use Illuminate\Auth\GuardHelpers;
use Illuminate\Contracts\Auth\Authenticatable;
use Illuminate\Contracts\Auth\Guard;
+use Illuminate\Support\Carbon;
use Illuminate\Support\Facades\Hash;
use Symfony\Component\HttpFoundation\Request;
throw new ApiAuthException(trans('errors.api_incorrect_token_secret'));
}
+ $now = Carbon::now();
+ if ($token->expires_at <= $now) {
+ throw new ApiAuthException(trans('errors.api_user_token_expired'), 403);
+ }
+
if (!$token->user->can('access-api')) {
throw new ApiAuthException(trans('errors.api_user_no_api_permission'), 403);
}
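Review bot: The comparison at `if ($token->expires_at <= $now)` relies on `expires_at` being cast to a date on the ApiToken model, which this hunk does not show; if it arrives as a raw string the expression becomes a string-vs-Carbon comparison that only works because Carbon's default `__toString` format happens to sort lexically. Making the intent explicit, e.g. `if ($token->expires_at->lessThanOrEqualTo($now)) {`, keeps the inclusive boundary and fails loudly if the attribute is ever not a date object. A null `expires_at` would also evaluate as `null <= object` and be treated as expired, so if tokens without an expiry are possible the check needs a null guard, or the column should be documented as non-nullable. Rejecting expiry only after the secret check on the line above is the right order, since it avoids exposing expiry state for tokens whose secret is unknown. The enclosing method starts outside the hunk.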
'api_user_token_not_found' => 'No matching API token was found for the provided authorization token',
'api_incorrect_token_secret' => 'The secret provided for the given used API token is incorrect',
'api_user_no_api_permission' => 'The owner of the used API token does not have permission to make API calls',
+ 'api_user_token_expired' => 'The authorization token used has expired',
];
namespace Tests;
use BookStack\Auth\Permissions\RolePermission;
+use Carbon\Carbon;
class ApiAuthTest extends TestCase
{
public function test_api_access_permission_required_to_access_api()
{
- $resp = $this->get($this->endpoint, ['Authorization' => "Token {$this->apiTokenId}:{$this->apiTokenSecret}"]);
+ $resp = $this->get($this->endpoint, $this->apiAuthHeader());
$resp->assertStatus(200);
auth()->logout();
$editorRole = $this->getEditor()->roles()->first();
$editorRole->detachPermission($accessApiPermission);
- $resp = $this->get($this->endpoint, ['Authorization' => "Token {$this->apiTokenId}:{$this->apiTokenSecret}"]);
+ $resp = $this->get($this->endpoint, $this->apiAuthHeader());
$resp->assertJson($this->errorResponse("The owner of the used API token does not have permission to make API calls", 403));
}
+ public function test_token_expiry_checked()
+ {
+ $editor = $this->getEditor();
+ $token = $editor->apiTokens()->first();
+
+ $resp = $this->get($this->endpoint, $this->apiAuthHeader());
+ $resp->assertStatus(200);
+ auth()->logout();
+
+ $token->expires_at = Carbon::now()->subDay()->format('Y-m-d');
+ $token->save();
+
+ $resp = $this->get($this->endpoint, $this->apiAuthHeader());
+ $resp->assertJson($this->errorResponse("The authorization token used has expired", 403));
+ }
- public function test_email_confirmation_checked_on_auth_requets()
+ public function test_email_confirmation_checked_using_api_auth()
{
$editor = $this->getEditor();
$editor->email_confirmed = false;
// Set settings and get user instance
$this->setSettings(['registration-enabled' => 'true', 'registration-confirmation' => 'true']);
- $resp = $this->get($this->endpoint, ['Authorization' => "Token {$this->apiTokenId}:{$this->apiTokenSecret}"]);
+ $resp = $this->get($this->endpoint, $this->apiAuthHeader());
$resp->assertStatus(401);
$resp->assertJson($this->errorResponse("The email address for the account in use needs to be confirmed", 401));
}
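Review bot: `test_token_expiry_checked` asserts only the JSON body after expiry, not the HTTP status, so a regression that returned the expired-token error body with a 200 would still pass; add `$resp->assertStatus(403);` before the `assertJson` line. The test sets `expires_at` to a date-only string via `format('Y-m-d')`, which covers the previous-day case but not the boundary where the expiry date is today, which the guard's inclusive comparison would presumably reject from midnight if the column is date-cast; a second case, or a comment stating that expiry is treated as the start of the day, would pin that behaviour. `apiAuthHeader()` is referenced throughout but defined outside this hunk, presumably elsewhere in the same class.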