1. In `AppAPIAuthMiddleware` we should check for the `AUTHORIZATION-APP-API` header first, so that no DB request is performed before it. 2. In `validateExAppRequestToNC` we should do the same for the 'EX-APP-ID' header. 3. Removed the debug log from `getExApp` so it does not spam the logs. --------- Signed-off-by: Alexander Piskun <bigcat88@icloud.com>
<?php
declare(strict_types=1);
namespace OCA\AppAPI\Middleware;
use Exception;
use OCA\AppAPI\Attribute\AppAPIAuth;
use OCA\AppAPI\Exceptions\AppAPIAuthNotValidException;
use OCA\AppAPI\Service\AppAPIService;
use OCP\AppFramework\Controller;
use OCP\AppFramework\Http;
use OCP\AppFramework\Http\JSONResponse;
use OCP\AppFramework\Http\Response;
use OCP\AppFramework\Middleware;
use OCP\IL10N;
use OCP\IRequest;
use Psr\Log\LoggerInterface;
use ReflectionMethod;
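class AppAPIAuthMiddleware extends Middleware {

	public function __construct(
		private AppAPIService $service,
		protected IRequest $request,
		private IL10N $l,
		private LoggerInterface $logger,
	) {
	}

	/**
	 * Authenticates requests to controller methods marked with the AppAPIAuth attribute.
	 *
	 * The header presence test is only a cheap pre-filter so that requests carrying
	 * no AppAPI credentials at all never reach AppAPIService (and its lookups);
	 * the actual credential verification is done by validateExAppRequestToNC.
	 * Methods without the attribute are left untouched.
	 *
	 * @param Controller $controller the controller that is being called
	 * @param string $methodName the name of the method that will be called on the controller
	 * @throws AppAPIAuthNotValidException when a security check fails
	 * @throws \ReflectionException when $methodName does not exist on $controller
	 */
	public function beforeController(Controller $controller, string $methodName): void {
		$reflectionMethod = new ReflectionMethod($controller, $methodName);

		$isAppAPIAuth = !empty($reflectionMethod->getAttributes(AppAPIAuth::class));
		if (!$isAppAPIAuth) {
			return;
		}

		// Compare with the empty string explicitly: getHeader() yields '' for a missing
		// header, and a plain truthiness test would also reject a literal "0" value.
		if ($this->request->getHeader('AUTHORIZATION-APP-API') === '') {
			throw $this->authenticationFailed();
		}
		if (!$this->service->validateExAppRequestToNC($this->request)) {
			throw $this->authenticationFailed();
		}
	}

	/**
	 * Builds the exception thrown for every failed check, so that the client always
	 * receives the same message and status regardless of which check failed.
	 */
	private function authenticationFailed(): AppAPIAuthNotValidException {
		return new AppAPIAuthNotValidException($this->l->t('AppAPI authentication failed'), Http::STATUS_UNAUTHORIZED);
	}

	/**
	 * Turns an AppAPIAuthNotValidException into a JSON error response; every other
	 * exception is re-thrown so the next middleware can handle it.
	 *
	 * Only the exception message is sent back to the client; the exception object
	 * itself goes to the debug log.
	 *
	 * @param Controller $controller the controller that is being called
	 * @param string $methodName the name of the method that will be called on the controller
	 * @param Exception $exception the thrown exception
	 * @return Response JSON response carrying the failure message and HTTP status
	 * @throws Exception the passed in exception if it can't handle it
	 */
	public function afterException(Controller $controller, string $methodName, Exception $exception): Response {
		if (!$exception instanceof AppAPIAuthNotValidException) {
			throw $exception;
		}

		$this->logger->debug($exception->getMessage(), [
			'exception' => $exception,
		]);

		// The exception code carries the HTTP status; fall back to 401 when the
		// exception was constructed without one, so a status of 0 never reaches the client.
		$status = $exception->getCode() ?: Http::STATUS_UNAUTHORIZED;
		return new JSONResponse(['message' => $exception->getMessage()], $status);
	}
}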