mirrors/shlink
1
0
Fork 0
mirror of https://github.com/shlinkio/shlink.git synced 2025-02-17 15:59:56 +03:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #218 from acelaya/feature/api-key

Browse source 
Feature/api key
This commit is contained in:
Alejandro Celaya 2018-09-29 09:05:37 +02:00 committed by GitHub
commit d5dc6cea99
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
33 changed files with 1091 additions and 371 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
config/autoload/middleware-pipeline.global.php
View file

@ -39,7 +39,7 @@ return [
Rest\Middleware\CrossDomainMiddleware::class, Rest\Middleware\CrossDomainMiddleware::class,
Expressive\Router\Middleware\ImplicitOptionsMiddleware::class, Expressive\Router\Middleware\ImplicitOptionsMiddleware::class,
Rest\Middleware\BodyParserMiddleware::class, Rest\Middleware\BodyParserMiddleware::class,
Rest\Middleware\CheckAuthenticationMiddleware::class, Rest\Middleware\AuthenticationMiddleware::class,
], ],
'priority' => 5, 'priority' => 5,
], ],

5
docs/swagger/paths/v1_authenticate.json
View file

@ -1,11 +1,12 @@
{ {
"post": { "post": {
"deprecated": true,
"operationId": "authenticate", "operationId": "authenticate",
"tags": [ "tags": [
"Authentication" "Authentication"
], ],
"summary": "Perform authentication", "summary": "[Deprecated] Perform authentication",
"description": "Performs an authentication", "description": "**This endpoint is deprecated, since the authentication can be performed via API key now**. Performs an authentication.",
"requestBody": { "requestBody": {
"description": "Request body.", "description": "Request body.",
"required": true, "required": true,

6
docs/swagger/paths/v1_short-urls.json
View file

@ -54,6 +54,9 @@
} }
], ],
"security": [ "security": [
{
"ApiKey": []
},
{ {
"Bearer": [] "Bearer": []
} }
@ -150,6 +153,9 @@
"summary": "Create short URL", "summary": "Create short URL",
"description": "Creates a new short URL.<br><br>**Important note**: Before shlink v1.13, this endpoint used to use the `/short-codes` path instead of `/short-urls`. Both of them will keep working, while the first one is considered deprecated.", "description": "Creates a new short URL.<br><br>**Important note**: Before shlink v1.13, this endpoint used to use the `/short-codes` path instead of `/short-urls`. Both of them will keep working, while the first one is considered deprecated.",
"security": [ "security": [
{
"ApiKey": []
},
{ {
"Bearer": [] "Bearer": []
} }

9
docs/swagger/paths/v1_short-urls_{shortCode}.json
View file

@ -18,6 +18,9 @@
} }
], ],
"security": [ "security": [
{
"ApiKey": []
},
{ {
"Bearer": [] "Bearer": []
} }
@ -122,6 +125,9 @@
} }
}, },
"security": [ "security": [
{
"ApiKey": []
},
{ {
"Bearer": [] "Bearer": []
} }
@ -182,6 +188,9 @@
} }
], ],
"security": [ "security": [
{
"ApiKey": []
},
{ {
"Bearer": [] "Bearer": []
} }

3
docs/swagger/paths/v1_short-urls_{shortCode}_tags.json
View file

@ -41,6 +41,9 @@
} }
}, },
"security": [ "security": [
{
"ApiKey": []
},
{ {
"Bearer": [] "Bearer": []
} }

3
docs/swagger/paths/v1_short-urls_{shortCode}_visits.json
View file

@ -36,6 +36,9 @@
} }
], ],
"security": [ "security": [
{
"ApiKey": []
},
{ {
"Bearer": [] "Bearer": []
} }

12
docs/swagger/paths/v1_tags.json
View file

@ -7,6 +7,9 @@
"summary": "List existing tags", "summary": "List existing tags",
"description": "Returns the list of all tags used in any short URL, ordered by name", "description": "Returns the list of all tags used in any short URL, ordered by name",
"security": [ "security": [
{
"ApiKey": []
},
{ {
"Bearer": [] "Bearer": []
} }
@ -68,6 +71,9 @@
"summary": "Create tags", "summary": "Create tags",
"description": "Provided a list of tags, creates all that do not yet exist", "description": "Provided a list of tags, creates all that do not yet exist",
"security": [ "security": [
{
"ApiKey": []
},
{ {
"Bearer": [] "Bearer": []
} }
@ -152,6 +158,9 @@
"summary": "Rename tag", "summary": "Rename tag",
"description": "Renames one existing tag", "description": "Renames one existing tag",
"security": [ "security": [
{
"ApiKey": []
},
{ {
"Bearer": [] "Bearer": []
} }
@ -240,6 +249,9 @@
} }
], ],
"security": [ "security": [
{
"ApiKey": []
},
{ {
"Bearer": [] "Bearer": []
} }

24
docs/swagger/swagger.json
View file

@ -23,8 +23,14 @@
"components": { "components": {
"securitySchemes": { "securitySchemes": {
"ApiKey": {
"description": "A valid shlink API key",
"type": "apiKey",
"in": "header",
"name": "X-Api-Key"
},
"Bearer": { "Bearer": {
"description": "The JWT identifying a previously logged API key", "description": "**[Deprecated]** The JWT identifying a previously authenticated API key",
"type": "http", "type": "http",
"scheme": "bearer", "scheme": "bearer",
"bearerFormat": "JWT" "bearerFormat": "JWT"
@ -33,10 +39,6 @@
}, },
"tags": [ "tags": [
{
"name": "Authentication",
"description": "Authentication-related endpoints"
},
{ {
"name": "Short URLs", "name": "Short URLs",
"description": "Operations that can be performed on short URLs" "description": "Operations that can be performed on short URLs"
@ -48,14 +50,14 @@
{ {
"name": "Visits", "name": "Visits",
"description": "Operations to manage visits on short URLs" "description": "Operations to manage visits on short URLs"
},
{
"name": "Authentication",
"description": "Authentication-related endpoints"
} }
], ],
"paths": { "paths": {
"/v1/authenticate": {
"$ref": "paths/v1_authenticate.json"
},
"/v1/short-urls": { "/v1/short-urls": {
"$ref": "paths/v1_short-urls.json" "$ref": "paths/v1_short-urls.json"
}, },
@ -75,6 +77,10 @@
"/v1/short-urls/{shortCode}/visits": { "/v1/short-urls/{shortCode}/visits": {
"$ref": "paths/v1_short-urls_{shortCode}_visits.json" "$ref": "paths/v1_short-urls_{shortCode}_visits.json"
},
"/v1/authenticate": {
"$ref": "paths/v1_authenticate.json"
} }
} }
} }

39
module/Rest/config/auth.config.php
View file

@ -3,6 +3,8 @@ declare(strict_types=1);
namespace Shlinkio\Shlink\Rest; namespace Shlinkio\Shlink\Rest;
use Zend\ServiceManager\AbstractFactory\ConfigAbstractFactory;
return [ return [
'auth' => [ 'auth' => [
@ -10,6 +12,43 @@ return [
Action\AuthenticateAction::class, Action\AuthenticateAction::class,
Action\ShortUrl\SingleStepCreateShortUrlAction::class, Action\ShortUrl\SingleStepCreateShortUrlAction::class,
], ],
'plugins' => [
'factories' => [
Authentication\Plugin\ApiKeyHeaderPlugin::class => ConfigAbstractFactory::class,
Authentication\Plugin\AuthorizationHeaderPlugin::class => ConfigAbstractFactory::class,
],
'aliases' => [
Authentication\Plugin\ApiKeyHeaderPlugin::HEADER_NAME =>
Authentication\Plugin\ApiKeyHeaderPlugin::class,
Authentication\Plugin\AuthorizationHeaderPlugin::HEADER_NAME =>
Authentication\Plugin\AuthorizationHeaderPlugin::class,
],
],
],
'dependencies' => [
'factories' => [
Authentication\AuthenticationPluginManager::class =>
Authentication\AuthenticationPluginManagerFactory::class,
Authentication\RequestToHttpAuthPlugin::class => ConfigAbstractFactory::class,
Middleware\AuthenticationMiddleware::class => ConfigAbstractFactory::class,
],
],
ConfigAbstractFactory::class => [
Authentication\Plugin\AuthorizationHeaderPlugin::class => [Authentication\JWTService::class, 'translator'],
Authentication\Plugin\ApiKeyHeaderPlugin::class => [Service\ApiKeyService::class, 'translator'],
Authentication\RequestToHttpAuthPlugin::class => [Authentication\AuthenticationPluginManager::class],
Middleware\AuthenticationMiddleware::class => [
Authentication\RequestToHttpAuthPlugin::class,
'translator',
'config.auth.routes_whitelist',
'Logger_Shlink',
],
], ],
]; ];

