4 use malkusch\lock\mutex\FlockMutex
;
5 use Shaarli\Api\Exceptions\ApiAuthorizationException
;
6 use Shaarli\Api\Exceptions\ApiException
;
7 use Shaarli\Bookmark\BookmarkFileService
;
8 use Shaarli\Config\ConfigManager
;
10 use Slim\Http\Request
;
11 use Slim\Http\Response
;
16 * This will be called before accessing any API Controller.
17 * Its role is to make sure that the API is enabled, configured, and to validate the JWT token.
19 * If the request is validated, the controller is called, otherwise a JSON error response is returned.
26 * @var int JWT token validity in seconds (9 min).
28 public static $TOKEN_DURATION = 540;
31 * @var Container: contains conf, plugins, etc.
36 * @var ConfigManager instance.
41 * ApiMiddleware constructor.
43 * @param Container $container instance.
45 public function __construct($container)
47 $this->container
= $container;
48 $this->conf
= $this->container
->get('conf');
49 $this->setLinkDb($this->conf
);
53 * Middleware execution:
54 * - check the API request
55 * - execute the controller
56 * - return the response
58 * @param Request $request Slim request
59 * @param Response $response Slim response
60 * @param callable $next Next action
62 * @return Response response.
64 public function __invoke($request, $response, $next)
67 $this->checkRequest($request);
68 $response = $next($request, $response);
69 } catch (ApiException
$e) {
70 $e->setResponse($response);
71 $e->setDebug($this->conf
->get('dev.debug', false));
72 $response = $e->getApiResponse();
76 ->withHeader('Access-Control-Allow-Origin', '*')
78 'Access-Control-Allow-Headers',
79 'X-Requested-With, Content-Type, Accept, Origin, Authorization'
81 ->withHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS')
86 * Check the request validity (HTTP method, request value, etc.),
87 * that the API is enabled, and the JWT token validity.
89 * @param Request $request Slim request
91 * @throws ApiAuthorizationException The API is disabled or the token is invalid.
93 protected function checkRequest($request)
95 if (! $this->conf
->get('api.enabled', true)) {
96 throw new ApiAuthorizationException('API is disabled');
98 $this->checkToken($request);
102 * Check that the JWT token is set and valid.
103 * The API secret setting must be set.
105 * @param Request $request Slim request
107 * @throws ApiAuthorizationException The token couldn't be validated.
109 protected function checkToken($request)
111 if (!$request->hasHeader('Authorization')
112 && !isset($this->container
->environment
['REDIRECT_HTTP_AUTHORIZATION'])
114 throw new ApiAuthorizationException('JWT token not provided');
117 if (empty($this->conf
->get('api.secret'))) {
118 throw new ApiAuthorizationException('Token secret must be set in Shaarli\'s administration');
121 if (isset($this->container
->environment
['REDIRECT_HTTP_AUTHORIZATION'])) {
122 $authorization = $this->container
->environment
['REDIRECT_HTTP_AUTHORIZATION'];
124 $authorization = $request->getHeaderLine('Authorization');
127 if (! preg_match('/^Bearer (.*)/i', $authorization, $matches)) {
128 throw new ApiAuthorizationException('Invalid JWT header');
131 ApiUtils
::validateJwtToken($matches[1], $this->conf
->get('api.secret'));
135 * Instantiate a new LinkDB including private bookmarks,
136 * and load in the Slim container.
138 * FIXME! LinkDB could use a refactoring to avoid this trick.
140 * @param ConfigManager $conf instance.
142 protected function setLinkDb($conf)
144 $linkDb = new BookmarkFileService(
146 $this->container
->get('history'),
147 new FlockMutex(fopen(SHAARLI_MUTEX_FILE
, 'r'), 2),
150 $this->container
['db'] = $linkDb;