[b8] master token fix (#1622)

* fixed not being able to use master token because id column no longer holds key * added flexibility of user_id column * added tests to confirm the api keys actually work as intended
2025-10-17 17:56:14 +02:00 · 2018-11-07 22:34:09 +01:00
parent fb185f70cd
commit bb0fc165af
4 changed files with 174 additions and 6 deletions
--- a/src/Api/ApiKey.php
+++ b/src/Api/ApiKey.php
@@ -11,7 +11,9 @@

 namespace Flarum\Api;

+use Carbon\Carbon;
 use Flarum\Database\AbstractModel;
+use Flarum\User\User;

 /**
 * @property int $id
@@ -19,11 +21,14 @@ use Flarum\Database\AbstractModel;
 * @property string|null $allowed_ips
 * @property string|null $scopes
 * @property int|null $user_id
+ * @property \Flarum\User\User|null $user
 * @property \Carbon\Carbon $created_at
 * @property \Carbon\Carbon|null $last_activity_at
 */
 class ApiKey extends AbstractModel
 {
+    protected $dates = ['last_activity_at'];
+
    /**
     * Generate an API key.
     *
@@ -37,4 +42,16 @@ class ApiKey extends AbstractModel

        return $key;
    }
+
+    public function touch()
+    {
+        $this->last_activity_at = Carbon::now();
+
+        return $this->save();
+    }
+
+    public function user()
+    {
+        return $this->belongsTo(User::class);
+    }
 }
--- a/src/Http/Middleware/AuthenticateWithHeader.php
+++ b/src/Http/Middleware/AuthenticateWithHeader.php
@@ -32,13 +32,14 @@ class AuthenticateWithHeader implements Middleware
        if (isset($parts[0]) && starts_with($parts[0], self::TOKEN_PREFIX)) {
            $id = substr($parts[0], strlen(self::TOKEN_PREFIX));

-            if (isset($parts[1])) {
-                if ($key = ApiKey::find($id)) {
-                    $actor = $this->getUser($parts[1]);
+            if ($key = ApiKey::where('key', $id)->first()) {
+                $key->touch();

-                    $request = $request->withAttribute('apiKey', $key);
-                    $request = $request->withAttribute('bypassFloodgate', true);
-                }
+                $userId = $parts[1] ?? '';
+                $actor = $key->user ?? $this->getUser($userId);
+
+                $request = $request->withAttribute('apiKey', $key);
+                $request = $request->withAttribute('bypassFloodgate', true);
            } elseif ($token = AccessToken::find($id)) {
                $token->touch();