8
module/Rest/config/dependencies.config.php
View file

@ -35,7 +35,6 @@ return [
Middleware\BodyParserMiddleware::class => InvokableFactory::class, Middleware\BodyParserMiddleware::class => InvokableFactory::class,
Middleware\CrossDomainMiddleware::class => InvokableFactory::class, Middleware\CrossDomainMiddleware::class => InvokableFactory::class,
Middleware\PathVersionMiddleware::class => InvokableFactory::class, Middleware\PathVersionMiddleware::class => InvokableFactory::class,
Middleware\CheckAuthenticationMiddleware::class => ConfigAbstractFactory::class,
Middleware\ShortUrl\CreateShortUrlContentNegotiationMiddleware::class => InvokableFactory::class, Middleware\ShortUrl\CreateShortUrlContentNegotiationMiddleware::class => InvokableFactory::class,
Middleware\ShortUrl\ShortCodePathMiddleware::class => InvokableFactory::class, Middleware\ShortUrl\ShortCodePathMiddleware::class => InvokableFactory::class,
], ],
@ -91,13 +90,6 @@ return [
Action\Tag\DeleteTagsAction::class => [Service\Tag\TagService::class, LoggerInterface::class], Action\Tag\DeleteTagsAction::class => [Service\Tag\TagService::class, LoggerInterface::class],
Action\Tag\CreateTagsAction::class => [Service\Tag\TagService::class, LoggerInterface::class], Action\Tag\CreateTagsAction::class => [Service\Tag\TagService::class, LoggerInterface::class],
Action\Tag\UpdateTagAction::class => [Service\Tag\TagService::class, Translator::class, LoggerInterface::class], Action\Tag\UpdateTagAction::class => [Service\Tag\TagService::class, Translator::class, LoggerInterface::class],
Middleware\CheckAuthenticationMiddleware::class => [
Authentication\JWTService::class,
'translator',
'config.auth.routes_whitelist',
'Logger_Shlink',
],
], ],
]; ];

4
module/Rest/src/Action/ShortUrl/SingleStepCreateShortUrlAction.php
View file

@ -43,9 +43,7 @@ class SingleStepCreateShortUrlAction extends AbstractCreateShortUrlAction
{ {
$query = $request->getQueryParams(); $query = $request->getQueryParams();
// Check provided API key if (! $this->apiKeyService->check($query['apiKey'] ?? '')) {
$apiKey = $this->apiKeyService->getByKey($query['apiKey'] ?? '');
if ($apiKey === null || ! $apiKey->isValid()) {
throw new InvalidArgumentException( throw new InvalidArgumentException(
$this->translator->translate('No API key was provided or it is not valid') $this->translator->translate('No API key was provided or it is not valid')
); );

11
module/Rest/src/Authentication/AuthenticationPluginManager.php Normal file
View file

@ -0,0 +1,11 @@
<?php
declare(strict_types=1);
namespace Shlinkio\Shlink\Rest\Authentication;
use Zend\ServiceManager\AbstractPluginManager;
class AuthenticationPluginManager extends AbstractPluginManager implements AuthenticationPluginManagerInterface
{
protected $instanceOf = Plugin\AuthenticationPluginInterface::class;
}

31
module/Rest/src/Authentication/AuthenticationPluginManagerFactory.php Normal file
View file

@ -0,0 +1,31 @@
<?php
declare(strict_types=1);
namespace Shlinkio\Shlink\Rest\Authentication;
use Interop\Container\ContainerInterface;
use Interop\Container\Exception\ContainerException;
use Zend\ServiceManager\Exception\ServiceNotCreatedException;
use Zend\ServiceManager\Exception\ServiceNotFoundException;
use Zend\ServiceManager\Factory\FactoryInterface;
class AuthenticationPluginManagerFactory implements FactoryInterface
{
/**
* Create an object
*
* @param ContainerInterface $container
* @param string $requestedName
* @param null|array $options
* @return object
* @throws ServiceNotFoundException if unable to resolve the service.
* @throws ServiceNotCreatedException if an exception is raised when
* creating a service.
* @throws ContainerException if any other error occurs
*/
public function __invoke(ContainerInterface $container, $requestedName, array $options = null)
{
$config = $container->get('config') ?? [];
return new AuthenticationPluginManager($container, $config['auth']['plugins'] ?? []);
}
}

10
module/Rest/src/Authentication/AuthenticationPluginManagerInterface.php Normal file
View file

@ -0,0 +1,10 @@
<?php
declare(strict_types=1);
namespace Shlinkio\Shlink\Rest\Authentication;
use Psr\Container\ContainerInterface;
interface AuthenticationPluginManagerInterface extends ContainerInterface
{
}

3
module/Rest/src/Authentication/JWTService.php
View file

@ -7,6 +7,7 @@ use Firebase\JWT\JWT;
use Shlinkio\Shlink\Core\Options\AppOptions; use Shlinkio\Shlink\Core\Options\AppOptions;
use Shlinkio\Shlink\Rest\Entity\ApiKey; use Shlinkio\Shlink\Rest\Entity\ApiKey;
use Shlinkio\Shlink\Rest\Exception\AuthenticationException; use Shlinkio\Shlink\Rest\Exception\AuthenticationException;
use function time;
class JWTService implements JWTServiceInterface class JWTService implements JWTServiceInterface
{ {
@ -32,7 +33,7 @@ class JWTService implements JWTServiceInterface
$currentTimestamp = time(); $currentTimestamp = time();
return $this->encode([ return $this->encode([
'iss' => $this->appOptions->__toString(), 'iss' => (string) $this->appOptions,
'iat' => $currentTimestamp, 'iat' => $currentTimestamp,
'exp' => $currentTimestamp + $lifetime, 'exp' => $currentTimestamp + $lifetime,
'sub' => 'auth', 'sub' => 'auth',

52
module/Rest/src/Authentication/Plugin/ApiKeyHeaderPlugin.php Normal file
View file

@ -0,0 +1,52 @@
<?php
declare(strict_types=1);
namespace Shlinkio\Shlink\Rest\Authentication\Plugin;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Shlinkio\Shlink\Rest\Exception\VerifyAuthenticationException;
use Shlinkio\Shlink\Rest\Service\ApiKeyServiceInterface;
use Shlinkio\Shlink\Rest\Util\RestUtils;
use Zend\I18n\Translator\TranslatorInterface;
class ApiKeyHeaderPlugin implements AuthenticationPluginInterface
{
public const HEADER_NAME = 'X-Api-Key';
/**
* @var ApiKeyServiceInterface
*/
private $apiKeyService;
/**
* @var TranslatorInterface
*/
private $translator;
public function __construct(ApiKeyServiceInterface $apiKeyService, TranslatorInterface $translator)
{
$this->apiKeyService = $apiKeyService;
$this->translator = $translator;
}
/**
* @throws VerifyAuthenticationException
*/
public function verify(ServerRequestInterface $request): void
{
$apiKey = $request->getHeaderLine(self::HEADER_NAME);
if ($this->apiKeyService->check($apiKey)) {
return;
}
throw VerifyAuthenticationException::withError(
RestUtils::INVALID_API_KEY_ERROR,
$this->translator->translate('Provided API key does not exist or is invalid.')
);
}
public function update(ServerRequestInterface $request, ResponseInterface $response): ResponseInterface
{
return $response;
}
}

