BookStack Code Mirror - bookstack/blob - app/Http/Middleware/ApiAuthenticate.php

1 <?php

3 namespace BookStack\Http\Middleware;

5 use BookStack\Exceptions\ApiAuthException;

6 use BookStack\Exceptions\UnauthorizedException;

7 use Closure;

8 use Illuminate\Http\Request;

10 class ApiAuthenticate

11 {

12 use ChecksForEmailConfirmation;

14 /**

15 * Handle an incoming request.

16 */

17 public function handle(Request $request, Closure $next)

18 {

19 // Validate the token and it's users API access

20 try {

21 $this->ensureAuthorizedBySessionOrToken();

22 } catch (UnauthorizedException $exception) {

23 return $this->unauthorisedResponse($exception->getMessage(), $exception->getCode());

24 }

26 return $next($request);

27 }

29 /**

30 * Ensure the current user can access authenticated API routes, either via existing session

31 * authentication or via API Token authentication.

32 *

33 * @throws UnauthorizedException

34 */

35 protected function ensureAuthorizedBySessionOrToken(): void

36 {

37 // Return if the user is already found to be signed in via session-based auth.

38 // This is to make it easy to browser the API via browser after just logging into the system.

39 if (signedInUser() || session()->isStarted()) {

40 $this->ensureEmailConfirmedIfRequested();

41 if (!user()->can('access-api')) {

42 throw new ApiAuthException(trans('errors.api_user_no_api_permission'), 403);

43 }

45 return;

46 }

48 // Set our api guard to be the default for this request lifecycle.

49 auth()->shouldUse('api');

51 // Validate the token and it's users API access

52 auth()->authenticate();

53 $this->ensureEmailConfirmedIfRequested();

54 }

56 /**

57 * Provide a standard API unauthorised response.

58 */

59 protected function unauthorisedResponse(string $message, int $code)

60 {

61 return response()->json([

62 'error' => [

63 'code' => $code,

64 'message' => $message,

65 ],

66 ], $code);

67 }

68 }