Created system of authentication plugins

module/Rest/src/Action/ShortUrl/SingleStepCreateShortUrlAction.php

@@ -43,9 +43,7 @@ class SingleStepCreateShortUrlAction extends AbstractCreateShortUrlAction
     {
         $query = $request->getQueryParams();
 
-        // Check provided API key
-        $apiKey = $this->apiKeyService->getByKey($query['apiKey'] ?? '');
-        if ($apiKey === null || ! $apiKey->isValid()) {
+        if (! $this->apiKeyService->check($query['apiKey'] ?? '')) {
             throw new InvalidArgumentException(
                 $this->translator->translate('No API key was provided or it is not valid')
             );

module/Rest/src/Authentication/AuthenticationPluginManager.php

@@ -0,0 +1,57 @@
+<?php
+declare(strict_types=1);
+
+namespace Shlinkio\Shlink\Rest\Authentication;
+
+use Psr\Container\ContainerExceptionInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Shlinkio\Shlink\Rest\Authentication\Plugin\ApiKeyHeaderPlugin;
+use Shlinkio\Shlink\Rest\Authentication\Plugin\AuthorizationHeaderPlugin;
+use Shlinkio\Shlink\Rest\Exception\NoAuthenticationException;
+use Zend\ServiceManager\AbstractPluginManager;
+use function array_filter;
+use function array_reduce;
+use function array_shift;
+
+class AuthenticationPluginManager extends AbstractPluginManager implements AuthenticationPluginManagerInterface
+{
+    // Headers here have to be defined in order of priority.
+    // When more than one is matched, the first one will take precedence
+    public const SUPPORTED_AUTH_HEADERS = [
+        ApiKeyHeaderPlugin::HEADER_NAME,
+        AuthorizationHeaderPlugin::HEADER_NAME,
+    ];
+
+    /**
+     * @throws ContainerExceptionInterface
+     * @throws NoAuthenticationException
+     */
+    public function fromRequest(ServerRequestInterface $request): Plugin\AuthenticationPluginInterface
+    {
+        if (! $this->hasAnySupportedHeader($request)) {
+            throw NoAuthenticationException::fromExpectedTypes([
+                ApiKeyHeaderPlugin::HEADER_NAME,
+                AuthorizationHeaderPlugin::HEADER_NAME,
+            ]);
+        }
+
+        return $this->get($this->getFirstAvailableHeader($request));
+    }
+
+    private function hasAnySupportedHeader(ServerRequestInterface $request): bool
+    {
+        return array_reduce(
+            self::SUPPORTED_AUTH_HEADERS,
+            function (bool $carry, string $header) use ($request) {
+                return $carry || $request->hasHeader($header);
+            },
+            false
+        );
+    }
+
+    private function getFirstAvailableHeader(ServerRequestInterface $request): string
+    {
+        $foundHeaders = array_filter(self::SUPPORTED_AUTH_HEADERS, [$request, 'hasHeader']);
+        return array_shift($foundHeaders) ?? '';
+    }
+}

module/Rest/src/Authentication/AuthenticationPluginManagerFactory.php

@@ -0,0 +1,31 @@
+<?php
+declare(strict_types=1);
+
+namespace Shlinkio\Shlink\Rest\Authentication;
+
+use Interop\Container\ContainerInterface;
+use Interop\Container\Exception\ContainerException;
+use Zend\ServiceManager\Exception\ServiceNotCreatedException;
+use Zend\ServiceManager\Exception\ServiceNotFoundException;
+use Zend\ServiceManager\Factory\FactoryInterface;
+
+class AuthenticationPluginManagerFactory implements FactoryInterface
+{
+    /**
+     * Create an object
+     *
+     * @param  ContainerInterface $container
+     * @param  string $requestedName
+     * @param  null|array $options
+     * @return object
+     * @throws ServiceNotFoundException if unable to resolve the service.
+     * @throws ServiceNotCreatedException if an exception is raised when
+     *     creating a service.
+     * @throws ContainerException if any other error occurs
+     */
+    public function __invoke(ContainerInterface $container, $requestedName, array $options = null)
+    {
+        $config = $container->get('config') ?? [];
+        return new AuthenticationPluginManager($container, $config['auth']['plugins'] ?? []);
+    }
+}

module/Rest/src/Authentication/AuthenticationPluginManagerInterface.php

@@ -0,0 +1,17 @@
+<?php
+declare(strict_types=1);
+
+namespace Shlinkio\Shlink\Rest\Authentication;
+
+use Psr\Container;
+use Psr\Http\Message\ServerRequestInterface;
+use Shlinkio\Shlink\Rest\Exception\NoAuthenticationException;
+
+interface AuthenticationPluginManagerInterface extends Container\ContainerInterface
+{
+    /**
+     * @throws Container\ContainerExceptionInterface
+     * @throws NoAuthenticationException
+     */
+    public function fromRequest(ServerRequestInterface $request): Plugin\AuthenticationPluginInterface;
+}