18
module/Rest/src/Authentication/Plugin/AuthenticationPluginInterface.php Normal file
View file

@ -0,0 +1,18 @@
<?php
declare(strict_types=1);
namespace Shlinkio\Shlink\Rest\Authentication\Plugin;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Shlinkio\Shlink\Rest\Exception\VerifyAuthenticationException;
interface AuthenticationPluginInterface
{
/**
* @throws VerifyAuthenticationException
*/
public function verify(ServerRequestInterface $request): void;
public function update(ServerRequestInterface $request, ResponseInterface $response): ResponseInterface;
}

95
module/Rest/src/Authentication/Plugin/AuthorizationHeaderPlugin.php Normal file
View file

@ -0,0 +1,95 @@
<?php
declare(strict_types=1);
namespace Shlinkio\Shlink\Rest\Authentication\Plugin;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Shlinkio\Shlink\Rest\Authentication\JWTServiceInterface;
use Shlinkio\Shlink\Rest\Exception\VerifyAuthenticationException;
use Shlinkio\Shlink\Rest\Util\RestUtils;
use Throwable;
use Zend\I18n\Translator\TranslatorInterface;
use function count;
use function explode;
use function sprintf;
use function strtolower;
class AuthorizationHeaderPlugin implements AuthenticationPluginInterface
{
public const HEADER_NAME = 'Authorization';
/**
* @var JWTServiceInterface
*/
private $jwtService;
/**
* @var TranslatorInterface
*/
private $translator;
public function __construct(JWTServiceInterface $jwtService, TranslatorInterface $translator)
{
$this->jwtService = $jwtService;
$this->translator = $translator;
}
/**
* @throws VerifyAuthenticationException
*/
public function verify(ServerRequestInterface $request): void
{
// Get token making sure the an authorization type is provided
$authToken = $request->getHeaderLine(self::HEADER_NAME);
$authTokenParts = explode(' ', $authToken);
if (count($authTokenParts) === 1) {
throw VerifyAuthenticationException::withError(
RestUtils::INVALID_AUTHORIZATION_ERROR,
sprintf(
$this->translator->translate('You need to provide the Bearer type in the %s header.'),
self::HEADER_NAME
)
);
}
// Make sure the authorization type is Bearer
[$authType, $jwt] = $authTokenParts;
if (strtolower($authType) !== 'bearer') {
throw VerifyAuthenticationException::withError(
RestUtils::INVALID_AUTHORIZATION_ERROR,
sprintf($this->translator->translate(
'Provided authorization type %s is not supported. Use Bearer instead.'
), $authType)
);
}
try {
if (! $this->jwtService->verify($jwt)) {
throw $this->createInvalidTokenError();
}
} catch (Throwable $e) {
throw $this->createInvalidTokenError($e);
}
}
private function createInvalidTokenError(Throwable $prev = null): VerifyAuthenticationException
{
return VerifyAuthenticationException::withError(
RestUtils::INVALID_AUTH_TOKEN_ERROR,
sprintf($this->translator->translate(
'Missing or invalid auth token provided. Perform a new authentication request and send provided '
. 'token on every new request on the %s header'
), self::HEADER_NAME),
$prev
);
}
public function update(ServerRequestInterface $request, ResponseInterface $response): ResponseInterface
{
$authToken = $request->getHeaderLine(self::HEADER_NAME);
[, $jwt] = explode(' ', $authToken);
$jwt = $this->jwtService->refresh($jwt);
return $response->withHeader(self::HEADER_NAME, sprintf('Bearer %s', $jwt));
}
}

64
module/Rest/src/Authentication/RequestToHttpAuthPlugin.php Normal file
View file

@ -0,0 +1,64 @@
<?php
declare(strict_types=1);
namespace Shlinkio\Shlink\Rest\Authentication;
use Psr\Container;
use Psr\Http\Message\ServerRequestInterface;
use Shlinkio\Shlink\Rest\Exception\NoAuthenticationException;
use function array_filter;
use function array_reduce;
use function array_shift;
class RequestToHttpAuthPlugin implements RequestToHttpAuthPluginInterface
{
// Headers here have to be defined in order of priority.
// When more than one is matched, the first one to be found will take precedence.
public const SUPPORTED_AUTH_HEADERS = [
Plugin\ApiKeyHeaderPlugin::HEADER_NAME,
Plugin\AuthorizationHeaderPlugin::HEADER_NAME,
];
/**
* @var AuthenticationPluginManagerInterface
*/
private $authPluginManager;
public function __construct(AuthenticationPluginManagerInterface $authPluginManager)
{
$this->authPluginManager = $authPluginManager;
}
/**
* @throws Container\ContainerExceptionInterface
* @throws NoAuthenticationException
*/
public function fromRequest(ServerRequestInterface $request): Plugin\AuthenticationPluginInterface
{
if (! $this->hasAnySupportedHeader($request)) {
throw NoAuthenticationException::fromExpectedTypes([
Plugin\ApiKeyHeaderPlugin::HEADER_NAME,
Plugin\AuthorizationHeaderPlugin::HEADER_NAME,
]);
}
return $this->authPluginManager->get($this->getFirstAvailableHeader($request));
}
private function hasAnySupportedHeader(ServerRequestInterface $request): bool
{
return array_reduce(
self::SUPPORTED_AUTH_HEADERS,
function (bool $carry, string $header) use ($request) {
return $carry || $request->hasHeader($header);
},
false
);
}
private function getFirstAvailableHeader(ServerRequestInterface $request): string
{
$foundHeaders = array_filter(self::SUPPORTED_AUTH_HEADERS, [$request, 'hasHeader']);
return array_shift($foundHeaders) ?? '';
}
}

17
module/Rest/src/Authentication/RequestToHttpAuthPluginInterface.php Normal file
View file

@ -0,0 +1,17 @@
<?php
declare(strict_types=1);
namespace Shlinkio\Shlink\Rest\Authentication;
use Psr\Container;
use Psr\Http\Message\ServerRequestInterface;
use Shlinkio\Shlink\Rest\Exception\NoAuthenticationException;
interface RequestToHttpAuthPluginInterface
{
/**
* @throws Container\ContainerExceptionInterface
* @throws NoAuthenticationException
*/
public function fromRequest(ServerRequestInterface $request): Plugin\AuthenticationPluginInterface;
}

7
module/Rest/src/Exception/AuthenticationException.php
View file

@ -5,12 +5,7 @@ namespace Shlinkio\Shlink\Rest\Exception;
class AuthenticationException extends RuntimeException class AuthenticationException extends RuntimeException
{ {
public static function fromCredentials($username, $password) public static function expiredJWT(\Exception $prev = null): self
{
return new self(sprintf('Invalid credentials. Username -> "%s". Password -> "%s"', $username, $password));
}
public static function expiredJWT(\Exception $prev = null)
{ {
return new self('The token has expired.', -1, $prev); return new self('The token has expired.', -1, $prev);
} }

18
module/Rest/src/Exception/NoAuthenticationException.php Normal file
View file

@ -0,0 +1,18 @@
<?php
declare(strict_types=1);
namespace Shlinkio\Shlink\Rest\Exception;
use function implode;
use function sprintf;
class NoAuthenticationException extends RuntimeException
{
public static function fromExpectedTypes(array $expectedTypes): self
{
return new self(sprintf(
'None of the valid authentication mechanisms where provided. Expected one of ["%s"]',
implode('", "', $expectedTypes)
));
}
}

