grocy/middleware/ApiKeyAuthMiddleware.php

<?php

namespace Grocy\Middleware;

use Psr\Http\Message\ServerRequestInterface as Request;
use Psr\Http\Server\RequestHandlerInterface as RequestHandler;
use Psr\Http\Message\ResponseInterface as Response;
use Slim\Routing\RouteContext;

use Grocy\Services\SessionService;
use Grocy\Services\ApiKeyService;

class ApiKeyAuthMiddleware extends BaseMiddleware
{
	public function __construct(\DI\Container $container, string $sessionCookieName, string $apiKeyHeaderName)
	{
		parent::__construct($container);
		$this->SessionCookieName = $sessionCookieName;
		$this->ApiKeyHeaderName = $apiKeyHeaderName;
	}

	protected $SessionCookieName;
	protected $ApiKeyHeaderName;

	public function __invoke(Request $request, RequestHandler $handler): Response
	{
		$routeContext = RouteContext::fromRequest($request);
		$route = $routeContext->getRoute();
		$routeName = $route->getName();

		if (GROCY_MODE === 'dev' || GROCY_MODE === 'demo' || GROCY_MODE === 'prerelease' || GROCY_IS_EMBEDDED_INSTALL || GROCY_DISABLE_AUTH)
		{
			define('GROCY_AUTHENTICATED', true);
			$response = $handler->handle($request);
		}
		else
		{
			$validSession = true;
			$validApiKey = true;
			$usedApiKey = null;

			$sessionService = SessionService::getInstance();
			if (!isset($_COOKIE[$this->SessionCookieName]) || !$sessionService->IsValidSession($_COOKIE[$this->SessionCookieName]))
			{
				$validSession = false;
			}

			$apiKeyService = new ApiKeyService();

			// First check of the API key in the configured header
			if (!$request->hasHeader($this->ApiKeyHeaderName) || !$apiKeyService->IsValidApiKey($request->getHeaderLine($this->ApiKeyHeaderName)))
			{
				$validApiKey = false;
			}
			else
			{
				$usedApiKey = $request->getHeaderLine($this->ApiKeyHeaderName);
			}

			// Not recommended, but it's also possible to provide the API key via a query parameter (same name as the configured header)
			if (!$validApiKey && !empty($request->getQueryParam($this->ApiKeyHeaderName)) && $apiKeyService->IsValidApiKey($request->getQueryParam($this->ApiKeyHeaderName)))
			{
				$validApiKey = true;
				$usedApiKey = $request->getQueryParam($this->ApiKeyHeaderName);
			}

			// Handling of special purpose API keys
			if (!$validApiKey)
			{
				if ($routeName === 'calendar-ical')
				{
					if ($request->getQueryParam('secret') !== null && $apiKeyService->IsValidApiKey($request->getQueryParam('secret'), ApiKeyService::API_KEY_TYPE_SPECIAL_PURPOSE_CALENDAR_ICAL))
					{
						$validApiKey = true;
					}
				}
			}

			if (!$validSession && !$validApiKey)
			{
				define('GROCY_AUTHENTICATED', false);
				$response = new \Slim\Psr7\Response(); // No content when unauthorized
				$response = $response->withStatus(401);
			}
			elseif ($validApiKey)
			{
				$user = $apiKeyService->GetUserByApiKey($usedApiKey);
				define('GROCY_AUTHENTICATED', true);
				define('GROCY_USER_ID', $user->id);

				$response = $handler->handle($request);
			}
			elseif ($validSession)
			{
				$user = $sessionService->GetUserBySessionKey($_COOKIE[$this->SessionCookieName]);
				define('GROCY_AUTHENTICATED', true);
				define('GROCY_USER_ID', $user->id);

				$response = $handler->handle($request);
			}
		}

		return $response;
	}
}
Finish API documentation and token auth (references #5) 2018-04-21 19:18:00 +02:00			`<?php`

			`namespace Grocy\Middleware;`

Upgrade Slim Framework to v4 (closes #561) 2020-02-11 17:42:03 +01:00			`use Psr\Http\Message\ServerRequestInterface as Request;`
			`use Psr\Http\Server\RequestHandlerInterface as RequestHandler;`
			`use Psr\Http\Message\ResponseInterface as Response;`
			`use Slim\Routing\RouteContext;`

