
            $token->token_id = Str::random(32);
        }

        $token->save();

        session()->flash('api-token-secret:' . $token->id, $secret);
        $this->showSuccessNotification(trans('settings.user_api_token_create_success'));
        $this->logActivity(ActivityType::API_TOKEN_CREATE, $token);

        return redirect($user->getEditUrl('/api-tokens/' . $token->id));
    }

    /**
     * Show the details for a user API token, with access to edit.
     */
    public function edit(int $userId, int $tokenId)
    {
        [$user, $token] = $this->checkPermissionAndFetchUserToken($userId, $tokenId);
        $secret = session()->pull('api-token-secret:' . $token->id, null);

        return view('users.api-tokens.edit', [
            'user'   => $user,
            'token'  => $token,
            'model'  => $token,
            'secret' => $secret,
        ]);
    }

    /**
     * Update the API token.
     */
    public function update(Request $request, int $userId, int $tokenId)
    {
        $this->validate($request, [
            'name'       => ['required', 'max:250'],
            'expires_at' => ['date_format:Y-m-d'],
        ]);

        [$user, $token] = $this->checkPermissionAndFetchUserToken($userId, $tokenId);
        $token->fill([
            'name'       => $request->get('name'),
            'expires_at' => $request->get('expires_at') ?: ApiToken::defaultExpiry(),
        ])->save();

        $this->showSuccessNotification(trans('settings.user_api_token_update_success'));
        $this->logActivity(ActivityType::API_TOKEN_UPDATE, $token);

        return redirect($user->getEditUrl('/api-tokens/' . $token->id));
    }

    /**
     * Show the delete view for this token.
     */
    public function delete(int $userId, int $tokenId)
    {
        [$user, $token] = $this->checkPermissionAndFetchUserToken($userId, $tokenId);

        return view('users.api-tokens.delete', [
            'user'  => $user,
            'token' => $token,
        ]);
    }

    /**
     * Destroy a token from the system.
     */
    public function destroy(int $userId, int $tokenId)
    {
        [$user, $token] = $this->checkPermissionAndFetchUserToken($userId, $tokenId);
        $token->delete();

        $this->showSuccessNotification(trans('settings.user_api_token_delete_success'));
        $this->logActivity(ActivityType::API_TOKEN_DELETE, $token);

        return redirect($user->getEditUrl('#api_tokens'));
    }

    /**
     * Check the permission for the current user and return an array
     * where the first item is the user in context and the second item is their
     * API token in context.
     */
    protected function checkPermissionAndFetchUserToken(int $userId, int $tokenId): array
    {
        $this->checkPermissionOr('users-manage', function () use ($userId) {
            return $userId === user()->id && userCan('access-api');
        });

        $user = User::query()->findOrFail($userId);
        $token = ApiToken::query()->where('user_id', '=', $user->id)->where('id', '=', $tokenId)->firstOrFail();

        return [$user, $token];
    }
}
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`<?php`

			`namespace BookStack\Http\Controllers;`
Started work on API token controls - Added access-api permission. - Started user profile UI work. - Created database table and model for tokens. - Fixed incorrect templates down migration :( 2019-12-29 21:02:26 +08:00
Implemented user, api_tokem & role activity logging Also refactored some role content, primarily updating the permission controller to be RoleController since it only dealt with roles. 2020-11-21 02:53:01 +08:00			`use BookStack\Actions\ActivityType;`
Built out interfaces & endpoints for API token managment 2019-12-30 01:03:52 +08:00			`use BookStack\Api\ApiToken;`
			`use BookStack\Auth\User;`
Started work on API token controls - Added access-api permission. - Started user profile UI work. - Created database table and model for tokens. - Fixed incorrect templates down migration :( 2019-12-29 21:02:26 +08:00			`use Illuminate\Http\Request;`
Built out interfaces & endpoints for API token managment 2019-12-30 01:03:52 +08:00			`use Illuminate\Support\Facades\Hash;`
			`use Illuminate\Support\Str;`
Started work on API token controls - Added access-api permission. - Started user profile UI work. - Created database table and model for tokens. - Fixed incorrect templates down migration :( 2019-12-29 21:02:26 +08:00
			`class UserApiTokenController extends Controller`
			`{`
			`/**`
			`* Show the form to create a new API token.`
			`*/`
			`public function create(int $userId)`
			`{`
Built out interfaces & endpoints for API token managment 2019-12-30 01:03:52 +08:00			`// Ensure user is has access-api permission and is the current user or has permission to manage the current user.`
Started work on API token controls - Added access-api permission. - Started user profile UI work. - Created database table and model for tokens. - Fixed incorrect templates down migration :( 2019-12-29 21:02:26 +08:00			`$this->checkPermission('access-api');`
Added testing coverage to user API token interfaces 2019-12-30 03:46:46 +08:00			`$this->checkPermissionOrCurrentUser('users-manage', $userId);`
Started work on API token controls - Added access-api permission. - Started user profile UI work. - Created database table and model for tokens. - Fixed incorrect templates down migration :( 2019-12-29 21:02:26 +08:00
Built out interfaces & endpoints for API token managment 2019-12-30 01:03:52 +08:00			`$user = User::query()->findOrFail($userId);`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00
Built out interfaces & endpoints for API token managment 2019-12-30 01:03:52 +08:00			`return view('users.api-tokens.create', [`
			`'user' => $user,`
			`]);`
Started work on API token controls - Added access-api permission. - Started user profile UI work. - Created database table and model for tokens. - Fixed incorrect templates down migration :( 2019-12-29 21:02:26 +08:00			`}`