52
module/Rest/src/Exception/VerifyAuthenticationException.php Normal file
View file

@ -0,0 +1,52 @@
<?php
declare(strict_types=1);
namespace Shlinkio\Shlink\Rest\Exception;
use Throwable;
use function sprintf;
class VerifyAuthenticationException extends RuntimeException
{
/**
* @var string
*/
private $errorCode;
/**
* @var string
*/
private $publicMessage;
public function __construct(
string $errorCode,
string $publicMessage,
string $message = '',
int $code = 0,
Throwable $previous = null
) {
parent::__construct($message, $code, $previous);
$this->errorCode = $errorCode;
$this->publicMessage = $publicMessage;
}
public static function withError(string $errorCode, string $publicMessage, Throwable $prev = null): self
{
return new self(
$errorCode,
$publicMessage,
sprintf('Authentication verification failed with the public message "%s"', $publicMessage),
0,
$prev
);
}
public function getErrorCode(): string
{
return $this->errorCode;
}
public function getPublicMessage(): string
{
return $this->publicMessage;
}
}

108
module/Rest/src/Middleware/AuthenticationMiddleware.php Normal file
View file

@ -0,0 +1,108 @@
<?php
declare(strict_types=1);
namespace Shlinkio\Shlink\Rest\Middleware;
use Fig\Http\Message\RequestMethodInterface;
use Fig\Http\Message\StatusCodeInterface;
use Psr\Container\ContainerExceptionInterface;
use Psr\Http\Message\ResponseInterface as Response;
use Psr\Http\Message\ServerRequestInterface as Request;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;
use Psr\Log\LoggerInterface;
use Psr\Log\NullLogger;
use Shlinkio\Shlink\Rest\Authentication\RequestToHttpAuthPlugin;
use Shlinkio\Shlink\Rest\Authentication\RequestToHttpAuthPluginInterface;
use Shlinkio\Shlink\Rest\Exception\NoAuthenticationException;
use Shlinkio\Shlink\Rest\Exception\VerifyAuthenticationException;
use Shlinkio\Shlink\Rest\Util\RestUtils;
use Zend\Diactoros\Response\JsonResponse;
use Zend\Expressive\Router\RouteResult;
use Zend\I18n\Translator\TranslatorInterface;
use function implode;
use function in_array;
use function sprintf;
class AuthenticationMiddleware implements MiddlewareInterface, StatusCodeInterface, RequestMethodInterface
{
/**
* @var TranslatorInterface
*/
private $translator;
/**
* @var LoggerInterface
*/
private $logger;
/**
* @var array
*/
private $routesWhitelist;
/**
* @var RequestToHttpAuthPluginInterface
*/
private $requestToAuthPlugin;
public function __construct(
RequestToHttpAuthPluginInterface $requestToAuthPlugin,
TranslatorInterface $translator,
array $routesWhitelist,
LoggerInterface $logger = null
) {
$this->translator = $translator;
$this->routesWhitelist = $routesWhitelist;
$this->logger = $logger ?: new NullLogger();
$this->requestToAuthPlugin = $requestToAuthPlugin;
}
/**
* Process an incoming server request and return a response, optionally delegating
* to the next middleware component to create the response.
*
* @param Request $request
* @param RequestHandlerInterface $handler
*
* @return Response
* @throws \InvalidArgumentException
*/
public function process(Request $request, RequestHandlerInterface $handler): Response
{
/** @var RouteResult|null $routeResult */
$routeResult = $request->getAttribute(RouteResult::class);
if ($routeResult === null
|| $routeResult->isFailure()
|| $request->getMethod() === self::METHOD_OPTIONS
|| in_array($routeResult->getMatchedRouteName(), $this->routesWhitelist, true)
) {
return $handler->handle($request);
}
try {
$plugin = $this->requestToAuthPlugin->fromRequest($request);
} catch (ContainerExceptionInterface | NoAuthenticationException $e) {
$this->logger->warning('Invalid or no authentication provided.' . PHP_EOL . $e);
return $this->createErrorResponse(sprintf($this->translator->translate(
'Expected one of the following authentication headers, but none were provided, ["%s"]'
), implode('", "', RequestToHttpAuthPlugin::SUPPORTED_AUTH_HEADERS)));
}
try {
$plugin->verify($request);
$response = $handler->handle($request);
return $plugin->update($request, $response);
} catch (VerifyAuthenticationException $e) {
$this->logger->warning('Authentication verification failed.' . PHP_EOL . $e);
return $this->createErrorResponse($e->getPublicMessage(), $e->getErrorCode());
}
}
private function createErrorResponse(
string $message,
string $errorCode = RestUtils::INVALID_AUTHORIZATION_ERROR
): JsonResponse {
return new JsonResponse([
'error' => $errorCode,
'message' => $message,
], self::STATUS_UNAUTHORIZED);
}
}

144
module/Rest/src/Middleware/CheckAuthenticationMiddleware.php
View file

@ -1,144 +0,0 @@
<?php
declare(strict_types=1);
namespace Shlinkio\Shlink\Rest\Middleware;
use Fig\Http\Message\StatusCodeInterface;
use Psr\Http\Message\ResponseInterface as Response;
use Psr\Http\Message\ServerRequestInterface as Request;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;
use Psr\Log\LoggerInterface;
use Psr\Log\NullLogger;
use Shlinkio\Shlink\Rest\Authentication\JWTServiceInterface;
use Shlinkio\Shlink\Rest\Exception\AuthenticationException;
use Shlinkio\Shlink\Rest\Util\RestUtils;
use Zend\Diactoros\Response\JsonResponse;
use Zend\Expressive\Router\RouteResult;
use Zend\I18n\Translator\TranslatorInterface;
use Zend\Stdlib\ErrorHandler;
class CheckAuthenticationMiddleware implements MiddlewareInterface, StatusCodeInterface
{
public const AUTHORIZATION_HEADER = 'Authorization';
/**
* @var TranslatorInterface
*/
private $translator;
/**
* @var JWTServiceInterface
*/
private $jwtService;
/**
* @var LoggerInterface
*/
private $logger;
/**
* @var array
*/
private $routesWhitelist;
public function __construct(
JWTServiceInterface $jwtService,
TranslatorInterface $translator,
array $routesWhitelist,
LoggerInterface $logger = null
) {
$this->translator = $translator;
$this->jwtService = $jwtService;
$this->routesWhitelist = $routesWhitelist;
$this->logger = $logger ?: new NullLogger();
}
/**
* Process an incoming server request and return a response, optionally delegating
* to the next middleware component to create the response.
*
* @param Request $request
* @param RequestHandlerInterface $handler
*
* @return Response
* @throws \InvalidArgumentException
* @throws \ErrorException
*/
public function process(Request $request, RequestHandlerInterface $handler): Response
{
// If current route is the authenticate route or an OPTIONS request, continue to the next middleware
/** @var RouteResult|null $routeResult */
$routeResult = $request->getAttribute(RouteResult::class);
if ($routeResult === null
|| $routeResult->isFailure()
|| $request->getMethod() === 'OPTIONS'
|| \in_array($routeResult->getMatchedRouteName(), $this->routesWhitelist, true)
) {
return $handler->handle($request);
}
// Check that the auth header was provided, and that it belongs to a non-expired token
if (! $request->hasHeader(self::AUTHORIZATION_HEADER)) {
return $this->createTokenErrorResponse();
}
// Get token making sure the an authorization type is provided
$authToken = $request->getHeaderLine(self::AUTHORIZATION_HEADER);
$authTokenParts = \explode(' ', $authToken);
if (\count($authTokenParts) === 1) {
return new JsonResponse([
'error' => RestUtils::INVALID_AUTHORIZATION_ERROR,
'message' => \sprintf($this->translator->translate(
'You need to provide the Bearer type in the %s header.'
), self::AUTHORIZATION_HEADER),
], self::STATUS_UNAUTHORIZED);
}
// Make sure the authorization type is Bearer
[$authType, $jwt] = $authTokenParts;
if (\strtolower($authType) !== 'bearer') {
return new JsonResponse([
'error' => RestUtils::INVALID_AUTHORIZATION_ERROR,
'message' => \sprintf($this->translator->translate(
'Provided authorization type %s is not supported. Use Bearer instead.'
), $authType),
], self::STATUS_UNAUTHORIZED);
}
try {
ErrorHandler::start();
if (! $this->jwtService->verify($jwt)) {
return $this->createTokenErrorResponse();
}
ErrorHandler::stop(true);
// Update the token expiration and continue to next middleware
$jwt = $this->jwtService->refresh($jwt);
$response = $handler->handle($request);
// Return the response with the updated token on it
return $response->withHeader(self::AUTHORIZATION_HEADER, 'Bearer ' . $jwt);
} catch (AuthenticationException $e) {
$this->logger->warning('Tried to access API with an invalid JWT.' . PHP_EOL . $e);
return $this->createTokenErrorResponse();
} finally {
ErrorHandler::clean();
}
}
/**
* @return JsonResponse
* @throws \InvalidArgumentException
*/
private function createTokenErrorResponse(): JsonResponse
{
return new JsonResponse([
'error' => RestUtils::INVALID_AUTH_TOKEN_ERROR,
'message' => \sprintf(
$this->translator->translate(
'Missing or invalid auth token provided. Perform a new authentication request and send provided '
. 'token on every new request on the "%s" header'
),
self::AUTHORIZATION_HEADER
),
], self::STATUS_UNAUTHORIZED);
}
}

