colin
/
bookstack
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Added expiry checking to API token auth 

- Added test to cover to ensure its checked going forward
This commit is contained in:
Dan Brown 2019-12-30 19:51:41 +00:00
parent 3d11cba223
commit 3cacda6762
No known key found for this signature in database
GPG Key ID: 46D9F943C24A2EF9
4 changed files with 34 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
app/Api/ApiTokenGuard.php
View File

@ -6,6 +6,7 @@ use BookStack\Exceptions\ApiAuthException;
use Illuminate\Auth\GuardHelpers; use Illuminate\Auth\GuardHelpers;
use Illuminate\Contracts\Auth\Authenticatable; use Illuminate\Contracts\Auth\Authenticatable;
use Illuminate\Contracts\Auth\Guard; use Illuminate\Contracts\Auth\Guard;
use Illuminate\Support\Carbon;
use Illuminate\Support\Facades\Hash; use Illuminate\Support\Facades\Hash;
use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpFoundation\Request;
@ -125,6 +126,11 @@ class ApiTokenGuard implements Guard
throw new ApiAuthException(trans('errors.api_incorrect_token_secret')); throw new ApiAuthException(trans('errors.api_incorrect_token_secret'));
} }
$now = Carbon::now();
if ($token->expires_at <= $now) {
throw new ApiAuthException(trans('errors.api_user_token_expired'), 403);
}
if (!$token->user->can('access-api')) { if (!$token->user->can('access-api')) {
throw new ApiAuthException(trans('errors.api_user_no_api_permission'), 403); throw new ApiAuthException(trans('errors.api_user_no_api_permission'), 403);
} }

1
resources/lang/en/errors.php
View File

@ -95,5 +95,6 @@ return [
'api_user_token_not_found' => 'No matching API token was found for the provided authorization token', 'api_user_token_not_found' => 'No matching API token was found for the provided authorization token',
'api_incorrect_token_secret' => 'The secret provided for the given used API token is incorrect', 'api_incorrect_token_secret' => 'The secret provided for the given used API token is incorrect',
'api_user_no_api_permission' => 'The owner of the used API token does not have permission to make API calls', 'api_user_no_api_permission' => 'The owner of the used API token does not have permission to make API calls',
'api_user_token_expired' => 'The authorization token used has expired',
]; ];

24
tests/Api/ApiAuthTest.php
View File

@ -3,6 +3,7 @@
namespace Tests; namespace Tests;
use BookStack\Auth\Permissions\RolePermission; use BookStack\Auth\Permissions\RolePermission;
use Carbon\Carbon;
class ApiAuthTest extends TestCase class ApiAuthTest extends TestCase
{ {
@ -52,7 +53,7 @@ class ApiAuthTest extends TestCase
public function test_api_access_permission_required_to_access_api() public function test_api_access_permission_required_to_access_api()
{ {
$resp = $this->get($this->endpoint, ['Authorization' => "Token {$this->apiTokenId}:{$this->apiTokenSecret}"]); $resp = $this->get($this->endpoint, $this->apiAuthHeader());
$resp->assertStatus(200); $resp->assertStatus(200);
auth()->logout(); auth()->logout();
@ -60,12 +61,27 @@ class ApiAuthTest extends TestCase
$editorRole = $this->getEditor()->roles()->first(); $editorRole = $this->getEditor()->roles()->first();
$editorRole->detachPermission($accessApiPermission); $editorRole->detachPermission($accessApiPermission);
$resp = $this->get($this->endpoint, ['Authorization' => "Token {$this->apiTokenId}:{$this->apiTokenSecret}"]); $resp = $this->get($this->endpoint, $this->apiAuthHeader());
$resp->assertJson($this->errorResponse("The owner of the used API token does not have permission to make API calls", 403)); $resp->assertJson($this->errorResponse("The owner of the used API token does not have permission to make API calls", 403));
} }
public function test_token_expiry_checked()
{
$editor = $this->getEditor();
$token = $editor->apiTokens()->first();
public function test_email_confirmation_checked_on_auth_requets() $resp = $this->get($this->endpoint, $this->apiAuthHeader());
$resp->assertStatus(200);
auth()->logout();
$token->expires_at = Carbon::now()->subDay()->format('Y-m-d');
$token->save();
$resp = $this->get($this->endpoint, $this->apiAuthHeader());
$resp->assertJson($this->errorResponse("The authorization token used has expired", 403));
}
public function test_email_confirmation_checked_using_api_auth()
{ {
$editor = $this->getEditor(); $editor = $this->getEditor();
$editor->email_confirmed = false; $editor->email_confirmed = false;
@ -74,7 +90,7 @@ class ApiAuthTest extends TestCase
// Set settings and get user instance // Set settings and get user instance
$this->setSettings(['registration-enabled' => 'true', 'registration-confirmation' => 'true']); $this->setSettings(['registration-enabled' => 'true', 'registration-confirmation' => 'true']);
$resp = $this->get($this->endpoint, ['Authorization' => "Token {$this->apiTokenId}:{$this->apiTokenSecret}"]); $resp = $this->get($this->endpoint, $this->apiAuthHeader());
$resp->assertStatus(401); $resp->assertStatus(401);
$resp->assertJson($this->errorResponse("The email address for the account in use needs to be confirmed", 401)); $resp->assertJson($this->errorResponse("The email address for the account in use needs to be confirmed", 401));
} }

7
tests/TestsApi.php
View File

@ -13,4 +13,11 @@ trait TestsApi
return ["error" => ["code" => $code, "message" => $messge]]; return ["error" => ["code" => $code, "message" => $messge]];
} }
protected function apiAuthHeader()
{
return [
"Authorization" => "Token {$this->apiTokenId}:{$this->apiTokenSecret}"
];
}
} }