module/Rest/src/Authentication/JWTService.php

@@ -7,6 +7,7 @@ use Firebase\JWT\JWT;
 use Shlinkio\Shlink\Core\Options\AppOptions;
 use Shlinkio\Shlink\Rest\Entity\ApiKey;
 use Shlinkio\Shlink\Rest\Exception\AuthenticationException;
+use function time;
 
 class JWTService implements JWTServiceInterface
 {
@@ -32,7 +33,7 @@ class JWTService implements JWTServiceInterface
         $currentTimestamp = time();
 
         return $this->encode([
-            'iss' => $this->appOptions->__toString(),
+            'iss' => (string) $this->appOptions,
             'iat' => $currentTimestamp,
             'exp' => $currentTimestamp + $lifetime,
             'sub' => 'auth',

module/Rest/src/Authentication/Plugin/ApiKeyHeaderPlugin.php

@@ -0,0 +1,26 @@
+<?php
+declare(strict_types=1);
+
+namespace Shlinkio\Shlink\Rest\Authentication\Plugin;
+
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Shlinkio\Shlink\Rest\Exception\VerifyAuthenticationException;
+
+class ApiKeyHeaderPlugin implements AuthenticationPluginInterface
+{
+    public const HEADER_NAME = 'X-Api-Key';
+
+    /**
+     * @throws VerifyAuthenticationException
+     */
+    public function verify(ServerRequestInterface $request): void
+    {
+        // TODO: Implement check() method.
+    }
+
+    public function update(ServerRequestInterface $request, ResponseInterface $response): ResponseInterface
+    {
+        return $response;
+    }
+}

module/Rest/src/Authentication/Plugin/AuthenticationPluginInterface.php

@@ -0,0 +1,18 @@
+<?php
+declare(strict_types=1);
+
+namespace Shlinkio\Shlink\Rest\Authentication\Plugin;
+
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Shlinkio\Shlink\Rest\Exception\VerifyAuthenticationException;
+
+interface AuthenticationPluginInterface
+{
+    /**
+     * @throws VerifyAuthenticationException
+     */
+    public function verify(ServerRequestInterface $request): void;
+
+    public function update(ServerRequestInterface $request, ResponseInterface $response): ResponseInterface;
+}

module/Rest/src/Authentication/Plugin/AuthorizationHeaderPlugin.php

@@ -0,0 +1,95 @@
+<?php
+declare(strict_types=1);
+
+namespace Shlinkio\Shlink\Rest\Authentication\Plugin;
+
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Shlinkio\Shlink\Rest\Authentication\JWTServiceInterface;
+use Shlinkio\Shlink\Rest\Exception\VerifyAuthenticationException;
+use Shlinkio\Shlink\Rest\Util\RestUtils;
+use Throwable;
+use Zend\I18n\Translator\TranslatorInterface;
+use function count;
+use function explode;
+use function sprintf;
+use function strtolower;
+
+class AuthorizationHeaderPlugin implements AuthenticationPluginInterface
+{
+    public const HEADER_NAME = 'Authorization';
+
+    /**
+     * @var JWTServiceInterface
+     */
+    private $jwtService;
+    /**
+     * @var TranslatorInterface
+     */
+    private $translator;
+
+    public function __construct(JWTServiceInterface $jwtService, TranslatorInterface $translator)
+    {
+        $this->jwtService = $jwtService;
+        $this->translator = $translator;
+    }
+
+    /**
+     * @throws VerifyAuthenticationException
+     */
+    public function verify(ServerRequestInterface $request): void
+    {
+        // Get token making sure the an authorization type is provided
+        $authToken = $request->getHeaderLine(self::HEADER_NAME);
+        $authTokenParts = explode(' ', $authToken);
+        if (count($authTokenParts) === 1) {
+            throw VerifyAuthenticationException::withError(
+                RestUtils::INVALID_AUTHORIZATION_ERROR,
+                sprintf(
+                    $this->translator->translate('You need to provide the Bearer type in the %s header.'),
+                    self::HEADER_NAME
+                )
+            );
+        }
+
+        // Make sure the authorization type is Bearer
+        [$authType, $jwt] = $authTokenParts;
+        if (strtolower($authType) !== 'bearer') {
+            throw VerifyAuthenticationException::withError(
+                RestUtils::INVALID_AUTHORIZATION_ERROR,
+                sprintf($this->translator->translate(
+                    'Provided authorization type %s is not supported. Use Bearer instead.'
+                ), $authType)
+            );
+        }
+
+        try {
+            if (! $this->jwtService->verify($jwt)) {
+                throw $this->createInvalidTokenError();
+            }
+        } catch (Throwable $e) {
+            throw $this->createInvalidTokenError($e);
+        }
+    }
+
+    private function createInvalidTokenError(Throwable $prev = null): VerifyAuthenticationException
+    {
+        return VerifyAuthenticationException::withError(
+            RestUtils::INVALID_AUTH_TOKEN_ERROR,
+            sprintf($this->translator->translate(
+                'Missing or invalid auth token provided. Perform a new authentication request and send provided '
+                . 'token on every new request on the %s header'
+            ), self::HEADER_NAME),
+            $prev
+        );
+    }
+
+    public function update(ServerRequestInterface $request, ResponseInterface $response): ResponseInterface
+    {
+        $authToken = $request->getHeaderLine(self::HEADER_NAME);
+        [, $jwt] = explode(' ', $authToken);
+        $jwt = $this->jwtService->refresh($jwt);
+
+        return $response->withHeader(self::HEADER_NAME, sprintf('Bearer %s', $jwt));
+    }
+}