1
module/Rest/src/Service/ApiKeyService.php
View file

@ -6,6 +6,7 @@ namespace Shlinkio\Shlink\Rest\Service;
use Doctrine\ORM\EntityManagerInterface; use Doctrine\ORM\EntityManagerInterface;
use Shlinkio\Shlink\Common\Exception\InvalidArgumentException; use Shlinkio\Shlink\Common\Exception\InvalidArgumentException;
use Shlinkio\Shlink\Rest\Entity\ApiKey; use Shlinkio\Shlink\Rest\Entity\ApiKey;
use function sprintf;
class ApiKeyService implements ApiKeyServiceInterface class ApiKeyService implements ApiKeyServiceInterface
{ {

18
module/Rest/test/Action/ShortUrl/SingleStepCreateShortUrlActionTest.php
View file

@ -11,7 +11,6 @@ use Psr\Http\Message\UriInterface;
use Shlinkio\Shlink\Core\Entity\ShortUrl; use Shlinkio\Shlink\Core\Entity\ShortUrl;
use Shlinkio\Shlink\Core\Service\UrlShortenerInterface; use Shlinkio\Shlink\Core\Service\UrlShortenerInterface;
use Shlinkio\Shlink\Rest\Action\ShortUrl\SingleStepCreateShortUrlAction; use Shlinkio\Shlink\Rest\Action\ShortUrl\SingleStepCreateShortUrlAction;
use Shlinkio\Shlink\Rest\Entity\ApiKey;
use Shlinkio\Shlink\Rest\Service\ApiKeyServiceInterface; use Shlinkio\Shlink\Rest\Service\ApiKeyServiceInterface;
use Zend\Diactoros\Response\JsonResponse; use Zend\Diactoros\Response\JsonResponse;
use Zend\Diactoros\ServerRequestFactory; use Zend\Diactoros\ServerRequestFactory;
@ -50,12 +49,11 @@ class SingleStepCreateShortUrlActionTest extends TestCase
/** /**
* @test * @test
* @dataProvider provideInvalidApiKeys
*/ */
public function errorResponseIsReturnedIfInvalidApiKeyIsProvided(?ApiKey $apiKey) public function errorResponseIsReturnedIfInvalidApiKeyIsProvided()
{ {
$request = ServerRequestFactory::fromGlobals()->withQueryParams(['apiKey' => 'abc123']); $request = ServerRequestFactory::fromGlobals()->withQueryParams(['apiKey' => 'abc123']);
$findApiKey = $this->apiKeyService->getByKey('abc123')->willReturn($apiKey); $findApiKey = $this->apiKeyService->check('abc123')->willReturn(false);
/** @var JsonResponse $resp */ /** @var JsonResponse $resp */
$resp = $this->action->handle($request); $resp = $this->action->handle($request);
@ -67,21 +65,13 @@ class SingleStepCreateShortUrlActionTest extends TestCase
$findApiKey->shouldHaveBeenCalled(); $findApiKey->shouldHaveBeenCalled();
} }
public function provideInvalidApiKeys(): array
{
return [
[null],
[(new ApiKey())->disable()],
];
}
/** /**
* @test * @test
*/ */
public function errorResponseIsReturnedIfNoUrlIsProvided() public function errorResponseIsReturnedIfNoUrlIsProvided()
{ {
$request = ServerRequestFactory::fromGlobals()->withQueryParams(['apiKey' => 'abc123']); $request = ServerRequestFactory::fromGlobals()->withQueryParams(['apiKey' => 'abc123']);
$findApiKey = $this->apiKeyService->getByKey('abc123')->willReturn(new ApiKey()); $findApiKey = $this->apiKeyService->check('abc123')->willReturn(true);
/** @var JsonResponse $resp */ /** @var JsonResponse $resp */
$resp = $this->action->handle($request); $resp = $this->action->handle($request);
@ -102,7 +92,7 @@ class SingleStepCreateShortUrlActionTest extends TestCase
'apiKey' => 'abc123', 'apiKey' => 'abc123',
'longUrl' => 'http://foobar.com', 'longUrl' => 'http://foobar.com',
]); ]);
$findApiKey = $this->apiKeyService->getByKey('abc123')->willReturn(new ApiKey()); $findApiKey = $this->apiKeyService->check('abc123')->willReturn(true);
$generateShortCode = $this->urlShortener->urlToShortCode( $generateShortCode = $this->urlShortener->urlToShortCode(
Argument::that(function (UriInterface $argument) { Argument::that(function (UriInterface $argument) {
Assert::assertEquals('http://foobar.com', (string) $argument); Assert::assertEquals('http://foobar.com', (string) $argument);

33
module/Rest/test/Authentication/AuthenticationPluginManagerFactoryTest.php Normal file
View file

@ -0,0 +1,33 @@
<?php
declare(strict_types=1);
namespace ShlinkioTest\Shlink\Rest\Authentication;
use PHPUnit\Framework\TestCase;
use Shlinkio\Shlink\Rest\Authentication\AuthenticationPluginManager;
use Shlinkio\Shlink\Rest\Authentication\AuthenticationPluginManagerFactory;
use Zend\ServiceManager\ServiceManager;
class AuthenticationPluginManagerFactoryTest extends TestCase
{
/**
* @var AuthenticationPluginManagerFactory
*/
private $factory;
public function setUp()
{
$this->factory = new AuthenticationPluginManagerFactory();
}
/**
* @test
*/
public function serviceIsProperlyCreated()
{
$instance = $this->factory->__invoke(new ServiceManager(['services' => [
'config' => [],
]]), '');
$this->assertInstanceOf(AuthenticationPluginManager::class, $instance);
}
}

78
module/Rest/test/Authentication/Plugin/ApiKeyHeaderPluginTest.php Normal file
View file

