3 namespace BookStack\Api;
5 use BookStack\Exceptions\ApiAuthException;
6 use Illuminate\Auth\GuardHelpers;
7 use Illuminate\Contracts\Auth\Authenticatable;
8 use Illuminate\Contracts\Auth\Guard;
9 use Illuminate\Support\Carbon;
10 use Illuminate\Support\Facades\Hash;
11 use Symfony\Component\HttpFoundation\Request;
13 class ApiTokenGuard implements Guard
19 * The request instance.
25 * The last auth exception thrown in this request.
26 * @var ApiAuthException
28 protected $lastAuthException;
31 * ApiTokenGuard constructor.
33 public function __construct(Request $request)
35 $this->request = $request;
41 public function user()
43 // Return the user if we've already retrieved them.
44 // Effectively a request-instance cache for this method.
45 if (!is_null($this->user)) {
51 $user = $this->getAuthorisedUserFromRequest();
52 } catch (ApiAuthException $exception) {
53 $this->lastAuthException = $exception;
61 * Determine if current user is authenticated. If not, throw an exception.
63 * @return \Illuminate\Contracts\Auth\Authenticatable
65 * @throws ApiAuthException
67 public function authenticate()
69 if (! is_null($user = $this->user())) {
73 if ($this->lastAuthException) {
74 throw $this->lastAuthException;
77 throw new ApiAuthException('Unauthorized');
81 * Check the API token in the request and fetch a valid authorised user.
82 * @throws ApiAuthException
84 protected function getAuthorisedUserFromRequest(): Authenticatable
86 $authToken = trim($this->request->headers->get('Authorization', ''));
87 $this->validateTokenHeaderValue($authToken);
89 [$id, $secret] = explode(':', str_replace('Token ', '', $authToken));
90 $token = ApiToken::query()
91 ->where('token_id', '=', $id)
92 ->with(['user'])->first();
94 $this->validateToken($token, $secret);
100 * Validate the format of the token header value string.
101 * @throws ApiAuthException
103 protected function validateTokenHeaderValue(string $authToken): void
105 if (empty($authToken)) {
106 throw new ApiAuthException(trans('errors.api_no_authorization_found'));
109 if (strpos($authToken, ':') === false || strpos($authToken, 'Token ') !== 0) {
110 throw new ApiAuthException(trans('errors.api_bad_authorization_format'));
115 * Validate the given secret against the given token and ensure the token
116 * currently has access to the instance API.
117 * @throws ApiAuthException
119 protected function validateToken(?ApiToken $token, string $secret): void
121 if ($token === null) {
122 throw new ApiAuthException(trans('errors.api_user_token_not_found'));
125 if (!Hash::check($secret, $token->secret)) {
126 throw new ApiAuthException(trans('errors.api_incorrect_token_secret'));
129 $now = Carbon::now();
130 if ($token->expires_at <= $now) {
131 throw new ApiAuthException(trans('errors.api_user_token_expired'), 403);
134 if (!$token->user->can('access-api')) {
135 throw new ApiAuthException(trans('errors.api_user_no_api_permission'), 403);
142 public function validate(array $credentials = [])
144 if (empty($credentials['id']) || empty($credentials['secret'])) {
148 $token = ApiToken::query()
149 ->where('token_id', '=', $credentials['id'])
150 ->with(['user'])->first();
152 if ($token === null) {
156 return Hash::check($credentials['secret'], $token->secret);
160 * "Log out" the currently authenticated user.
162 public function logout()