User-based API key. Closes #256.

2025-01-17 13:38:20 +01:00 · 2015-01-03 17:51:35 +00:00 · 2015-01-03 17:51:35 +00:00 · 3d4c38c7ee
commit 3d4c38c7ee
parent 1d30133851
9 changed files with 187 additions and 1 deletions
--- a/app/config/app.php
+++ b/app/config/app.php
@ -128,9 +128,10 @@ return [
        'Roumen\Feed\FeedServiceProvider',
        'Thujohn\Rss\RssServiceProvider',

+        'CachetHQ\Cachet\Providers\AuthServiceProvider',
+        'CachetHQ\Cachet\Providers\ConsoleServiceProvider',
        'CachetHQ\Cachet\Providers\RepositoryServiceProvider',
        'CachetHQ\Cachet\Providers\RoutingServiceProvider',
-        'CachetHQ\Cachet\Providers\ConsoleServiceProvider',

    ],

--- a/app/config/packages/dingo/api/config.php
+++ b/app/config/packages/dingo/api/config.php
@ -76,9 +76,15 @@ return [
    */

    'auth' => [
+
        'basic' => function ($app) {
            return new Dingo\Api\Auth\BasicProvider($app['auth']);
        },
+
+        'api_key' => function ($app) {
+            return new CachetHQ\Cachet\Auth\ApiKeyAuthenticator();
+        },
+
    ],

    /*
--- a/app/database/migrations/2015_01_03_120438_AlterTableUsersAddApiKey.php
+++ b/app/database/migrations/2015_01_03_120438_AlterTableUsersAddApiKey.php
@ -0,0 +1,32 @@
+<?php
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+class AlterTableUsersAddApiKey extends Migration
+{
+    /**
+     * Run the migrations.
+     *
+     * @return void
+     */
+    public function up()
+    {
+        Schema::table('users', function (Blueprint $table) {
+            $table->string('api_key')->after('email');
+        });
+    }
+
+    /**
+     * Reverse the migrations.
+     *
+     * @return void
+     */
+    public function down()
+    {
+        Schema::table('users', function (Blueprint $table) {
+            $table->dropColumn();
+        });
+    }
+}
--- a/app/routes/dashboard.php
+++ b/app/routes/dashboard.php
@ -37,6 +37,7 @@ Route::group(['before' => 'auth', 'prefix' => 'dashboard', 'namespace' => 'Cache

    // User Settings
    Route::get('user', ['as' => 'dashboard.user', 'uses' => 'DashUserController@showUser']);
+    Route::get('/user/{user}/api/regen', 'DashUserController@regenerateApiKey');
    Route::post('user', 'DashUserController@postUser');

    // Internal API.
--- a/app/views/dashboard/user/index.blade.php
+++ b/app/views/dashboard/user/index.blade.php
@ -33,9 +33,16 @@
                            <label>Password</label>
                            <input type='password' class='form-control' name='password' value='' />
                        </div>
+                        <hr />
+                        <div class='form-group'>
+                            <label>API Key</label>
+                            <input type='text' class='form-control' name='api_key' disabled value='{{ Auth::user()->api_key }}' />
+                            <span class='help-block'>Regenerating your API key will revoke all existing applications.</span>
+                        </div>
                    </fieldset>

                    <button type="submit" class="btn btn-success">Update profile</button>
+                    <a href='/dashboard/user/{{ Auth::user()->id }}/api/regen' class='btn btn-warning'>Regenerate API Key</a>
                </form>
            </div>
        </div>
--- a/src/Auth/ApiKeyAuthenticator.php
+++ b/src/Auth/ApiKeyAuthenticator.php
@ -0,0 +1,48 @@
+<?php
+
+namespace CachetHQ\Cachet\Auth;
+
+use CachetHQ\Cachet\Models\User;
+use Dingo\Api\Auth\AuthorizationProvider;
+use Dingo\Api\Routing\Route;
+use Illuminate\Database\Eloquent\ModelNotFoundException;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;
+
+class ApiKeyAuthenticator extends AuthorizationProvider
+{
+    /**
+     * Authenticate the request and return the authenticated user instance.
+     *
+     * @param \Illuminate\Http\Request $request
+     * @param \Dingo\Api\Routing\Route $route
+     *
+     * @throws \Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException
+     *
+     * @return \CachetHQ\Cachet\Models\User
+     */
+    public function authenticate(Request $request, Route $route)
+    {
+        $api_key = $request->input('api_key', false);
+
+        if ($api_key === false) {
+            throw new UnauthorizedHttpException(null, 'You did not provide an API key.');
+        }
+
+        try {
+            return User::findByApiKey($api_key);
+        } catch (ModelNotFoundException $e) {
+            throw new UnauthorizedHttpException(null, 'The API key you provided was not correct.');
+        }
+    }
+
+    /**
+     * Get the providers authorization method.
+     *
+     * @return string
+     */
+    public function getAuthorizationMethod()
+    {
+        return 'api_key';
+    }
+}
--- a/src/Http/Controllers/DashUserController.php
+++ b/src/Http/Controllers/DashUserController.php
@ -2,6 +2,7 @@