@ -0,0 +1,78 @@
<?php
declare(strict_types=1);
namespace ShlinkioTest\Shlink\Rest\Authentication\Plugin;
use PHPUnit\Framework\TestCase;
use Prophecy\Prophecy\ObjectProphecy;
use Psr\Http\Message\ServerRequestInterface;
use Shlinkio\Shlink\Rest\Authentication\Plugin\ApiKeyHeaderPlugin;
use Shlinkio\Shlink\Rest\Exception\VerifyAuthenticationException;
use Shlinkio\Shlink\Rest\Service\ApiKeyServiceInterface;
use Zend\Diactoros\Response;
use Zend\Diactoros\ServerRequestFactory;
use Zend\I18n\Translator\Translator;
class ApiKeyHeaderPluginTest extends TestCase
{
/**
* @var ApiKeyHeaderPlugin
*/
private $plugin;
/**
* @var ObjectProphecy
*/
private $apiKeyService;
public function setUp()
{
$this->apiKeyService = $this->prophesize(ApiKeyServiceInterface::class);
$this->plugin = new ApiKeyHeaderPlugin($this->apiKeyService->reveal(), Translator::factory([]));
}
/**
* @test
*/
public function verifyThrowsExceptionWhenApiKeyIsNotValid()
{
$apiKey = 'abc-ABC';
$check = $this->apiKeyService->check($apiKey)->willReturn(false);
$check->shouldBeCalledTimes(1);
$this->expectException(VerifyAuthenticationException::class);
$this->expectExceptionMessage('Provided API key does not exist or is invalid');
$this->plugin->verify($this->createRequest($apiKey));
}
/**
* @test
*/
public function verifyDoesNotThrowExceptionWhenApiKeyIsValid()
{
$apiKey = 'abc-ABC';
$check = $this->apiKeyService->check($apiKey)->willReturn(true);
$this->plugin->verify($this->createRequest($apiKey));
$check->shouldHaveBeenCalledTimes(1);
}
/**
* @test
*/
public function updateReturnsResponseAsIs()
{
$apiKey = 'abc-ABC';
$response = new Response();
$returnedResponse = $this->plugin->update($this->createRequest($apiKey), $response);
$this->assertSame($response, $returnedResponse);
}
private function createRequest(string $apiKey): ServerRequestInterface
{
return ServerRequestFactory::fromGlobals()->withHeader(ApiKeyHeaderPlugin::HEADER_NAME, $apiKey);
}
}

130
module/Rest/test/Authentication/Plugin/AuthorizationHeaderPluginTest.php Normal file
View file

@ -0,0 +1,130 @@
<?php
declare(strict_types=1);
namespace ShlinkioTest\Shlink\Rest\Authentication\Plugin;
use PHPUnit\Framework\TestCase;
use Prophecy\Prophecy\ObjectProphecy;
use Shlinkio\Shlink\Rest\Authentication\JWTServiceInterface;
use Shlinkio\Shlink\Rest\Authentication\Plugin\AuthorizationHeaderPlugin;
use Shlinkio\Shlink\Rest\Exception\VerifyAuthenticationException;
use Zend\Diactoros\Response;
use Zend\Diactoros\ServerRequestFactory;
use Zend\I18n\Translator\Translator;
class AuthorizationHeaderPluginTest extends TestCase
{
/**
* @var AuthorizationHeaderPlugin
*/
private $plugin;
/**
* @var ObjectProphecy
*/
protected $jwtService;
public function setUp()
{
$this->jwtService = $this->prophesize(JWTServiceInterface::class);
$this->plugin = new AuthorizationHeaderPlugin($this->jwtService->reveal(), Translator::factory([]));
}
/**
* @test
*/
public function verifyAnAuthorizationWithoutBearerTypeThrowsException()
{
$authToken = 'ABC-abc';
$request = ServerRequestFactory::fromGlobals()->withHeader(
AuthorizationHeaderPlugin::HEADER_NAME,
$authToken
);
$this->expectException(VerifyAuthenticationException::class);
$this->expectExceptionMessage(sprintf(
'You need to provide the Bearer type in the %s header.',
AuthorizationHeaderPlugin::HEADER_NAME
));
$this->plugin->verify($request);
}
/**
* @test
*/
public function verifyAnAuthorizationWithWrongTypeThrowsException()
{
$authToken = 'Basic ABC-abc';
$request = ServerRequestFactory::fromGlobals()->withHeader(
AuthorizationHeaderPlugin::HEADER_NAME,
$authToken
);
$this->expectException(VerifyAuthenticationException::class);
$this->expectExceptionMessage(
'Provided authorization type Basic is not supported. Use Bearer instead.'
);
$this->plugin->verify($request);
}
/**
* @test
*/
public function verifyAnExpiredTokenThrowsException()
{
$authToken = 'Bearer ABC-abc';
$request = ServerRequestFactory::fromGlobals()->withHeader(
AuthorizationHeaderPlugin::HEADER_NAME,
$authToken
);
$jwtVerify = $this->jwtService->verify('ABC-abc')->willReturn(false);
$this->expectException(VerifyAuthenticationException::class);
$this->expectExceptionMessage(sprintf(
'Missing or invalid auth token provided. Perform a new authentication request and send provided '
. 'token on every new request on the %s header',
AuthorizationHeaderPlugin::HEADER_NAME
));
$this->plugin->verify($request);
$jwtVerify->shouldHaveBeenCalledTimes(1);
}
/**
* @test
*/
public function verifyValidTokenDoesNotThrowException()
{
$authToken = 'Bearer ABC-abc';
$request = ServerRequestFactory::fromGlobals()->withHeader(
AuthorizationHeaderPlugin::HEADER_NAME,
$authToken
);
$jwtVerify = $this->jwtService->verify('ABC-abc')->willReturn(true);
$this->plugin->verify($request);
$jwtVerify->shouldHaveBeenCalledTimes(1);
}
/**
* @test
*/
public function updateReturnsAnUpdatedResponseWithNewJwt()
{
$authToken = 'Bearer ABC-abc';
$request = ServerRequestFactory::fromGlobals()->withHeader(
AuthorizationHeaderPlugin::HEADER_NAME,
$authToken
);
$jwtRefresh = $this->jwtService->refresh('ABC-abc')->willReturn('DEF-def');
$response = $this->plugin->update($request, new Response());
$this->assertTrue($response->hasHeader(AuthorizationHeaderPlugin::HEADER_NAME));
$this->assertEquals('Bearer DEF-def', $response->getHeaderLine(AuthorizationHeaderPlugin::HEADER_NAME));
$jwtRefresh->shouldHaveBeenCalledTimes(1);
}
}

83
module/Rest/test/Authentication/RequestToAuthPluginTest.php Normal file
View file

