676571dab9
The hoster writes the environment variable with bearer token to REDIRECT_HTTP_AUTHORIZATION and needs to provide RewriteBase / to .htaccess
148 lines
4.2 KiB
PHP
148 lines
4.2 KiB
PHP
<?php
|
|
namespace Shaarli\Api;
|
|
|
|
use Shaarli\Api\Exceptions\ApiAuthorizationException;
|
|
use Shaarli\Api\Exceptions\ApiException;
|
|
use Shaarli\Bookmark\BookmarkFileService;
|
|
use Shaarli\Config\ConfigManager;
|
|
use Slim\Container;
|
|
use Slim\Http\Request;
|
|
use Slim\Http\Response;
|
|
|
|
/**
|
|
* Class ApiMiddleware
|
|
*
|
|
* This will be called before accessing any API Controller.
|
|
* Its role is to make sure that the API is enabled, configured, and to validate the JWT token.
|
|
*
|
|
* If the request is validated, the controller is called, otherwise a JSON error response is returned.
|
|
*
|
|
* @package Api
|
|
*/
|
|
class ApiMiddleware
|
|
{
|
|
/**
|
|
* @var int JWT token validity in seconds (9 min).
|
|
*/
|
|
public static $TOKEN_DURATION = 540;
|
|
|
|
/**
|
|
* @var Container: contains conf, plugins, etc.
|
|
*/
|
|
protected $container;
|
|
|
|
/**
|
|
* @var ConfigManager instance.
|
|
*/
|
|
protected $conf;
|
|
|
|
/**
|
|
* ApiMiddleware constructor.
|
|
*
|
|
* @param Container $container instance.
|
|
*/
|
|
public function __construct($container)
|
|
{
|
|
$this->container = $container;
|
|
$this->conf = $this->container->get('conf');
|
|
$this->setLinkDb($this->conf);
|
|
}
|
|
|
|
/**
|
|
* Middleware execution:
|
|
* - check the API request
|
|
* - execute the controller
|
|
* - return the response
|
|
*
|
|
* @param Request $request Slim request
|
|
* @param Response $response Slim response
|
|
* @param callable $next Next action
|
|
*
|
|
* @return Response response.
|
|
*/
|
|
public function __invoke($request, $response, $next)
|
|
{
|
|
try {
|
|
$this->checkRequest($request);
|
|
$response = $next($request, $response);
|
|
} catch (ApiException $e) {
|
|
$e->setResponse($response);
|
|
$e->setDebug($this->conf->get('dev.debug', false));
|
|
$response = $e->getApiResponse();
|
|
}
|
|
|
|
return $response
|
|
->withHeader('Access-Control-Allow-Origin', '*')
|
|
->withHeader(
|
|
'Access-Control-Allow-Headers',
|
|
'X-Requested-With, Content-Type, Accept, Origin, Authorization'
|
|
)
|
|
->withHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS')
|
|
;
|
|
}
|
|
|
|
/**
|
|
* Check the request validity (HTTP method, request value, etc.),
|
|
* that the API is enabled, and the JWT token validity.
|
|
*
|
|
* @param Request $request Slim request
|
|
*
|
|
* @throws ApiAuthorizationException The API is disabled or the token is invalid.
|
|
*/
|
|
protected function checkRequest($request)
|
|
{
|
|
if (! $this->conf->get('api.enabled', true)) {
|
|
throw new ApiAuthorizationException('API is disabled');
|
|
}
|
|
$this->checkToken($request);
|
|
}
|
|
|
|
/**
|
|
* Check that the JWT token is set and valid.
|
|
* The API secret setting must be set.
|
|
*
|
|
* @param Request $request Slim request
|
|
*
|
|
* @throws ApiAuthorizationException The token couldn't be validated.
|
|
*/
|
|
protected function checkToken($request)
|
|
{
|
|
if (! $request->hasHeader('Authorization') && !isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])) {
|
|
throw new ApiAuthorizationException('JWT token not provided');
|
|
}
|
|
|
|
if (empty($this->conf->get('api.secret'))) {
|
|
throw new ApiAuthorizationException('Token secret must be set in Shaarli\'s administration');
|
|
}
|
|
|
|
if (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])) {
|
|
$authorization = $_SERVER['REDIRECT_HTTP_AUTHORIZATION'];
|
|
} else {
|
|
$authorization = $request->getHeaderLine('Authorization');
|
|
}
|
|
|
|
if (! preg_match('/^Bearer (.*)/i', $authorization, $matches)) {
|
|
throw new ApiAuthorizationException('Invalid JWT header');
|
|
}
|
|
|
|
ApiUtils::validateJwtToken($matches[1], $this->conf->get('api.secret'));
|
|
}
|
|
|
|
/**
|
|
* Instantiate a new LinkDB including private bookmarks,
|
|
* and load in the Slim container.
|
|
*
|
|
* FIXME! LinkDB could use a refactoring to avoid this trick.
|
|
*
|
|
* @param ConfigManager $conf instance.
|
|
*/
|
|
protected function setLinkDb($conf)
|
|
{
|
|
$linkDb = new BookmarkFileService(
|
|
$conf,
|
|
$this->container->get('history'),
|
|
true
|
|
);
|
|
$this->container['db'] = $linkDb;
|
|
}
|
|
}
|