mirror of
https://github.com/flarum/framework.git
synced 2025-05-01 00:54:04 +08:00
[b8] master token fix (#1622)
* fixed not being able to use master token because id column no longer holds key * added flexibility of user_id column * added tests to confirm the api keys actually work as intended
This commit is contained in:
Daniël Klabbers
Franz Liedke
parent
fb185f70cd
commit
bb0fc165af
@ -11,7 +11,9 @@
|
|||||||
|
|
||||||
namespace Flarum\Api;
|
namespace Flarum\Api;
|
||||||
|
|
||||||
|
use Carbon\Carbon;
|
||||||
use Flarum\Database\AbstractModel;
|
use Flarum\Database\AbstractModel;
|
||||||
|
use Flarum\User\User;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @property int $id
|
* @property int $id
|
||||||
@ -19,11 +21,14 @@ use Flarum\Database\AbstractModel;
|
|||||||
* @property string|null $allowed_ips
|
* @property string|null $allowed_ips
|
||||||
* @property string|null $scopes
|
* @property string|null $scopes
|
||||||
* @property int|null $user_id
|
* @property int|null $user_id
|
||||||
|
* @property \Flarum\User\User|null $user
|
||||||
* @property \Carbon\Carbon $created_at
|
* @property \Carbon\Carbon $created_at
|
||||||
* @property \Carbon\Carbon|null $last_activity_at
|
* @property \Carbon\Carbon|null $last_activity_at
|
||||||
*/
|
*/
|
||||||
class ApiKey extends AbstractModel
|
class ApiKey extends AbstractModel
|
||||||
{
|
{
|
||||||
|
protected $dates = ['last_activity_at'];
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Generate an API key.
|
* Generate an API key.
|
||||||
*
|
*
|
||||||
@ -37,4 +42,16 @@ class ApiKey extends AbstractModel
|
|||||||
|
|
||||||
return $key;
|
return $key;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function touch()
|
||||||
|
{
|
||||||
|
$this->last_activity_at = Carbon::now();
|
||||||
|
|
||||||
|
return $this->save();
|
||||||
|
}
|
||||||
|
|
||||||
|
public function user()
|
||||||
|
{
|
||||||
|
return $this->belongsTo(User::class);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@ -32,13 +32,14 @@ class AuthenticateWithHeader implements Middleware
|
|||||||
if (isset($parts[0]) && starts_with($parts[0], self::TOKEN_PREFIX)) {
|
if (isset($parts[0]) && starts_with($parts[0], self::TOKEN_PREFIX)) {
|
||||||
$id = substr($parts[0], strlen(self::TOKEN_PREFIX));
|
$id = substr($parts[0], strlen(self::TOKEN_PREFIX));
|
||||||
|
|
||||||
if (isset($parts[1])) {
|
if ($key = ApiKey::where('key', $id)->first()) {
|
||||||
if ($key = ApiKey::find($id)) {
|
$key->touch();
|
||||||
$actor = $this->getUser($parts[1]);
|
|
||||||
|
|
||||||
$request = $request->withAttribute('apiKey', $key);
|
$userId = $parts[1] ?? '';
|
||||||
$request = $request->withAttribute('bypassFloodgate', true);
|
$actor = $key->user ?? $this->getUser($userId);
|
||||||
}
|
|
||||||
|
$request = $request->withAttribute('apiKey', $key);
|
||||||
|
$request = $request->withAttribute('bypassFloodgate', true);
|
||||||
} elseif ($token = AccessToken::find($id)) {
|
} elseif ($token = AccessToken::find($id)) {
|
||||||
$token->touch();
|
$token->touch();
|
||||||
|
|
||||||
|
|||||||
150
tests/Api/Auth/AuthenticateWithApiKeyTest.php
Normal file
150
tests/Api/Auth/AuthenticateWithApiKeyTest.php
Normal file
@ -0,0 +1,150 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
/*
|
||||||
|
* This file is part of Flarum.
|
||||||
|
*
|
||||||
|
* (c) Toby Zerner <toby.zerner@gmail.com>
|
||||||
|
*
|
||||||
|
* For the full copyright and license information, please view the LICENSE
|
||||||
|
* file that was distributed with this source code.
