application/api/ApiMiddleware.php

   1 <?php
   2
   3 namespace Shaarli\Api;
   4
   5 use malkusch\lock\mutex\FlockMutex;
   6 use Shaarli\Api\Exceptions\ApiAuthorizationException;
   7 use Shaarli\Api\Exceptions\ApiException;
   8 use Shaarli\Bookmark\BookmarkFileService;
   9 use Shaarli\Config\ConfigManager;
  10 use Slim\Container;
  11 use Slim\Http\Request;
  12 use Slim\Http\Response;
  13
  14 /**
  15  * Class ApiMiddleware
  16  *
  17  * This will be called before accessing any API Controller.
  18  * Its role is to make sure that the API is enabled, configured, and to validate the JWT token.
  19  *
  20  * If the request is validated, the controller is called, otherwise a JSON error response is returned.
  21  *
  22  * @package Api
  23  */
  24 class ApiMiddleware
  25 {
  26     /**
  27      * @var int JWT token validity in seconds (9 min).
  28      */
  29     public static $TOKEN_DURATION = 540;
  30
  31     /**
  32      * @var Container: contains conf, plugins, etc.
  33      */
  34     protected $container;
  35
  36     /**
  37      * @var ConfigManager instance.
  38      */
  39     protected $conf;
  40
  41     /**
  42      * ApiMiddleware constructor.
  43      *
  44      * @param Container $container instance.
  45      */
  46     public function __construct($container)
  47     {
  48         $this->container = $container;
  49         $this->conf = $this->container->get('conf');
  50         $this->setLinkDb($this->conf);
  51     }
  52
  53     /**
  54      * Middleware execution:
  55      *   - check the API request
  56      *   - execute the controller
  57      *   - return the response
  58      *
  59      * @param  Request  $request  Slim request
  60      * @param  Response $response Slim response
  61      * @param  callable $next     Next action
  62      *
  63      * @return Response response.
  64      */
  65     public function __invoke($request, $response, $next)
  66     {
  67         try {
  68             $this->checkRequest($request);
  69             $response = $next($request, $response);
  70         } catch (ApiException $e) {
  71             $e->setResponse($response);
  72             $e->setDebug($this->conf->get('dev.debug', false));
  73             $response = $e->getApiResponse();
  74         }
  75
  76         return $response
  77             ->withHeader('Access-Control-Allow-Origin', '*')
  78             ->withHeader(
  79                 'Access-Control-Allow-Headers',
  80                 'X-Requested-With, Content-Type, Accept, Origin, Authorization'
  81             )
  82             ->withHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS')
  83         ;
  84     }
  85
  86     /**
  87      * Check the request validity (HTTP method, request value, etc.),
  88      * that the API is enabled, and the JWT token validity.
  89      *
  90      * @param  Request $request  Slim request
  91      *
  92      * @throws ApiAuthorizationException The API is disabled or the token is invalid.
  93      */
  94     protected function checkRequest($request)
  95     {
  96         if (! $this->conf->get('api.enabled', true)) {
  97             throw new ApiAuthorizationException('API is disabled');
  98         }
  99         $this->checkToken($request);
 100     }
 101
 102     /**
 103      * Check that the JWT token is set and valid.
 104      * The API secret setting must be set.
 105      *
 106      * @param  Request $request  Slim request
 107      *
 108      * @throws ApiAuthorizationException The token couldn't be validated.
 109      */
 110     protected function checkToken($request)
 111     {
 112         if (
 113             !$request->hasHeader('Authorization')
 114             && !isset($this->container->environment['REDIRECT_HTTP_AUTHORIZATION'])
 115         ) {
 116             throw new ApiAuthorizationException('JWT token not provided');
 117         }
 118
 119         if (empty($this->conf->get('api.secret'))) {
 120             throw new ApiAuthorizationException('Token secret must be set in Shaarli\'s administration');
 121         }
 122
 123         if (isset($this->container->environment['REDIRECT_HTTP_AUTHORIZATION'])) {
 124             $authorization = $this->container->environment['REDIRECT_HTTP_AUTHORIZATION'];
 125         } else {
 126             $authorization = $request->getHeaderLine('Authorization');
 127         }
 128
 129         if (! preg_match('/^Bearer (.*)/i', $authorization, $matches)) {
 130             throw new ApiAuthorizationException('Invalid JWT header');
 131         }
 132
 133         ApiUtils::validateJwtToken($matches[1], $this->conf->get('api.secret'));
 134     }
 135
 136     /**
 137      * Instantiate a new LinkDB including private bookmarks,
 138      * and load in the Slim container.
 139      *
 140      * FIXME! LinkDB could use a refactoring to avoid this trick.
 141      *
 142      * @param ConfigManager $conf instance.
 143      */
 144     protected function setLinkDb($conf)
 145     {
 146         $linkDb = new BookmarkFileService(
 147             $conf,
 148             $this->container->get('pluginManager'),
 149             $this->container->get('history'),
 150             new FlockMutex(fopen(SHAARLI_MUTEX_FILE, 'r'), 2),
 151             true
 152         );
 153         $this->container['db'] = $linkDb;
 154     }
 155 }