BookStack/app/Http/Middleware/ApiAuthenticate.php

<?php

namespace BookStack\Http\Middleware;

use BookStack\Exceptions\ApiAuthException;
use Closure;
use Illuminate\Http\Request;

class ApiAuthenticate
{
    /**
     * Handle an incoming request.
     *
     * @throws ApiAuthException
     */
    public function handle(Request $request, Closure $next)
    {
        // Validate the token and it's users API access
        $this->ensureAuthorizedBySessionOrToken();

        return $next($request);
    }

    /**
     * Ensure the current user can access authenticated API routes, either via existing session
     * authentication or via API Token authentication.
     *
     * @throws ApiAuthException
     */
    protected function ensureAuthorizedBySessionOrToken(): void
    {
        // Return if the user is already found to be signed in via session-based auth.
        // This is to make it easy to browser the API via browser after just logging into the system.
        if (!user()->isGuest() || session()->isStarted()) {
            if (!$this->sessionUserHasApiAccess()) {
                throw new ApiAuthException(trans('errors.api_user_no_api_permission'), 403);
            }

            return;
        }

        // Set our api guard to be the default for this request lifecycle.
        auth()->shouldUse('api');

        // Validate the token and it's users API access
        auth()->authenticate();
    }

    /**
     * Check if the active session user has API access.
     */
    protected function sessionUserHasApiAccess(): bool
    {
        $hasApiPermission = user()->can('access-api');

        return $hasApiPermission && user()->hasAppAccess();
    }
}
Linked new API token system into middleware Base logic in place but needs review and refactor to see if can better fit into Laravel using 'Guard' system. Currently has issues due to cookies in use from active session on API. 2019-12-30 10:16:07 +08:00			`<?php`

			`namespace BookStack\Http\Middleware;`

Fixed test class names + add perm. check to api session auth 2020-01-02 01:01:36 +08:00			`use BookStack\Exceptions\ApiAuthException;`
Linked new API token system into middleware Base logic in place but needs review and refactor to see if can better fit into Laravel using 'Guard' system. Currently has issues due to cookies in use from active session on API. 2019-12-30 10:16:07 +08:00			`use Closure;`
Change email confirmation from own middle to trait Email confirmation middleware caused more mess than good, As caused priority issues and it depended on auth actions. Instead its now a trai used on auth middlewares. Also used 'EncryptCookies' middleware on API instead of custom decryption in custom middleware since we'd need to do replicate all the same actions anyway. Shouldn't have too much effect since it only actions over cookies that exist, of which none should be there for most API requests. Also split out some large guard functions to be a little more readable and appease codeclimate. 2019-12-30 23:46:12 +08:00			`use Illuminate\Http\Request;`
Linked new API token system into middleware Base logic in place but needs review and refactor to see if can better fit into Laravel using 'Guard' system. Currently has issues due to cookies in use from active session on API. 2019-12-30 10:16:07 +08:00
			`class ApiAuthenticate`
			`{`
			`/**`
			`* Handle an incoming request.`
Simplify ApiAuthException control flow Remove unnecessary UnauthorizedException and make ApiAuthException compatible with HttpExceptionInterface. Move the creation of a rsponse for the exception from ApiAuthenticate middleware into the application exception handler. 2023-06-14 17:52:22 +08:00			`*`
			`* @throws ApiAuthException`
Linked new API token system into middleware Base logic in place but needs review and refactor to see if can better fit into Laravel using 'Guard' system. Currently has issues due to cookies in use from active session on API. 2019-12-30 10:16:07 +08:00			`*/`
			`public function handle(Request $request, Closure $next)`
Added API listing filtering & cleaned ApiAuthenticate returns API listing endpoint filter can be found via &filter[name]=my+book query parameters. There are a range of operators that can be used such as &filter[id:gte]=4 2020-01-02 00:33:47 +08:00			`{`
			`// Validate the token and it's users API access`
Simplify ApiAuthException control flow Remove unnecessary UnauthorizedException and make ApiAuthException compatible with HttpExceptionInterface. Move the creation of a rsponse for the exception from ApiAuthenticate middleware into the application exception handler. 2023-06-14 17:52:22 +08:00			`$this->ensureAuthorizedBySessionOrToken();`
Added API listing filtering & cleaned ApiAuthenticate returns API listing endpoint filter can be found via &filter[name]=my+book query parameters. There are a range of operators that can be used such as &filter[id:gte]=4 2020-01-02 00:33:47 +08:00
			`return $next($request);`
			`}`

