From 3f03d6b1d891836d654512d68c98370066becdb0 Mon Sep 17 00:00:00 2001
From: Igor Scheller
Date: Tue, 2 Jan 2024 13:05:32 +0100
Subject: [PATCH] API: Set access-control-allow-origin header on api responses, trim bearer api key

---
 src/Helpers/Authenticator.php                 |  2 +-
 src/Middleware/ApiRouteHandler.php            |  6 +++++-
 tests/Unit/Helpers/AuthenticatorTest.php      | 20 +++++++++++++++++++
 tests/Unit/Middleware/ApiRouteHandlerTest.php |  1 +
 4 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/src/Helpers/Authenticator.php b/src/Helpers/Authenticator.php
index 1c7e056f..01b733e5 100644
--- a/src/Helpers/Authenticator.php
+++ b/src/Helpers/Authenticator.php
@@ -165,7 +165,7 @@ class Authenticator
     {
         $header = $this->request->getHeader('authorization');
         if (!empty($header) && Str::startsWith(Str::lower($header[0]), 'bearer ')) {
-            return $this->userByApiKey(Str::substr($header[0], 7));
+            return $this->userByApiKey(trim(Str::substr($header[0], 7)));
         }
 
         $header = $this->request->getHeader('x-api-key');
diff --git a/src/Middleware/ApiRouteHandler.php b/src/Middleware/ApiRouteHandler.php
index 5fe4f549..f2a42a16 100644
--- a/src/Middleware/ApiRouteHandler.php
+++ b/src/Middleware/ApiRouteHandler.php
@@ -61,7 +61,7 @@ class ApiRouteHandler implements MiddlewareInterface
     {
         try {
             $response = $handler->handle($request);
-        } catch (ModelNotFoundException $e) {
+        } catch (ModelNotFoundException) {
             $response = new Response('', 404);
             $response->setContent($response->getReasonPhrase());
         } catch (HttpException $e) {
@@ -85,6 +85,10 @@ class ApiRouteHandler implements MiddlewareInterface
                 ->withBody($content);
         }
 
+        if (!$response->hasHeader('access-control-allow-origin')) {
+            $response = $response->withHeader('access-control-allow-origin', '*');
+        }
+
         $eTag = md5((string) $response->getBody());
         $response->setEtag($eTag);
 
diff --git a/tests/Unit/Helpers/AuthenticatorTest.php b/tests/Unit/Helpers/AuthenticatorTest.php
index f2bf4d3c..1c03c0a6 100644
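Review bot: The trimmed token is handed straight to userByApiKey, so a header of `Authorization: Bearer ` (scheme followed only by whitespace) now reaches the lookup as an empty string; unless userByApiKey rejects empty keys itself, that is a query for `api_key = ''`. A two-line guard keeps that case out of the lookup: `$apiKey = trim(Str::substr($header[0], 7));` followed by `return $apiKey === '' ? null : $this->userByApiKey($apiKey);` — assuming null is what userByApiKey returns when no user matches. The x-api-key branch that starts on the last context line is consumed outside the hunk, so whether it gets the same trim cannot be checked here; for consistency it should. userByHeaders continues past the end of the hunk.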
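Review bot: The wildcard origin is added unconditionally, including on responses produced for a session-authenticated user, and that is only safe because `*` cannot be combined with `Access-Control-Allow-Credentials: true` — a browser refuses to expose a credentialed cross-origin response under it. Nothing in the hunk states that invariant; a comment above the new `if`, such as `// '*' on purpose: it must never be paired with Access-Control-Allow-Credentials, or cookie-authenticated responses become readable cross-origin`, would stop a later change from adding the credentials header. Separately, the Authorization and x-api-key headers the Authenticator reads are not CORS-safelisted and trigger a preflight, and nothing here answers it with an Access-Control-Allow-Headers value, so unless OPTIONS is handled elsewhere a browser client using an API key still cannot call the API cross-origin; `->withHeader('access-control-allow-headers', 'Authorization, X-Api-Key, Content-Type')` chained onto the new withHeader would cover the headers visible in this patch. The enclosing method starts and ends outside the hunk.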
--- a/tests/Unit/Helpers/AuthenticatorTest.php
+++ b/tests/Unit/Helpers/AuthenticatorTest.php
@@ -184,6 +184,26 @@ class AuthenticatorTest extends ServiceProviderTest
         $this->assertEquals('F00Bar', $user->api_key);
     }
 
+    /**
+     * @covers \Engelsystem\Helpers\Authenticator::userByHeaders
+     */
+    public function testUserByHeadersBearerTrimApiKey(): void
+    {
+        $this->initDatabase();
+
+        $request = new Request();
+        $request = $request->withAttribute('route-api-accessible', true);
+        $session = new Session(new MockArraySessionStorage());
+        $this->app->instance('request', $request);
+
+        $request = $request->withHeader('authorization', 'bearer F00Bar ');
+        $auth = new Authenticator($request, $session, new User());
+        User::factory()->create(['api_key' => 'F00Bar']);
+        $user = $auth->user();
+        $this->assertInstanceOf(User::class, $user);
+        $this->assertEquals('F00Bar', $user->api_key);
+    }
+
     /**
      * @covers \Engelsystem\Helpers\Authenticator::resetApiKey
      */
diff --git a/tests/Unit/Middleware/ApiRouteHandlerTest.php b/tests/Unit/Middleware/ApiRouteHandlerTest.php
index 5cb35718..61b2eab3 100644
--- a/tests/Unit/Middleware/ApiRouteHandlerTest.php
+++ b/tests/Unit/Middleware/ApiRouteHandlerTest.php
@@ -67,6 +67,7 @@ class ApiRouteHandlerTest extends TestCase
         if ($isApi) {
             $this->assertEquals('application/json', $apiResponse->getHeaderLine('content-type'));
+            $this->assertEquals('*', $apiResponse->getHeaderLine('access-control-allow-origin'));
             $this->assertEquals('{"message":"response content"}', (string) $apiResponse->getBody());
             $this->assertNotEmpty($apiResponse->getHeaderLine('Etag'));
         } else {
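Review bot: The new test exercises only a single trailing space after the key, so the whitespace shapes that motivate the trim — extra spaces between the scheme and the key, or a trailing tab — remain uncovered, and a regression in either would pass this test. Turning the header value into a data-provider argument, or adding a second case with `'bearer  F00Bar '`, would pin the intended tolerance; the matching on `'bearer '` in the Authenticator is a prefix check, so the two-space form is the one most worth pinning. For a plain string comparison `$this->assertSame('F00Bar', $user->api_key);` is stricter than assertEquals, which the sibling test above also uses. The test body that follows the hunk (resetApiKey) is only partially visible here.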