Added middleware

Author: TomHAnderson

src/Http/Middleware/AuthorizeApiKey.php

@@ -0,0 +1,53 @@
+<?php
+
+namespace ApiSkeletons\Laravel\Doctrine\ApiKey\Http\Middleware;
+
+use ApiSkeletons\Laravel\Doctrine\ApiKey\Service\ApiKeyService;
+use Illuminate\Http\Request;
+
+class AuthorizeApiKey
+{
+    private ApiKeyService $apiKeyService;
+
+    public function __construct(ApiKeyService $apiKeyService)
+    {
+        $this->apiKeyService = $apiKeyService;
+    }
+
+    /**
+     * Handle request
+     *
+     * @param Request $request
+     * @param Closure $next
+     * @return mixed
+     */
+    public function handle(Request $request, \Closure $next, string $scope = null)
+    {
+        $header = $request->header('Authorization');
+        // Remove Bearer from key prefix
+        $key = substr($header, 7);
+
+        $apiKey = $this->apiKeyService->isActive($key);
+        if ($apiKey) {
+            if ($scope) {
+                // If a scope is passed then verify it exists for the key
+                if ($this->apiKeyService->hasScope($key, $scope)) {
+                    $this->apiKeyService->logAccessEvent($request, $apiKey);
+
+                    return $next($request);
+                }
+            } else {
+                $this->apiKeyService->logAccessEvent($request, $apiKey);
+
+                return $next($request);
+            }
+        }
+
+        return response([
+            'errors' => [[
+                'message' => 'Unauthorized'
+            ]]
+        ], 401);
+    }
+}
+

src/Service/ApiKeyService.php

@@ -2,10 +2,12 @@
 
 namespace ApiSkeletons\Laravel\Doctrine\ApiKey\Service;
 
+use ApiSkeletons\Laravel\Doctrine\ApiKey\Entity\AccessEvent;
 use ApiSkeletons\Laravel\Doctrine\ApiKey\Entity\ApiKey;
 use ApiSkeletons\Laravel\Doctrine\ApiKey\Entity\Scope;
 use Doctrine\ORM\EntityManager;
 use Doctrine\ORM\Mapping\Driver\XmlDriver;
+use Illuminate\Http\Request;
 
 class ApiKeyService
 {
@@ -35,18 +37,18 @@ public function init(EntityManager $entityManager): self|bool
         return $this;
     }
 
-    public function isActive(string $key): bool
+    public function isActive(string $key): ApiKey|bool
     {
         $apiKey = $this->entityManager->getRepository(ApiKey::class)
             ->findOneBy([
                 'key' => $key,
             ]);
 
-        if (! $apiKey) {
+        if (! $apiKey || ! $apiKey->getIsActive()) {
             return false;
         }
 
-        return $apiKey->getIsActive();
+        return $apiKey;
     }
 
     public function hasScope(string $key, string $scopeName): bool
@@ -76,4 +78,22 @@ public function hasScope(string $key, string $scopeName): bool
         return $found;
     }
 
+    /**
+     * Log an access event
+     *
+     * @param Request $request
+     * @param ApiKey $apiKey
+     */
+    public function logAccessEvent(Request $request, ApiKey $apiKey)
+    {
+        $event = (new AccessEvent())
+            ->setCreatedAt(new \DateTime())
+            ->setApiKey($apiKey)
+            ->setIpAddress($request->ip())
+            ->setUrl($request->fullUrl())
+        ;
+
+        $this->getEntityManager()->persist($event);
+        $this->getEntityManager()->flush();
+    }
 }

test/Feature/Http/Middleware/AuthorizeApiKeyTest.php

@@ -0,0 +1,83 @@
+<?php
+
+namespace ApiSkeletonsTest\Laravel\Doctrine\ApiKey\Feature\Http\Middleware;
+
+use ApiSkeletons\Laravel\Doctrine\ApiKey\Entity\ApiKey;
+use ApiSkeletons\Laravel\Doctrine\ApiKey\Entity\Scope;
+use ApiSkeletons\Laravel\Doctrine\ApiKey\Http\Middleware\AuthorizeApiKey;
+use ApiSkeletons\Laravel\Doctrine\ApiKey\Service\ApiKeyService;
+use ApiSkeletonsTest\Laravel\Doctrine\ApiKey\TestCase;
+use Illuminate\Http\Request;
+
+final class AuthorizeApiKeyTest extends TestCase
+{
+    public function testApiKeyAuthorizesRequest(): void
+    {
+        $entityManager = $this->createDatabase(app('em'));
+        $apiKeyRepository = $entityManager->getRepository(ApiKey::class);
+
+        $apiKey = $apiKeyRepository->generate('testing');
+        $entityManager->flush();
+
+        $request = Request::create('/apiresource', 'GET');
+        $request->headers->set('Authorization', 'Bearer ' . $apiKey->getKey());
+
+        $middleware = new AuthorizeApiKey(app(ApiKeyService::class));
+
+        $response = $middleware->handle($request, function() {});
+        $this->assertNull($response);
+    }
+
+    public function testApiKeyDoesNotAuthorizeRequest(): void
+    {
+        $entityManager = $this->createDatabase(app('em'));
+
+        $request = Request::create('/apiresource', 'GET');
+
+        $middleware = new AuthorizeApiKey(app(ApiKeyService::class));
+
+        $response = $middleware->handle($request, function() {});
+        $this->assertNotNull($response);
+    }
+
+    public function testApiKeyAuthorizesRequestWithScope(): void
+    {
+        $entityManager = $this->createDatabase(app('em'));
+        $apiKeyRepository = $entityManager->getRepository(ApiKey::class);
+        $scopeRepository = $entityManager->getRepository(Scope::class);
+
+        $apiKey = $apiKeyRepository->generate('testing');
+        $scope = $scopeRepository->generate('scopetest');
+        $entityManager->flush();
+
+        $apiKeyRepository->addScope($apiKey, $scope);
+        $entityManager->flush();
+
+        $request = Request::create('/apiresource', 'GET');
+        $request->headers->set('Authorization', 'Bearer ' . $apiKey->getKey());
+
+        $middleware = new AuthorizeApiKey(app(ApiKeyService::class));
+
+        $response = $middleware->handle($request, function() {}, $scope->getName());
+        $this->assertNull($response);
+    }
+
+    public function testApiKeyDoesNotAuthorizeRequestWithInvalidScope(): void
+    {
+        $entityManager = $this->createDatabase(app('em'));
+        $apiKeyRepository = $entityManager->getRepository(ApiKey::class);
+        $scopeRepository = $entityManager->getRepository(Scope::class);
+
+        $apiKey = $apiKeyRepository->generate('testing');
+        $scope = $scopeRepository->generate('scopetest');
+        $entityManager->flush();
+
+        $request = Request::create('/apiresource', 'GET');
+        $request->headers->set('Authorization', 'Bearer ' . $apiKey->getKey());
+
+        $middleware = new AuthorizeApiKey(app(ApiKeyService::class));
+
+        $response = $middleware->handle($request, function() {}, $scope->getName());
+        $this->assertNotNull($response);
+    }
+}

test/Feature/Service/ApiKeyServiceTest.php

@@ -38,7 +38,8 @@ public function testIsActive(): void
         $apiKey = $apiKeyRepository->generate('testing');
         $entityManager->flush();
 
-        $this->assertTrue($apiKeyService->isActive($apiKey->getKey()));
+        $apiKey = $apiKeyService->isActive($apiKey->getKey());
+        $this->assertInstanceOf(ApiKey::class, $apiKey);
     }
 
     public function testIsActiveReturnsFalseForInvalidKey(): void