			`use Grocy\Services\SessionService;`
			`use Grocy\Services\ApiKeyService;`
Finish API documentation and token auth (references #5) 2018-04-21 19:18:00 +02:00
			`class ApiKeyAuthMiddleware extends BaseMiddleware`
			`{`
Upgrade Slim Framework to v4 (closes #561) 2020-02-11 17:42:03 +01:00			`public function __construct(\DI\Container $container, string $sessionCookieName, string $apiKeyHeaderName)`
Finish API documentation and token auth (references #5) 2018-04-21 19:18:00 +02:00			`{`
			`parent::__construct($container);`
			`$this->SessionCookieName = $sessionCookieName;`
			`$this->ApiKeyHeaderName = $apiKeyHeaderName;`
			`}`

			`protected $SessionCookieName;`
			`protected $ApiKeyHeaderName;`

Upgrade Slim Framework to v4 (closes #561) 2020-02-11 17:42:03 +01:00			`public function __invoke(Request $request, RequestHandler $handler): Response`
Finish API documentation and token auth (references #5) 2018-04-21 19:18:00 +02:00			`{`
Upgrade Slim Framework to v4 (closes #561) 2020-02-11 17:42:03 +01:00			`$routeContext = RouteContext::fromRequest($request);`
			`$route = $routeContext->getRoute();`
Finish API documentation and token auth (references #5) 2018-04-21 19:18:00 +02:00			`$routeName = $route->getName();`

Handle demo mode via a setting instead of checking the existence of a file (closes #484) 2020-01-05 09:11:11 +01:00			`if (GROCY_MODE === 'dev' \|\| GROCY_MODE === 'demo' \|\| GROCY_MODE === 'prerelease' \|\| GROCY_IS_EMBEDDED_INSTALL \|\| GROCY_DISABLE_AUTH)`
Finish API documentation and token auth (references #5) 2018-04-21 19:18:00 +02:00			`{`
Optimize and refactor latest changes 2018-07-25 19:28:15 +02:00			`define('GROCY_AUTHENTICATED', true);`
Upgrade Slim Framework to v4 (closes #561) 2020-02-11 17:42:03 +01:00			`$response = $handler->handle($request);`
Finish API documentation and token auth (references #5) 2018-04-21 19:18:00 +02:00			`}`
			`else`
			`{`
			`$validSession = true;`
			`$validApiKey = true;`
Allow providing the API key also via a query parameter (closes #329) 2019-08-10 13:30:50 +02:00			`$usedApiKey = null;`
Convert services to singletons and use lazy loading to improve performance (#479) * use singletons to reduce need to recreate the same objects * unable to make the constructor private * comment out debug printing to log file * correct typo of treating self() as a var instead of a function * utilise Localisation service as a singleton * fix errent line that should have been commented * remove phpinfo * correct mistake in stock controller * try storing app in apcu * serialise inside the app closures * get timings for db-changed-time * get timings for db-changed-time * store localisation service in apcu * stor translations in apcu instead of localisation service (due to database connection) * correct syntax error * forgot to uncomment instance map * correct indentation and variable out of scope * more timings for app execution time * try apc caching for views * correct scope for Pot variable * remove additional fopen * correct timings for app build time * correct timings for app object build time * correct timings for app route build time * get timings for routing timings * get more in depth timings for routing loading * fix more in depth timings for routing loading * start investigating session auth middleware creation * start investigating session auth middleware creation * start investigating Login controller time * start investigating Login controller time * in depth look at Logincontroller timings * comment out debug printing * lazily obtain valus for page rendering * correct syntax error * correct scope of variable * correct visibiity of methds inherited from BaseController * missing use for Userfieldsservice * lazy loading of open api spec * lazy loading of users service * lazy loading of batteries service * lazy loading of services in controllers * lazy loading of services in services * correct mistake * fix userservice * fix userservice * fix userfieldservice * fix chores service * fix calendar service * remove Dockerfile used for development * Remove docker compose file used for development * Clean up app.php * remove last diff * Clean up base controller * Clean up controllers * lean up middleware * Clean up and tuen all services into singletons * remove debug from routes.php * remove acpu from localisation * Complete removal of acpu from localisation * fixes for things broken * More fixes following merge * Fix for start up bug. Re factoring singleton code had brroken due to scope of clas var. * fix bug where getUsersService is declared twice * bug fixes following merge * bug fixes following merge * bug fixes following merge * bug fixes following merge * bug fixes following merge * Fix all the not working things... * Deleted off-topic files * Deleted off-topic files Co-authored-by: Bernd Bestel <bernd@berrnd.de> 2020-03-01 23:47:47 +07:00
			`$sessionService = SessionService::getInstance();`
Finish API documentation and token auth (references #5) 2018-04-21 19:18:00 +02:00			`if (!isset($_COOKIE[$this->SessionCookieName]) \|\| !$sessionService->IsValidSession($_COOKIE[$this->SessionCookieName]))`
			`{`
			`$validSession = false;`
			`}`