Built out interfaces & endpoints for API token managment 2019-12-30 01:03:52 +08:00			`/**`
			`* Store a new API token in the system.`
			`*/`
			`public function store(Request $request, int $userId)`
			`{`
			`$this->checkPermission('access-api');`
Added testing coverage to user API token interfaces 2019-12-30 03:46:46 +08:00			`$this->checkPermissionOrCurrentUser('users-manage', $userId);`
Built out interfaces & endpoints for API token managment 2019-12-30 01:03:52 +08:00
			`$this->validate($request, [`
Standardised laravel validation to be array based Converted from string-only-based validation. Array based validation works nicer once you have validation classess or advanced validation options. 2021-11-05 08:26:55 +08:00			`'name' => ['required', 'max:250'],`
			`'expires_at' => ['date_format:Y-m-d'],`
Built out interfaces & endpoints for API token managment 2019-12-30 01:03:52 +08:00			`]);`

			`$user = User::query()->findOrFail($userId);`
			`$secret = Str::random(32);`
Fixed some empty-expiry conditions of token ui flows 2019-12-30 04:18:37 +08:00
Built out interfaces & endpoints for API token managment 2019-12-30 01:03:52 +08:00			`$token = (new ApiToken())->forceFill([`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`'name' => $request->get('name'),`
			`'token_id' => Str::random(32),`
			`'secret' => Hash::make($secret),`
			`'user_id' => $user->id,`
Extracted API auth into guard Also implemented more elegant solution to allowing session auth for API routes; A new 'StartSessionIfCookieExists' middleware, which wraps the default 'StartSession' middleware will run for API routes which only sets up the session if a session cookie is found on the request. Also decrypts only the session cookie. Also cleaned some TokenController codeclimate warnings. 2019-12-30 22:51:28 +08:00			`'expires_at' => $request->get('expires_at') ?: ApiToken::defaultExpiry(),`
Built out interfaces & endpoints for API token managment 2019-12-30 01:03:52 +08:00			`]);`

Removed token 'client' text, avoid confusion w/ oAuth - Instead have a token_id and a secret. - Displayed a 'Token ID' and 'Token Secret'. 2019-12-30 04:07:28 +08:00			`while (ApiToken::query()->where('token_id', '=', $token->token_id)->exists()) {`
			`$token->token_id = Str::random(32);`
Built out interfaces & endpoints for API token managment 2019-12-30 01:03:52 +08:00			`}`

			`$token->save();`
Added testing coverage to user API token interfaces 2019-12-30 03:46:46 +08:00
Built out interfaces & endpoints for API token managment 2019-12-30 01:03:52 +08:00			`session()->flash('api-token-secret:' . $token->id, $secret);`
Added testing coverage to user API token interfaces 2019-12-30 03:46:46 +08:00			`$this->showSuccessNotification(trans('settings.user_api_token_create_success'));`
Implemented user, api_tokem & role activity logging Also refactored some role content, primarily updating the permission controller to be RoleController since it only dealt with roles. 2020-11-21 02:53:01 +08:00			`$this->logActivity(ActivityType::API_TOKEN_CREATE, $token);`

Built out interfaces & endpoints for API token managment 2019-12-30 01:03:52 +08:00			`return redirect($user->getEditUrl('/api-tokens/' . $token->id));`
			`}`

			`/**`
			`* Show the details for a user API token, with access to edit.`
			`*/`
			`public function edit(int $userId, int $tokenId)`
			`{`
			`[$user, $token] = $this->checkPermissionAndFetchUserToken($userId, $tokenId);`
			`$secret = session()->pull('api-token-secret:' . $token->id, null);`

			`return view('users.api-tokens.edit', [`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`'user' => $user,`
			`'token' => $token,`
			`'model' => $token,`
Built out interfaces & endpoints for API token managment 2019-12-30 01:03:52 +08:00			`'secret' => $secret,`
			`]);`
			`}`