@ -0,0 +1,83 @@
<?php
declare(strict_types=1);
namespace ShlinkioTest\Shlink\Rest\Authentication;
use PHPUnit\Framework\TestCase;
use Prophecy\Prophecy\ObjectProphecy;
use Shlinkio\Shlink\Rest\Authentication\AuthenticationPluginManagerInterface;
use Shlinkio\Shlink\Rest\Authentication\Plugin\ApiKeyHeaderPlugin;
use Shlinkio\Shlink\Rest\Authentication\Plugin\AuthenticationPluginInterface;
use Shlinkio\Shlink\Rest\Authentication\Plugin\AuthorizationHeaderPlugin;
use Shlinkio\Shlink\Rest\Authentication\RequestToHttpAuthPlugin;
use Shlinkio\Shlink\Rest\Exception\NoAuthenticationException;
use Zend\Diactoros\ServerRequestFactory;
class RequestToAuthPluginTest extends TestCase
{
/**
* @var RequestToHttpAuthPlugin
*/
private $requestToPlugin;
/**
* @var ObjectProphecy
*/
private $pluginManager;
public function setUp()
{
$this->pluginManager = $this->prophesize(AuthenticationPluginManagerInterface::class);
$this->requestToPlugin = new RequestToHttpAuthPlugin($this->pluginManager->reveal());
}
/**
* @test
*/
public function exceptionIsFoundWhenNoneOfTheSupportedMethodsIsFound()
{
$request = ServerRequestFactory::fromGlobals();
$this->expectException(NoAuthenticationException::class);
$this->expectExceptionMessage(sprintf(
'None of the valid authentication mechanisms where provided. Expected one of ["%s"]',
implode('", "', RequestToHttpAuthPlugin::SUPPORTED_AUTH_HEADERS)
));
$this->requestToPlugin->fromRequest($request);
}
/**
* @test
* @dataProvider provideHeaders
*/
public function properPluginIsFetchedWhenAnyAuthTypeIsFound(array $headers, string $expectedHeader)
{
$request = ServerRequestFactory::fromGlobals();
foreach ($headers as $header => $value) {
$request = $request->withHeader($header, $value);
}
$plugin = $this->prophesize(AuthenticationPluginInterface::class);
$getPlugin = $this->pluginManager->get($expectedHeader)->willReturn($plugin->reveal());
$this->requestToPlugin->fromRequest($request);
$getPlugin->shouldHaveBeenCalledTimes(1);
}
public function provideHeaders(): array
{
return [
'API key header only' => [[
ApiKeyHeaderPlugin::HEADER_NAME => 'foobar',
], ApiKeyHeaderPlugin::HEADER_NAME],
'Authorization header only' => [[
AuthorizationHeaderPlugin::HEADER_NAME => 'foobar',
], AuthorizationHeaderPlugin::HEADER_NAME],
'Both headers' => [[
AuthorizationHeaderPlugin::HEADER_NAME => 'foobar',
ApiKeyHeaderPlugin::HEADER_NAME => 'foobar',
], ApiKeyHeaderPlugin::HEADER_NAME],
];
}
}

191
module/Rest/test/Middleware/AuthenticationMiddlewareTest.php Normal file
View file

@ -0,0 +1,191 @@
<?php
declare(strict_types=1);
namespace ShlinkioTest\Shlink\Rest\Middleware;
use Exception;
use Fig\Http\Message\RequestMethodInterface;
use PHPUnit\Framework\TestCase;
use Prophecy\Argument;
use Prophecy\Prophecy\ObjectProphecy;
use Psr\Container\ContainerExceptionInterface;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;
use Shlinkio\Shlink\Rest\Action\AuthenticateAction;
use Shlinkio\Shlink\Rest\Authentication\Plugin\AuthenticationPluginInterface;
use Shlinkio\Shlink\Rest\Authentication\RequestToHttpAuthPlugin;
use Shlinkio\Shlink\Rest\Authentication\RequestToHttpAuthPluginInterface;
use Shlinkio\Shlink\Rest\Exception\NoAuthenticationException;
use Shlinkio\Shlink\Rest\Exception\VerifyAuthenticationException;
use Shlinkio\Shlink\Rest\Middleware\AuthenticationMiddleware;
use Shlinkio\Shlink\Rest\Util\RestUtils;
use Zend\Diactoros\Response;
use Zend\Diactoros\ServerRequestFactory;
use Zend\Expressive\Router\Route;
use Zend\Expressive\Router\RouteResult;
use Zend\I18n\Translator\Translator;
use function implode;
use function sprintf;
use function Zend\Stratigility\middleware;
class AuthenticationMiddlewareTest extends TestCase
{
/**
* @var AuthenticationMiddleware
*/
protected $middleware;
/**
* @var ObjectProphecy
*/
protected $requestToPlugin;
/**
* @var callable
*/
protected $dummyMiddleware;
public function setUp()
{
$this->requestToPlugin = $this->prophesize(RequestToHttpAuthPluginInterface::class);
$this->middleware = new AuthenticationMiddleware($this->requestToPlugin->reveal(), Translator::factory([]), [
AuthenticateAction::class,
]);
}
/**
* @test
* @dataProvider provideWhitelistedRequests
*/
public function someWhiteListedSituationsFallbackToNextMiddleware(ServerRequestInterface $request)
{
$handler = $this->prophesize(RequestHandlerInterface::class);
$handle = $handler->handle($request)->willReturn(new Response());
$fromRequest = $this->requestToPlugin->fromRequest(Argument::any())->willReturn(
$this->prophesize(AuthenticationPluginInterface::class)->reveal()
);
$this->middleware->process($request, $handler->reveal());
$handle->shouldHaveBeenCalledTimes(1);
$fromRequest->shouldNotHaveBeenCalled();
}
public function provideWhitelistedRequests(): array
{
$dummyMiddleware = $this->getDummyMiddleware();
return [
'with no route result' => [ServerRequestFactory::fromGlobals()],
'with failure route result' => [ServerRequestFactory::fromGlobals()->withAttribute(
RouteResult::class,
RouteResult::fromRouteFailure([RequestMethodInterface::METHOD_GET])
)],
'with whitelisted route' => [ServerRequestFactory::fromGlobals()->withAttribute(
RouteResult::class,
RouteResult::fromRoute(
new Route('foo', $dummyMiddleware, Route::HTTP_METHOD_ANY, AuthenticateAction::class)
)
)],
'with OPTIONS method' => [ServerRequestFactory::fromGlobals()->withAttribute(
RouteResult::class,
RouteResult::fromRoute(new Route('bar', $dummyMiddleware), [])
)->withMethod(RequestMethodInterface::METHOD_OPTIONS)],
];
}
/**
* @test
* @dataProvider provideExceptions
*/
public function errorIsReturnedWhenNoValidAuthIsProvided($e)
{
$request = ServerRequestFactory::fromGlobals()->withAttribute(
RouteResult::class,
RouteResult::fromRoute(new Route('bar', $this->getDummyMiddleware()), [])
);
$fromRequest = $this->requestToPlugin->fromRequest(Argument::any())->willThrow($e);
/** @var Response\JsonResponse $response */
$response = $this->middleware->process($request, $this->prophesize(RequestHandlerInterface::class)->reveal());
$payload = $response->getPayload();
$this->assertEquals(RestUtils::INVALID_AUTHORIZATION_ERROR, $payload['error']);
$this->assertEquals(sprintf(
'Expected one of the following authentication headers, but none were provided, ["%s"]',
implode('", "', RequestToHttpAuthPlugin::SUPPORTED_AUTH_HEADERS)
), $payload['message']);
$fromRequest->shouldHaveBeenCalledTimes(1);
}
public function provideExceptions(): array
{
return [
[new class extends Exception implements ContainerExceptionInterface {
}],
[NoAuthenticationException::fromExpectedTypes([])],
];
}
/**
* @test
*/
public function errorIsReturnedWhenVerificationFails()
{
$request = ServerRequestFactory::fromGlobals()->withAttribute(
RouteResult::class,
RouteResult::fromRoute(new Route('bar', $this->getDummyMiddleware()), [])
);
$plugin = $this->prophesize(AuthenticationPluginInterface::class);
$verify = $plugin->verify($request)->willThrow(
VerifyAuthenticationException::withError('the_error', 'the_message')
);
$fromRequest = $this->requestToPlugin->fromRequest(Argument::any())->willReturn($plugin->reveal());
/** @var Response\JsonResponse $response */
$response = $this->middleware->process($request, $this->prophesize(RequestHandlerInterface::class)->reveal());
$payload = $response->getPayload();
$this->assertEquals('the_error', $payload['error']);
$this->assertEquals('the_message', $payload['message']);
$verify->shouldHaveBeenCalledTimes(1);
$fromRequest->shouldHaveBeenCalledTimes(1);
}
/**
* @test
*/
public function updatedResponseIsReturnedWhenVerificationPasses()
{
$newResponse = new Response();
$request = ServerRequestFactory::fromGlobals()->withAttribute(
RouteResult::class,
RouteResult::fromRoute(new Route('bar', $this->getDummyMiddleware()), [])
);
$plugin = $this->prophesize(AuthenticationPluginInterface::class);
$verify = $plugin->verify($request)->will(function () {
});
$update = $plugin->update($request, Argument::type(ResponseInterface::class))->willReturn($newResponse);
$fromRequest = $this->requestToPlugin->fromRequest(Argument::any())->willReturn($plugin->reveal());
$handler = $this->prophesize(RequestHandlerInterface::class);
$handle = $handler->handle($request)->willReturn(new Response());
$response = $this->middleware->process($request, $handler->reveal());
$this->assertSame($response, $newResponse);
$verify->shouldHaveBeenCalledTimes(1);
$update->shouldHaveBeenCalledTimes(1);
$handle->shouldHaveBeenCalledTimes(1);
$fromRequest->shouldHaveBeenCalledTimes(1);
}
private function getDummyMiddleware(): MiddlewareInterface
{
return middleware(function () {
return new Response\EmptyResponse();
});
}
}