			`$apiKeyService = new ApiKeyService();`
Allow providing the API key also via a query parameter (closes #329) 2019-08-10 13:30:50 +02:00
			`// First check of the API key in the configured header`
Finish API documentation and token auth (references #5) 2018-04-21 19:18:00 +02:00			`if (!$request->hasHeader($this->ApiKeyHeaderName) \|\| !$apiKeyService->IsValidApiKey($request->getHeaderLine($this->ApiKeyHeaderName)))`
			`{`
			`$validApiKey = false;`
			`}`
Allow providing the API key also via a query parameter (closes #329) 2019-08-10 13:30:50 +02:00			`else`
			`{`
			`$usedApiKey = $request->getHeaderLine($this->ApiKeyHeaderName);`
			`}`

			`// Not recommended, but it's also possible to provide the API key via a query parameter (same name as the configured header)`
			`if (!$validApiKey && !empty($request->getQueryParam($this->ApiKeyHeaderName)) && $apiKeyService->IsValidApiKey($request->getQueryParam($this->ApiKeyHeaderName)))`
			`{`
			`$validApiKey = true;`
			`$usedApiKey = $request->getQueryParam($this->ApiKeyHeaderName);`
			`}`
Finish API documentation and token auth (references #5) 2018-04-21 19:18:00 +02:00
Added possibility to export the calendar in iCal format (closes #141) 2019-03-04 17:44:48 +01:00			`// Handling of special purpose API keys`
			`if (!$validApiKey)`
			`{`
			`if ($routeName === 'calendar-ical')`
			`{`
			`if ($request->getQueryParam('secret') !== null && $apiKeyService->IsValidApiKey($request->getQueryParam('secret'), ApiKeyService::API_KEY_TYPE_SPECIAL_PURPOSE_CALENDAR_ICAL))`
			`{`
			`$validApiKey = true;`
			`}`
			`}`
			`}`

Finish API documentation and token auth (references #5) 2018-04-21 19:18:00 +02:00			`if (!$validSession && !$validApiKey)`
			`{`
Optimize and refactor latest changes 2018-07-25 19:28:15 +02:00			`define('GROCY_AUTHENTICATED', false);`
Upgrade Slim Framework to v4 (closes #561) 2020-02-11 17:42:03 +01:00			`$response = new \Slim\Psr7\Response(); // No content when unauthorized`
Finish API documentation and token auth (references #5) 2018-04-21 19:18:00 +02:00			`$response = $response->withStatus(401);`
			`}`
Fix some form validation problems (closes #36) 2018-08-04 07:45:24 +02:00			`elseif ($validApiKey)`
Finish API documentation and token auth (references #5) 2018-04-21 19:18:00 +02:00			`{`
Allow providing the API key also via a query parameter (closes #329) 2019-08-10 13:30:50 +02:00			`$user = $apiKeyService->GetUserByApiKey($usedApiKey);`
Optimize and refactor latest changes 2018-07-25 19:28:15 +02:00			`define('GROCY_AUTHENTICATED', true);`
			`define('GROCY_USER_ID', $user->id);`

Upgrade Slim Framework to v4 (closes #561) 2020-02-11 17:42:03 +01:00			`$response = $handler->handle($request);`
Fix some form validation problems (closes #36) 2018-08-04 07:45:24 +02:00			`}`
			`elseif ($validSession)`
			`{`
			`$user = $sessionService->GetUserBySessionKey($_COOKIE[$this->SessionCookieName]);`
			`define('GROCY_AUTHENTICATED', true);`
			`define('GROCY_USER_ID', $user->id);`

Upgrade Slim Framework to v4 (closes #561) 2020-02-11 17:42:03 +01:00			`$response = $handler->handle($request);`
Finish API documentation and token auth (references #5) 2018-04-21 19:18:00 +02:00			`}`
			`}`

			`return $response;`
			`}`
			`}`