			`/**`
			`* Update the API token.`
			`*/`
			`public function update(Request $request, int $userId, int $tokenId)`
			`{`
Extracted API auth into guard Also implemented more elegant solution to allowing session auth for API routes; A new 'StartSessionIfCookieExists' middleware, which wraps the default 'StartSession' middleware will run for API routes which only sets up the session if a session cookie is found on the request. Also decrypts only the session cookie. Also cleaned some TokenController codeclimate warnings. 2019-12-30 22:51:28 +08:00			`$this->validate($request, [`
Standardised laravel validation to be array based Converted from string-only-based validation. Array based validation works nicer once you have validation classess or advanced validation options. 2021-11-05 08:26:55 +08:00			`'name' => ['required', 'max:250'],`
			`'expires_at' => ['date_format:Y-m-d'],`
Built out interfaces & endpoints for API token managment 2019-12-30 01:03:52 +08:00			`]);`

			`[$user, $token] = $this->checkPermissionAndFetchUserToken($userId, $tokenId);`
Extracted API auth into guard Also implemented more elegant solution to allowing session auth for API routes; A new 'StartSessionIfCookieExists' middleware, which wraps the default 'StartSession' middleware will run for API routes which only sets up the session if a session cookie is found on the request. Also decrypts only the session cookie. Also cleaned some TokenController codeclimate warnings. 2019-12-30 22:51:28 +08:00			`$token->fill([`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`'name' => $request->get('name'),`
Extracted API auth into guard Also implemented more elegant solution to allowing session auth for API routes; A new 'StartSessionIfCookieExists' middleware, which wraps the default 'StartSession' middleware will run for API routes which only sets up the session if a session cookie is found on the request. Also decrypts only the session cookie. Also cleaned some TokenController codeclimate warnings. 2019-12-30 22:51:28 +08:00			`'expires_at' => $request->get('expires_at') ?: ApiToken::defaultExpiry(),`
			`])->save();`
Built out interfaces & endpoints for API token managment 2019-12-30 01:03:52 +08:00
Added testing coverage to user API token interfaces 2019-12-30 03:46:46 +08:00			`$this->showSuccessNotification(trans('settings.user_api_token_update_success'));`
Implemented user, api_tokem & role activity logging Also refactored some role content, primarily updating the permission controller to be RoleController since it only dealt with roles. 2020-11-21 02:53:01 +08:00			`$this->logActivity(ActivityType::API_TOKEN_UPDATE, $token);`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00
Built out interfaces & endpoints for API token managment 2019-12-30 01:03:52 +08:00			`return redirect($user->getEditUrl('/api-tokens/' . $token->id));`
			`}`

			`/**`
			`* Show the delete view for this token.`
			`*/`
			`public function delete(int $userId, int $tokenId)`
			`{`
			`[$user, $token] = $this->checkPermissionAndFetchUserToken($userId, $tokenId);`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00
Built out interfaces & endpoints for API token managment 2019-12-30 01:03:52 +08:00			`return view('users.api-tokens.delete', [`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`'user' => $user,`
Built out interfaces & endpoints for API token managment 2019-12-30 01:03:52 +08:00			`'token' => $token,`
			`]);`
			`}`

			`/**`
			`* Destroy a token from the system.`
			`*/`
			`public function destroy(int $userId, int $tokenId)`
			`{`
			`[$user, $token] = $this->checkPermissionAndFetchUserToken($userId, $tokenId);`
			`$token->delete();`

Added testing coverage to user API token interfaces 2019-12-30 03:46:46 +08:00			`$this->showSuccessNotification(trans('settings.user_api_token_delete_success'));`
Implemented user, api_tokem & role activity logging Also refactored some role content, primarily updating the permission controller to be RoleController since it only dealt with roles. 2020-11-21 02:53:01 +08:00			`$this->logActivity(ActivityType::API_TOKEN_DELETE, $token);`

Built out interfaces & endpoints for API token managment 2019-12-30 01:03:52 +08:00			`return redirect($user->getEditUrl('#api_tokens'));`
			`}`

			`/**`
			`* Check the permission for the current user and return an array`
			`* where the first item is the user in context and the second item is their`
			`* API token in context.`
			`*/`
			`protected function checkPermissionAndFetchUserToken(int $userId, int $tokenId): array`
			`{`
Added testing coverage to user API token interfaces 2019-12-30 03:46:46 +08:00			`$this->checkPermissionOr('users-manage', function () use ($userId) {`
			`return $userId === user()->id && userCan('access-api');`
			`});`
Built out interfaces & endpoints for API token managment 2019-12-30 01:03:52 +08:00
			`$user = User::query()->findOrFail($userId);`
			`$token = ApiToken::query()->where('user_id', '=', $user->id)->where('id', '=', $tokenId)->firstOrFail();`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00
Built out interfaces & endpoints for API token managment 2019-12-30 01:03:52 +08:00			`return [$user, $token];`
			`}`
Started work on API token controls - Added access-api permission. - Started user profile UI work. - Created database table and model for tokens. - Fixed incorrect templates down migration :( 2019-12-29 21:02:26 +08:00			`}`