mirror of
https://github.com/BookStackApp/BookStack.git
synced 2024-11-26 18:30:50 +08:00
Added expiry checking to API token auth
- Added test to cover to ensure its checked going forward
This commit is contained in:
parent
3d11cba223
commit
3cacda6762
|
@ -6,6 +6,7 @@ use BookStack\Exceptions\ApiAuthException;
|
|||
use Illuminate\Auth\GuardHelpers;
|
||||
use Illuminate\Contracts\Auth\Authenticatable;
|
||||
use Illuminate\Contracts\Auth\Guard;
|
||||
use Illuminate\Support\Carbon;
|
||||
use Illuminate\Support\Facades\Hash;
|
||||
use Symfony\Component\HttpFoundation\Request;
|
||||
|
||||
|
@ -125,6 +126,11 @@ class ApiTokenGuard implements Guard
|
|||
throw new ApiAuthException(trans('errors.api_incorrect_token_secret'));
|
||||
}
|
||||
|
||||
$now = Carbon::now();
|
||||
if ($token->expires_at <= $now) {
|
||||
throw new ApiAuthException(trans('errors.api_user_token_expired'), 403);
|
||||
}
|
||||
|
||||
if (!$token->user->can('access-api')) {
|
||||
throw new ApiAuthException(trans('errors.api_user_no_api_permission'), 403);
|
||||
}
|
||||
|
|
|
@ -95,5 +95,6 @@ return [
|
|||
'api_user_token_not_found' => 'No matching API token was found for the provided authorization token',
|
||||
'api_incorrect_token_secret' => 'The secret provided for the given used API token is incorrect',
|
||||
'api_user_no_api_permission' => 'The owner of the used API token does not have permission to make API calls',
|
||||
'api_user_token_expired' => 'The authorization token used has expired',
|
||||
|
||||
];
|
||||
|
|
|
@ -3,6 +3,7 @@
|
|||
namespace Tests;
|
||||
|
||||
use BookStack\Auth\Permissions\RolePermission;
|
||||
use Carbon\Carbon;
|
||||
|
||||
class ApiAuthTest extends TestCase
|
||||
{
|
||||
|
@ -52,7 +53,7 @@ class ApiAuthTest extends TestCase
|
|||
|
||||
public function test_api_access_permission_required_to_access_api()
|
||||
{
|
||||
$resp = $this->get($this->endpoint, ['Authorization' => "Token {$this->apiTokenId}:{$this->apiTokenSecret}"]);
|
||||
$resp = $this->get($this->endpoint, $this->apiAuthHeader());
|
||||
$resp->assertStatus(200);
|
||||
auth()->logout();
|
||||
|
||||
|
@ -60,12 +61,27 @@ class ApiAuthTest extends TestCase
|
|||
$editorRole = $this->getEditor()->roles()->first();
|
||||
$editorRole->detachPermission($accessApiPermission);
|
||||
|
||||
$resp = $this->get($this->endpoint, ['Authorization' => "Token {$this->apiTokenId}:{$this->apiTokenSecret}"]);
|
||||
$resp = $this->get($this->endpoint, $this->apiAuthHeader());
|
||||
$resp->assertJson($this->errorResponse("The owner of the used API token does not have permission to make API calls", 403));
|
||||
}
|
||||
|
||||
public function test_token_expiry_checked()
|
||||
{
|
||||
$editor = $this->getEditor();
|
||||
$token = $editor->apiTokens()->first();
|
||||
|
||||
public function test_email_confirmation_checked_on_auth_requets()
|
||||
$resp = $this->get($this->endpoint, $this->apiAuthHeader());
|
||||
$resp->assertStatus(200);
|
||||
auth()->logout();
|
||||
|
||||
$token->expires_at = Carbon::now()->subDay()->format('Y-m-d');
|
||||
$token->save();
|
||||
|
||||
$resp = $this->get($this->endpoint, $this->apiAuthHeader());
|
||||
$resp->assertJson($this->errorResponse("The authorization token used has expired", 403));
|
||||
}
|
||||
|
||||
public function test_email_confirmation_checked_using_api_auth()
|
||||
{
|
||||
$editor = $this->getEditor();
|
||||
$editor->email_confirmed = false;
|
||||
|
@ -74,7 +90,7 @@ class ApiAuthTest extends TestCase
|
|||
// Set settings and get user instance
|
||||
$this->setSettings(['registration-enabled' => 'true', 'registration-confirmation' => 'true']);
|
||||
|
||||
$resp = $this->get($this->endpoint, ['Authorization' => "Token {$this->apiTokenId}:{$this->apiTokenSecret}"]);
|
||||
$resp = $this->get($this->endpoint, $this->apiAuthHeader());
|
||||
$resp->assertStatus(401);
|
||||
$resp->assertJson($this->errorResponse("The email address for the account in use needs to be confirmed", 401));
|
||||
}
|
||||
|
|
|
@ -13,4 +13,11 @@ trait TestsApi
|
|||
return ["error" => ["code" => $code, "message" => $messge]];
|
||||
}
|
||||
|
||||
protected function apiAuthHeader()
|
||||
{
|
||||
return [
|
||||
"Authorization" => "Token {$this->apiTokenId}:{$this->apiTokenSecret}"
|
||||
];
|
||||
}
|
||||
|
||||
}
|
Loading…
Reference in New Issue
Block a user