 namespace CachetHQ\Cachet\Http\Controllers;

+use CachetHQ\Cachet\Models\User;
 use GrahamCampbell\Binput\Facades\Binput;
 use Illuminate\Routing\Controller;
 use Illuminate\Support\Facades\Auth;
@ -35,4 +36,17 @@ class DashUserController extends Controller

        return Redirect::back()->with('updated', $updated);
    }
+
+    /**
+     * Regenerates the users API key.
+     *
+     * @return \Illuminate\View\View
+     */
+    public function regenerateApiKey(User $user)
+    {
+        $user->api_key = User::generateApiKey();
+        $user->save();
+
+        return Redirect::back();
+    }
 }
--- a/src/Models/User.php
+++ b/src/Models/User.php
@ -7,6 +7,7 @@ use Illuminate\Auth\Reminders\RemindableTrait;
 use Illuminate\Auth\UserInterface;
 use Illuminate\Auth\UserTrait;
 use Illuminate\Database\Eloquent\Model;
+use Illuminate\Database\Eloquent\ModelNotFoundException;
 use Illuminate\Support\Facades\Hash;

 /**
@ -47,6 +48,20 @@ class User extends Model implements UserInterface, RemindableInterface
     */
    protected $guarded = [];

+    /**
+     * Overrides the models boot method.
+     *
+     * @return void
+     */
+    public static function boot()
+    {
+        parent::boot();
+
+        self::creating(function ($user) {
+            $user->api_key = self::generateApiKey();
+        });
+    }
+
    /**
     * Hash any password being inserted by default.
     *
@ -72,4 +87,35 @@ class User extends Model implements UserInterface, RemindableInterface
    {
        return sprintf('https://www.gravatar.com/avatar/%s?size=%d', md5($this->email), $size);
    }
+
+    /**
+     * Find by api_key, or throw an exception.
+     *
+     * @param string   $api_key
+     * @param string[] $columns
+     *
+     * @throws \Illuminate\Database\Eloquent\ModelNotFoundException
+     *
+     * @return \CachetHQ\Cachet\Models\User
+     */
+    public static function findByApiKey($api_key, $columns = ['*'])
+    {
+        $user = static::where('api_key', $api_key)->first($columns);
+
+        if (!$user) {
+            throw new ModelNotFoundException();
+        }
+
+        return $user;
+    }
+
+    /**
+     * Returns an API key.
+     *
+     * @return string
+     */
+    public static function generateApiKey()
+    {
+        return str_random(20);
+    }
 }
--- a/src/Providers/AuthServiceProvider.php
+++ b/src/Providers/AuthServiceProvider.php
@ -0,0 +1,31 @@
+<?php
+
+namespace CachetHQ\Cachet\Providers;
+
+use CachetHQ\Cachet\Auth\ApiKeyAuthenticator;
+use Illuminate\Support\ServiceProvider;
+
+class AuthServiceProvider extends ServiceProvider
+{
+    /**
+     * Boot the service provider.
+     *
+     * @return void
+     */
+    public function boot()
+    {
+        //
+    }
+
+    /**
+     * Register the service provider.
+     *
+     * @return void
+     */
+    public function register()
+    {
+        $this->app->bindShared('CachetHQ\Cachet\Auth\ApiKeyAuthenticator', function () {
+            return new ApiKeyAuthenticator();
+        });
+    }
+}