183
module/Rest/test/Middleware/CheckAuthenticationMiddlewareTest.php
View file

@ -1,183 +0,0 @@
<?php
declare(strict_types=1);
namespace ShlinkioTest\Shlink\Rest\Middleware;
use PHPUnit\Framework\TestCase;
use Prophecy\Prophecy\MethodProphecy;
use Prophecy\Prophecy\ObjectProphecy;
use Psr\Http\Server\RequestHandlerInterface;
use Shlinkio\Shlink\Rest\Action\AuthenticateAction;
use Shlinkio\Shlink\Rest\Authentication\JWTService;
use Shlinkio\Shlink\Rest\Middleware\CheckAuthenticationMiddleware;
use ShlinkioTest\Shlink\Common\Util\TestUtils;
use Zend\Diactoros\Response;
use Zend\Diactoros\ServerRequestFactory;
use Zend\Expressive\Router\Route;
use Zend\Expressive\Router\RouteResult;
use Zend\I18n\Translator\Translator;
use function Zend\Stratigility\middleware;
class CheckAuthenticationMiddlewareTest extends TestCase
{
/**
* @var CheckAuthenticationMiddleware
*/
protected $middleware;
/**
* @var ObjectProphecy
*/
protected $jwtService;
/**
* @var callable
*/
protected $dummyMiddleware;
public function setUp()
{
$this->jwtService = $this->prophesize(JWTService::class);
$this->middleware = new CheckAuthenticationMiddleware($this->jwtService->reveal(), Translator::factory([]), [
AuthenticateAction::class,
]);
$this->dummyMiddleware = middleware(function () {
return new Response\EmptyResponse();
});
}
/**
* @test
*/
public function someWhiteListedSituationsFallbackToNextMiddleware()
{
$request = ServerRequestFactory::fromGlobals();
$delegate = $this->prophesize(RequestHandlerInterface::class);
/** @var MethodProphecy $process */
$process = $delegate->handle($request)->willReturn(new Response());
$this->middleware->process($request, $delegate->reveal());
$process->shouldHaveBeenCalledTimes(1);
$request = ServerRequestFactory::fromGlobals()->withAttribute(
RouteResult::class,
RouteResult::fromRouteFailure(['GET'])
);
$delegate = $this->prophesize(RequestHandlerInterface::class);
/** @var MethodProphecy $process */
$process = $delegate->handle($request)->willReturn(new Response());
$this->middleware->process($request, $delegate->reveal());
$process->shouldHaveBeenCalledTimes(1);
$request = ServerRequestFactory::fromGlobals()->withAttribute(
RouteResult::class,
RouteResult::fromRoute(new Route(
'foo',
$this->dummyMiddleware,
Route::HTTP_METHOD_ANY,
AuthenticateAction::class
))
);
$delegate = $this->prophesize(RequestHandlerInterface::class);
/** @var MethodProphecy $process */
$process = $delegate->handle($request)->willReturn(new Response());
$this->middleware->process($request, $delegate->reveal());
$process->shouldHaveBeenCalledTimes(1);
$request = ServerRequestFactory::fromGlobals()->withAttribute(
RouteResult::class,
RouteResult::fromRoute(new Route('bar', $this->dummyMiddleware), [])
)->withMethod('OPTIONS');
$delegate = $this->prophesize(RequestHandlerInterface::class);
/** @var MethodProphecy $process */
$process = $delegate->handle($request)->willReturn(new Response());
$this->middleware->process($request, $delegate->reveal());
$process->shouldHaveBeenCalledTimes(1);
}
/**
* @test
*/
public function noHeaderReturnsError()
{
$request = ServerRequestFactory::fromGlobals()->withAttribute(
RouteResult::class,
RouteResult::fromRoute(new Route('bar', $this->dummyMiddleware), [])
);
$response = $this->middleware->process($request, TestUtils::createReqHandlerMock()->reveal());
$this->assertEquals(401, $response->getStatusCode());
}
/**
* @test
*/
public function provideAnAuthorizationWithoutTypeReturnsError()
{
$authToken = 'ABC-abc';
$request = ServerRequestFactory::fromGlobals()->withAttribute(
RouteResult::class,
RouteResult::fromRoute(new Route('bar', $this->dummyMiddleware), [])
)->withHeader(CheckAuthenticationMiddleware::AUTHORIZATION_HEADER, $authToken);
$response = $this->middleware->process($request, TestUtils::createReqHandlerMock()->reveal());
$this->assertEquals(401, $response->getStatusCode());
$this->assertTrue(strpos($response->getBody()->getContents(), 'You need to provide the Bearer type') > 0);
}
/**
* @test
*/
public function provideAnAuthorizationWithWrongTypeReturnsError()
{
$authToken = 'ABC-abc';
$request = ServerRequestFactory::fromGlobals()->withAttribute(
RouteResult::class,
RouteResult::fromRoute(new Route('bar', $this->dummyMiddleware), [])
)->withHeader(CheckAuthenticationMiddleware::AUTHORIZATION_HEADER, 'Basic ' . $authToken);
$response = $this->middleware->process($request, TestUtils::createReqHandlerMock()->reveal());
$this->assertEquals(401, $response->getStatusCode());
$this->assertTrue(
strpos($response->getBody()->getContents(), 'Provided authorization type Basic is not supported') > 0
);
}
/**
* @test
*/
public function provideAnExpiredTokenReturnsError()
{
$authToken = 'ABC-abc';
$request = ServerRequestFactory::fromGlobals()->withAttribute(
RouteResult::class,
RouteResult::fromRoute(new Route('bar', $this->dummyMiddleware), [])
)->withHeader(CheckAuthenticationMiddleware::AUTHORIZATION_HEADER, 'Bearer ' . $authToken);
$this->jwtService->verify($authToken)->willReturn(false)->shouldBeCalledTimes(1);
$response = $this->middleware->process($request, TestUtils::createReqHandlerMock()->reveal());
$this->assertEquals(401, $response->getStatusCode());
}
/**
* @test
*/
public function provideCorrectTokenUpdatesExpirationAndFallsBackToNextMiddleware()
{
$authToken = 'ABC-abc';
$request = ServerRequestFactory::fromGlobals()->withAttribute(
RouteResult::class,
RouteResult::fromRoute(new Route('bar', $this->dummyMiddleware), [])
)->withHeader(CheckAuthenticationMiddleware::AUTHORIZATION_HEADER, 'bearer ' . $authToken);
$this->jwtService->verify($authToken)->willReturn(true)->shouldBeCalledTimes(1);
$this->jwtService->refresh($authToken)->willReturn($authToken)->shouldBeCalledTimes(1);
$delegate = $this->prophesize(RequestHandlerInterface::class);
/** @var MethodProphecy $process */
$process = $delegate->handle($request)->willReturn(new Response());
$resp = $this->middleware->process($request, $delegate->reveal());
$process->shouldHaveBeenCalledTimes(1);
$this->assertArrayHasKey(CheckAuthenticationMiddleware::AUTHORIZATION_HEADER, $resp->getHeaders());
}
}