			`/**`
			`* Ensure the current user can access authenticated API routes, either via existing session`
			`* authentication or via API Token authentication.`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`*`
Simplify ApiAuthException control flow Remove unnecessary UnauthorizedException and make ApiAuthException compatible with HttpExceptionInterface. Move the creation of a rsponse for the exception from ApiAuthenticate middleware into the application exception handler. 2023-06-14 17:52:22 +08:00			`* @throws ApiAuthException`
Added API listing filtering & cleaned ApiAuthenticate returns API listing endpoint filter can be found via &filter[name]=my+book query parameters. There are a range of operators that can be used such as &filter[id:gte]=4 2020-01-02 00:33:47 +08:00			`*/`
			`protected function ensureAuthorizedBySessionOrToken(): void`
Linked new API token system into middleware Base logic in place but needs review and refactor to see if can better fit into Laravel using 'Guard' system. Currently has issues due to cookies in use from active session on API. 2019-12-30 10:16:07 +08:00			`{`
			`// Return if the user is already found to be signed in via session-based auth.`
			`// This is to make it easy to browser the API via browser after just logging into the system.`
Guest control: Cleaned methods involved in fetching/handling - Moves guest user caching from User class to app container for simplicity. - Updates test to use simpler $this->users->guest() method for consistency. - Streamlined helpers to avoid function overlap for simplicity. - Extracted user profile dropdown while doing changes. 2023-09-16 20:18:35 +08:00			`if (!user()->isGuest() \|\| session()->isStarted()) {`
Updated API session auth to consider public access setting For #3091 2021-11-30 21:55:56 +08:00			`if (!$this->sessionUserHasApiAccess()) {`
Fixed test class names + add perm. check to api session auth 2020-01-02 01:01:36 +08:00			`throw new ApiAuthException(trans('errors.api_user_no_api_permission'), 403);`
			`}`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00
Added API listing filtering & cleaned ApiAuthenticate returns API listing endpoint filter can be found via &filter[name]=my+book query parameters. There are a range of operators that can be used such as &filter[id:gte]=4 2020-01-02 00:33:47 +08:00			`return;`
Linked new API token system into middleware Base logic in place but needs review and refactor to see if can better fit into Laravel using 'Guard' system. Currently has issues due to cookies in use from active session on API. 2019-12-30 10:16:07 +08:00			`}`

Extracted API auth into guard Also implemented more elegant solution to allowing session auth for API routes; A new 'StartSessionIfCookieExists' middleware, which wraps the default 'StartSession' middleware will run for API routes which only sets up the session if a session cookie is found on the request. Also decrypts only the session cookie. Also cleaned some TokenController codeclimate warnings. 2019-12-30 22:51:28 +08:00			`// Set our api guard to be the default for this request lifecycle.`
			`auth()->shouldUse('api');`
Linked new API token system into middleware Base logic in place but needs review and refactor to see if can better fit into Laravel using 'Guard' system. Currently has issues due to cookies in use from active session on API. 2019-12-30 10:16:07 +08:00
Extracted API auth into guard Also implemented more elegant solution to allowing session auth for API routes; A new 'StartSessionIfCookieExists' middleware, which wraps the default 'StartSession' middleware will run for API routes which only sets up the session if a session cookie is found on the request. Also decrypts only the session cookie. Also cleaned some TokenController codeclimate warnings. 2019-12-30 22:51:28 +08:00			`// Validate the token and it's users API access`
Added API listing filtering & cleaned ApiAuthenticate returns API listing endpoint filter can be found via &filter[name]=my+book query parameters. There are a range of operators that can be used such as &filter[id:gte]=4 2020-01-02 00:33:47 +08:00			`auth()->authenticate();`
Linked new API token system into middleware Base logic in place but needs review and refactor to see if can better fit into Laravel using 'Guard' system. Currently has issues due to cookies in use from active session on API. 2019-12-30 10:16:07 +08:00			`}`

Updated API session auth to consider public access setting For #3091 2021-11-30 21:55:56 +08:00			`/**`
Applied StyleCI changes 2021-11-30 22:25:09 +08:00			`* Check if the active session user has API access.`
Updated API session auth to consider public access setting For #3091 2021-11-30 21:55:56 +08:00			`*/`
			`protected function sessionUserHasApiAccess(): bool`
			`{`
			`$hasApiPermission = user()->can('access-api');`
Applied StyleCI changes 2021-11-30 22:25:09 +08:00
Guest control: Cleaned methods involved in fetching/handling - Moves guest user caching from User class to app container for simplicity. - Updates test to use simpler $this->users->guest() method for consistency. - Streamlined helpers to avoid function overlap for simplicity. - Extracted user profile dropdown while doing changes. 2023-09-16 20:18:35 +08:00			`return $hasApiPermission && user()->hasAppAccess();`
Updated API session auth to consider public access setting For #3091 2021-11-30 21:55:56 +08:00			`}`
Linked new API token system into middleware Base logic in place but needs review and refactor to see if can better fit into Laravel using 'Guard' system. Currently has issues due to cookies in use from active session on API. 2019-12-30 10:16:07 +08:00			`}`