diff options
| -rw-r--r-- | application/api/ApiMiddleware.php | 24 | ||||
| -rw-r--r-- | tests/api/ApiMiddlewareTest.php | 47 |
2 files changed, 64 insertions, 7 deletions
diff --git a/application/api/ApiMiddleware.php b/application/api/ApiMiddleware.php index 7f1e7fca..f5b53b01 100644 --- a/application/api/ApiMiddleware.php +++ b/application/api/ApiMiddleware.php | |||
| @@ -3,6 +3,7 @@ namespace Shaarli\Api; | |||
| 3 | 3 | ||
| 4 | use Shaarli\Api\Exceptions\ApiAuthorizationException; | 4 | use Shaarli\Api\Exceptions\ApiAuthorizationException; |
| 5 | use Shaarli\Api\Exceptions\ApiException; | 5 | use Shaarli\Api\Exceptions\ApiException; |
| 6 | use Shaarli\Bookmark\BookmarkFileService; | ||
| 6 | use Shaarli\Config\ConfigManager; | 7 | use Shaarli\Config\ConfigManager; |
| 7 | use Slim\Container; | 8 | use Slim\Container; |
| 8 | use Slim\Http\Request; | 9 | use Slim\Http\Request; |
| @@ -70,7 +71,14 @@ class ApiMiddleware | |||
| 70 | $response = $e->getApiResponse(); | 71 | $response = $e->getApiResponse(); |
| 71 | } | 72 | } |
| 72 | 73 | ||
| 73 | return $response; | 74 | return $response |
| 75 | ->withHeader('Access-Control-Allow-Origin', '*') | ||
| 76 | ->withHeader( | ||
| 77 | 'Access-Control-Allow-Headers', | ||
| 78 | 'X-Requested-With, Content-Type, Accept, Origin, Authorization' | ||
| 79 | ) | ||
| 80 | ->withHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS') | ||
| 81 | ; | ||
| 74 | } | 82 | } |
| 75 | 83 | ||
| 76 | /** | 84 | /** |
| @@ -99,7 +107,9 @@ class ApiMiddleware | |||
| 99 | */ | 107 | */ |
| 100 | protected function checkToken($request) | 108 | protected function checkToken($request) |
| 101 | { | 109 | { |
| 102 | if (! $request->hasHeader('Authorization') && !isset($this->container->environment['REDIRECT_HTTP_AUTHORIZATION'])) { | 110 | if (!$request->hasHeader('Authorization') |
| 111 | && !isset($this->container->environment['REDIRECT_HTTP_AUTHORIZATION']) | ||
| 112 | ) { | ||
| 103 | throw new ApiAuthorizationException('JWT token not provided'); | 113 | throw new ApiAuthorizationException('JWT token not provided'); |
| 104 | } | 114 | } |
| 105 | 115 | ||
| @@ -121,7 +131,7 @@ class ApiMiddleware | |||
| 121 | } | 131 | } |
| 122 | 132 | ||
| 123 | /** | 133 | /** |
| 124 | * Instantiate a new LinkDB including private links, | 134 | * Instantiate a new LinkDB including private bookmarks, |
| 125 | * and load in the Slim container. | 135 | * and load in the Slim container. |
| 126 | * | 136 | * |
| 127 | * FIXME! LinkDB could use a refactoring to avoid this trick. | 137 | * FIXME! LinkDB could use a refactoring to avoid this trick. |
| @@ -130,10 +140,10 @@ class ApiMiddleware | |||
| 130 | */ | 140 | */ |
| 131 | protected function setLinkDb($conf) | 141 | protected function setLinkDb($conf) |
| 132 | { | 142 | { |
| 133 | $linkDb = new \Shaarli\Bookmark\LinkDB( | 143 | $linkDb = new BookmarkFileService( |
| 134 | $conf->get('resource.datastore'), | 144 | $conf, |
| 135 | true, | 145 | $this->container->get('history'), |
| 136 | $conf->get('privacy.hide_public_links') | 146 | true |
| 137 | ); | 147 | ); |
| 138 | $this->container['db'] = $linkDb; | 148 | $this->container['db'] = $linkDb; |
| 139 | } | 149 | } |
diff --git a/tests/api/ApiMiddlewareTest.php b/tests/api/ApiMiddlewareTest.php index b157e4a7..32031750 100644 --- a/tests/api/ApiMiddlewareTest.php +++ b/tests/api/ApiMiddlewareTest.php | |||
| @@ -67,6 +67,53 @@ class ApiMiddlewareTest extends \PHPUnit\Framework\TestCase | |||
| 67 | } | 67 | } |
| 68 | 68 | ||
| 69 | /** | 69 | /** |
| 70 | * Invoke the middleware with a valid token | ||
| 71 | */ | ||
| 72 | public function testInvokeMiddlewareWithValidToken(): void | ||
| 73 | { | ||
| 74 | $next = function (Request $request, Response $response): Response { | ||
| 75 | return $response; | ||
| 76 | }; | ||
| 77 | $mw = new ApiMiddleware($this->container); | ||
| 78 | $env = Environment::mock([ | ||
| 79 | 'REQUEST_METHOD' => 'GET', | ||
| 80 | 'REQUEST_URI' => '/echo', | ||
| 81 | 'HTTP_AUTHORIZATION'=> 'Bearer ' . ApiUtilsTest::generateValidJwtToken('NapoleonWasALizard'), | ||
| 82 | ]); | ||
| 83 | $request = Request::createFromEnvironment($env); | ||
| 84 | $response = new Response(); | ||
| 85 | /** @var Response $response */ | ||
| 86 | $response = $mw($request, $response, $next); | ||
| 87 | |||
| 88 | $this->assertEquals(200, $response->getStatusCode()); | ||
| 89 | } | ||
| 90 | |||
| 91 | /** | ||
| 92 | * Invoke the middleware with a valid token | ||
| 93 | * Using specific Apache CGI redirected authorization. | ||
| 94 | */ | ||
| 95 | public function testInvokeMiddlewareWithValidTokenFromRedirectedHeader(): void | ||
| 96 | { | ||
| 97 | $next = function (Request $request, Response $response): Response { | ||
| 98 | return $response; | ||
| 99 | }; | ||
| 100 | |||
| 101 | $token = 'Bearer ' . ApiUtilsTest::generateValidJwtToken('NapoleonWasALizard'); | ||
| 102 | $this->container->environment['REDIRECT_HTTP_AUTHORIZATION'] = $token; | ||
| 103 | $mw = new ApiMiddleware($this->container); | ||
| 104 | $env = Environment::mock([ | ||
| 105 | 'REQUEST_METHOD' => 'GET', | ||
| 106 | 'REQUEST_URI' => '/echo', | ||
| 107 | ]); | ||
| 108 | $request = Request::createFromEnvironment($env); | ||
| 109 | $response = new Response(); | ||
| 110 | /** @var Response $response */ | ||
| 111 | $response = $mw($request, $response, $next); | ||
| 112 | |||
| 113 | $this->assertEquals(200, $response->getStatusCode()); | ||
| 114 | } | ||
| 115 | |||
| 116 | /** | ||
| 70 | * Invoke the middleware with the API disabled: | 117 | * Invoke the middleware with the API disabled: |
| 71 | * should return a 401 error Unauthorized. | 118 | * should return a 401 error Unauthorized. |
| 72 | */ | 119 | */ |