application/api/ApiMiddleware.php

   1 <?php
   2 namespace Shaarli\Api;
   3
   4 use malkusch\lock\mutex\FlockMutex;
   5 use Shaarli\Api\Exceptions\ApiAuthorizationException;
   6 use Shaarli\Api\Exceptions\ApiException;
   7 use Shaarli\Bookmark\BookmarkFileService;
   8 use Shaarli\Config\ConfigManager;
   9 use Slim\Container;
  10 use Slim\Http\Request;
  11 use Slim\Http\Response;
  12
  13 /**
  14  * Class ApiMiddleware
  15  *
  16  * This will be called before accessing any API Controller.
  17  * Its role is to make sure that the API is enabled, configured, and to validate the JWT token.
  18  *
  19  * If the request is validated, the controller is called, otherwise a JSON error response is returned.
  20  *
  21  * @package Api
  22  */
  23 class ApiMiddleware
  24 {
  25     /**
  26      * @var int JWT token validity in seconds (9 min).
  27      */
  28     public static $TOKEN_DURATION = 540;
  29
  30     /**
  31      * @var Container: contains conf, plugins, etc.
  32      */
  33     protected $container;
  34
  35     /**
  36      * @var ConfigManager instance.
  37      */
  38     protected $conf;
  39
  40     /**
  41      * ApiMiddleware constructor.
  42      *
  43      * @param Container $container instance.
  44      */
  45     public function __construct($container)
  46     {
  47         $this->container = $container;
  48         $this->conf = $this->container->get('conf');
  49         $this->setLinkDb($this->conf);
  50     }
  51
  52     /**
  53      * Middleware execution:
  54      *   - check the API request
  55      *   - execute the controller
  56      *   - return the response
  57      *
  58      * @param  Request  $request  Slim request
  59      * @param  Response $response Slim response
  60      * @param  callable $next     Next action
  61      *
  62      * @return Response response.
  63      */
  64     public function __invoke($request, $response, $next)
  65     {
  66         try {
  67             $this->checkRequest($request);
  68             $response = $next($request, $response);
  69         } catch (ApiException $e) {
  70             $e->setResponse($response);
  71             $e->setDebug($this->conf->get('dev.debug', false));
  72             $response = $e->getApiResponse();
  73         }
  74
  75         return $response
  76             ->withHeader('Access-Control-Allow-Origin', '*')
  77             ->withHeader(
  78                 'Access-Control-Allow-Headers',
  79                 'X-Requested-With, Content-Type, Accept, Origin, Authorization'
  80             )
  81             ->withHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS')
  82         ;
  83     }
  84
  85     /**
  86      * Check the request validity (HTTP method, request value, etc.),
  87      * that the API is enabled, and the JWT token validity.
  88      *
  89      * @param  Request $request  Slim request
  90      *
  91      * @throws ApiAuthorizationException The API is disabled or the token is invalid.
  92      */
  93     protected function checkRequest($request)
  94     {
  95         if (! $this->conf->get('api.enabled', true)) {
  96             throw new ApiAuthorizationException('API is disabled');
  97         }
  98         $this->checkToken($request);
  99     }
 100
 101     /**
 102      * Check that the JWT token is set and valid.
 103      * The API secret setting must be set.
 104      *
 105      * @param  Request $request  Slim request
 106      *
 107      * @throws ApiAuthorizationException The token couldn't be validated.
 108      */
 109     protected function checkToken($request)
 110     {
 111         if (!$request->hasHeader('Authorization')
 112             && !isset($this->container->environment['REDIRECT_HTTP_AUTHORIZATION'])
 113         ) {
 114             throw new ApiAuthorizationException('JWT token not provided');
 115         }
 116
 117         if (empty($this->conf->get('api.secret'))) {
 118             throw new ApiAuthorizationException('Token secret must be set in Shaarli\'s administration');
 119         }
 120
 121         if (isset($this->container->environment['REDIRECT_HTTP_AUTHORIZATION'])) {
 122             $authorization = $this->container->environment['REDIRECT_HTTP_AUTHORIZATION'];
 123         } else {
 124             $authorization = $request->getHeaderLine('Authorization');
 125         }
 126
 127         if (! preg_match('/^Bearer (.*)/i', $authorization, $matches)) {
 128             throw new ApiAuthorizationException('Invalid JWT header');
 129         }
 130
 131         ApiUtils::validateJwtToken($matches[1], $this->conf->get('api.secret'));
 132     }
 133
 134     /**
 135      * Instantiate a new LinkDB including private bookmarks,
 136      * and load in the Slim container.
 137      *
 138      * FIXME! LinkDB could use a refactoring to avoid this trick.
 139      *
 140      * @param ConfigManager $conf instance.
 141      */
 142     protected function setLinkDb($conf)
 143     {
 144         $linkDb = new BookmarkFileService(
 145             $conf,
 146             $this->container->get('history'),
 147             new FlockMutex(fopen(SHAARLI_MUTEX_FILE, 'r'), 2),
 148             true
 149         );
 150         $this->container['db'] = $linkDb;
 151     }
 152 }