|
||||||
|
*/
|
||||||
|
|
||||||
|
namespace Flarum\Tests\Api\Auth;
|
||||||
|
|
||||||
|
use Carbon\Carbon;
|
||||||
|
use Flarum\Api\ApiKey;
|
||||||
|
use Flarum\Api\Controller\CreateGroupController;
|
||||||
|
use Flarum\Tests\Test\Concerns\RetrievesAuthorizedUsers;
|
||||||
|
use Flarum\Tests\Test\TestCase;
|
||||||
|
use Psr\Http\Message\ResponseInterface;
|
||||||
|
use Psr\Http\Message\ServerRequestInterface;
|
||||||
|
use Psr\Http\Server\MiddlewareInterface;
|
||||||
|
use Psr\Http\Server\RequestHandlerInterface;
|
||||||
|
use Zend\Diactoros\Response;
|
||||||
|
use Zend\Diactoros\ServerRequestFactory;
|
||||||
|
use Zend\Stratigility\MiddlewarePipe;
|
||||||
|
|
||||||
|
class AuthenticateWithApiKeyTest extends TestCase
|
||||||
|
{
|
||||||
|
use RetrievesAuthorizedUsers;
|
||||||
|
|
||||||
|
protected function key(int $user_id = null): ApiKey
|
||||||
|
{
|
||||||
|
return ApiKey::unguarded(function () use ($user_id) {
|
||||||
|
return ApiKey::query()->firstOrCreate([
|
||||||
|
'key' => str_random(),
|
||||||
|
'user_id' => $user_id,
|
||||||
|
'created_at' => Carbon::now()
|
||||||
|
]);
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @test
|
||||||
|
* @expectedException \Flarum\User\Exception\PermissionDeniedException
|
||||||
|
*/
|
||||||
|
public function cannot_authorize_without_key()
|
||||||
|
{
|
||||||
|
$this->call(
|
||||||
|
CreateGroupController::class
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @test
|
||||||
|
*/
|
||||||
|
public function master_token_can_authenticate_as_anyone()
|
||||||
|
{
|
||||||
|
$key = $this->key();
|
||||||
|
|
||||||
|
$request = ServerRequestFactory::fromGlobals()
|
||||||
|
->withAddedHeader('Authorization', "Token {$key->key}; userId=1");
|
||||||
|
|
||||||
|
$pipe = $this->injectAuthorizationPipeline();
|
||||||
|
|
||||||
|
$response = $pipe->handle($request);
|
||||||
|
|
||||||
|
$this->assertEquals(200, $response->getStatusCode());
|
||||||
|
$this->assertEquals(1, $response->getHeader('X-Authenticated-As')[0]);
|
||||||
|
|
||||||
|
$key = $key->refresh();
|
||||||
|
|
||||||
|
$this->assertNotNull($key->last_activity_at);
|
||||||
|
|
||||||
|
$key->delete();
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @test
|
||||||
|
*/
|
||||||
|
public function personal_api_token_cannot_authenticate_as_anyone()
|
||||||
|
{
|
||||||
|
$user = $this->getNormalUser();
|
||||||
|
|
||||||
|
$key = $this->key($user->id);
|
||||||
|
|
||||||
|
$request = ServerRequestFactory::fromGlobals()
|
||||||
|
->withAddedHeader('Authorization', "Token {$key->key}; userId=1");
|
||||||
|
|
||||||
|
$pipe = $this->injectAuthorizationPipeline();
|
||||||
|
|
||||||
|
$response = $pipe->handle($request);
|
||||||
|
|
||||||
|
$this->assertEquals(200, $response->getStatusCode());
|
||||||
|
$this->assertEquals($user->id, $response->getHeader('X-Authenticated-As')[0]);
|
||||||
|
|
||||||
|
$key = $key->refresh();
|
||||||
|
|
||||||
|
$this->assertNotNull($key->last_activity_at);
|
||||||
|
|
||||||
|
$key->delete();
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @test
|
||||||
|
*/
|
||||||
|
public function personal_api_token_authenticates_user()
|
||||||
|
{
|
||||||
|
$user = $this->getNormalUser();
|
||||||
|
|
||||||
|
$key = $this->key($user->id);
|
||||||
|
|
||||||
|
$request = ServerRequestFactory::fromGlobals()
|
||||||
|
->withAddedHeader('Authorization', "Token {$key->key}");
|
||||||
|
|
||||||
|
$pipe = $this->injectAuthorizationPipeline();
|
||||||
|
|
||||||
|
$response = $pipe->handle($request);
|
||||||
|
|
||||||
|
$this->assertEquals(200, $response->getStatusCode());
|
||||||
|
$this->assertEquals($user->id, $response->getHeader('X-Authenticated-As')[0]);
|
||||||
|
|
||||||
|
$key = $key->refresh();
|
||||||
|
|
||||||
|
$this->assertNotNull($key->last_activity_at);
|
||||||
|
|
||||||
|
$key->delete();
|
||||||
|
}
|
||||||
|
|
||||||
|
protected function injectAuthorizationPipeline(): MiddlewarePipe
|
||||||
|
{
|
||||||
|
app()->resolving('flarum.api.middleware', function ($pipeline) {
|
||||||
|
$pipeline->pipe(new class implements MiddlewareInterface {
|
||||||
|
public function process(
|
||||||
|
ServerRequestInterface $request,
|
||||||
|
RequestHandlerInterface $handler
|
||||||
|
): ResponseInterface {
|
||||||
|
if ($actor = $request->getAttribute('actor')) {
|
||||||
|
return new Response\EmptyResponse(200, [
|
||||||
|
'X-Authenticated-As' => $actor->id
|
||||||
|
]);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
||||||
|
$pipe = app('flarum.api.middleware');
|
||||||
|
|
||||||
|
return $pipe;
|
||||||
|
}
|
||||||
|
}
|
||||||
0
tests/tmp/storage/sessions/.gitkeep
Normal file
0
tests/tmp/storage/sessions/.gitkeep
Normal file
Loading…
x
Reference in New Issue
Block a user