Updated CheckAuthenticationMiddleware to work with JWT and the Authorization header

2026-03-09 16:53:11 +08:00 · 2016-08-07 19:53:14 +02:00
parent 9573e9f4ef
commit 7b0beb3b8c
3 changed files with 91 additions and 32 deletions
--- a/module/Rest/src/Middleware/CheckAuthenticationMiddleware.php
+++ b/module/Rest/src/Middleware/CheckAuthenticationMiddleware.php
@@ -4,9 +4,9 @@ namespace Shlinkio\Shlink\Rest\Middleware;
 use Acelaya\ZsmAnnotatedServices\Annotation\Inject;
 use Psr\Http\Message\ResponseInterface as Response;
 use Psr\Http\Message\ServerRequestInterface as Request;
-use Shlinkio\Shlink\Common\Exception\InvalidArgumentException;
-use Shlinkio\Shlink\Rest\Service\RestTokenService;
-use Shlinkio\Shlink\Rest\Service\RestTokenServiceInterface;
+use Shlinkio\Shlink\Rest\Authentication\JWTService;
+use Shlinkio\Shlink\Rest\Authentication\JWTServiceInterface;
+use Shlinkio\Shlink\Rest\Exception\AuthenticationException;
 use Shlinkio\Shlink\Rest\Util\RestUtils;
 use Zend\Diactoros\Response\JsonResponse;
 use Zend\Expressive\Router\RouteResult;
@@ -15,28 +15,28 @@ use Zend\Stratigility\MiddlewareInterface;

 class CheckAuthenticationMiddleware implements MiddlewareInterface
 {
-    const AUTH_TOKEN_HEADER = 'X-Auth-Token';
+    const AUTHORIZATION_HEADER = 'Authorization';

-    /**
-     * @var RestTokenServiceInterface
-     */
-    private $restTokenService;
    /**
     * @var TranslatorInterface
     */
    private $translator;
+    /**
+     * @var JWTServiceInterface
+     */
+    private $jwtService;

    /**
     * CheckAuthenticationMiddleware constructor.
-     * @param RestTokenServiceInterface|RestTokenService $restTokenService
+     * @param JWTServiceInterface|JWTService $jwtService
     * @param TranslatorInterface $translator
     *
-     * @Inject({RestTokenService::class, "translator"})
+     * @Inject({JWTService::class, "translator"})
     */
-    public function __construct(RestTokenServiceInterface $restTokenService, TranslatorInterface $translator)
+    public function __construct(JWTServiceInterface $jwtService, TranslatorInterface $translator)
    {
-        $this->restTokenService = $restTokenService;
        $this->translator = $translator;
+        $this->jwtService = $jwtService;
    }

    /**
@@ -78,21 +78,46 @@ class CheckAuthenticationMiddleware implements MiddlewareInterface
        }

        // Check that the auth header was provided, and that it belongs to a non-expired token
-        if (! $request->hasHeader(self::AUTH_TOKEN_HEADER)) {
+        if (! $request->hasHeader(self::AUTHORIZATION_HEADER)) {
            return $this->createTokenErrorResponse();
        }

-        $authToken = $request->getHeaderLine(self::AUTH_TOKEN_HEADER);
+        // Get token making sure the an authorization type is provided
+        $authToken = $request->getHeaderLine(self::AUTHORIZATION_HEADER);
+        $authTokenParts = explode(' ', $authToken);
+        if (count($authTokenParts) === 1) {
+            return new JsonResponse([
+                'error' => RestUtils::INVALID_AUTHORIZATION_ERROR,
+                'message' => sprintf($this->translator->translate(
+                    'You need to provide the Bearer type in the %s header.'
+                ), self::AUTHORIZATION_HEADER),
+            ], 401);
+        }
+
+        // Make sure the authorization type is Bearer
+        list($authType, $jwt) = $authTokenParts;
+        if (strtolower($authType) !== 'bearer') {
+            return new JsonResponse([
+                'error' => RestUtils::INVALID_AUTHORIZATION_ERROR,
+                'message' => sprintf($this->translator->translate(
+                    'Provided authorization type %s is not supported. Use Bearer instead.'
+                ), $authType),
+            ], 401);
+        }
+
        try {
-            $restToken = $this->restTokenService->getByToken($authToken);
-            if ($restToken->isExpired()) {
+            if (! $this->jwtService->verify($jwt)) {
                return $this->createTokenErrorResponse();
            }

            // Update the token expiration and continue to next middleware
-            $this->restTokenService->updateExpiration($restToken);
-            return $out($request, $response);
-        } catch (InvalidArgumentException $e) {
+            $jwt = $this->jwtService->refresh($jwt);
+            /** @var Response $response */
+            $response = $out($request, $response);
+
+            // Return the response with the updated token on it
+            return $response->withHeader(self::AUTHORIZATION_HEADER, 'Bearer ' . $jwt);
+        } catch (AuthenticationException $e) {
            return $this->createTokenErrorResponse();
        }
    }
@@ -106,7 +131,7 @@ class CheckAuthenticationMiddleware implements MiddlewareInterface
                    'Missing or invalid auth token provided. Perform a new authentication request and send provided '
                    . 'token on every new request on the "%s" header'
                ),
-                self::AUTH_TOKEN_HEADER
+                self::AUTHORIZATION_HEADER
            ),
        ], 401);
    }