module/Rest/src/Exception/AuthenticationException.php

@@ -5,12 +5,7 @@ namespace Shlinkio\Shlink\Rest\Exception;
 
 class AuthenticationException extends RuntimeException
 {
-    public static function fromCredentials($username, $password)
-    {
-        return new self(sprintf('Invalid credentials. Username -> "%s". Password -> "%s"', $username, $password));
-    }
-
-    public static function expiredJWT(\Exception $prev = null)
+    public static function expiredJWT(\Exception $prev = null): self
     {
         return new self('The token has expired.', -1, $prev);
     }

module/Rest/src/Exception/NoAuthenticationException.php

@@ -0,0 +1,18 @@
+<?php
+declare(strict_types=1);
+
+namespace Shlinkio\Shlink\Rest\Exception;
+
+use function implode;
+use function sprintf;
+
+class NoAuthenticationException extends RuntimeException
+{
+    public static function fromExpectedTypes(array $expectedTypes): self
+    {
+        return new self(sprintf(
+            'None of the valid authentication mechanisms where provided. Expected one of ["%s"]',
+            implode('", "', $expectedTypes)
+        ));
+    }
+}

module/Rest/src/Exception/VerifyAuthenticationException.php

@@ -0,0 +1,52 @@
+<?php
+declare(strict_types=1);
+
+namespace Shlinkio\Shlink\Rest\Exception;
+
+use Throwable;
+use function sprintf;
+
+class VerifyAuthenticationException extends RuntimeException
+{
+    /**
+     * @var string
+     */
+    private $errorCode;
+    /**
+     * @var string
+     */
+    private $publicMessage;
+
+    public function __construct(
+        string $errorCode,
+        string $publicMessage,
+        string $message = '',
+        int $code = 0,
+        Throwable $previous = null
+    ) {
+        parent::__construct($message, $code, $previous);
+        $this->errorCode = $errorCode;
+        $this->publicMessage = $publicMessage;
+    }
+
+    public static function withError(string $errorCode, string $publicMessage, Throwable $prev = null): self
+    {
+        return new self(
+            $errorCode,
+            $publicMessage,
+            sprintf('Authentication verification failed with the public message "%s"', $publicMessage),
+            0,
+            $prev
+        );
+    }
+
+    public function getErrorCode(): string
+    {
+        return $this->errorCode;
+    }
+
+    public function getPublicMessage(): string
+    {
+        return $this->publicMessage;
+    }
+}

module/Rest/src/Middleware/AuthenticationMiddleware.php

@@ -5,19 +5,24 @@ namespace Shlinkio\Shlink\Rest\Middleware;
 
 use Fig\Http\Message\RequestMethodInterface;
 use Fig\Http\Message\StatusCodeInterface;
+use Psr\Container\ContainerExceptionInterface;
 use Psr\Http\Message\ResponseInterface as Response;
 use Psr\Http\Message\ServerRequestInterface as Request;
 use Psr\Http\Server\MiddlewareInterface;
 use Psr\Http\Server\RequestHandlerInterface;
 use Psr\Log\LoggerInterface;
 use Psr\Log\NullLogger;
-use Shlinkio\Shlink\Rest\Authentication\JWTServiceInterface;
-use Shlinkio\Shlink\Rest\Exception\AuthenticationException;
+use Shlinkio\Shlink\Rest\Authentication\AuthenticationPluginManager;
+use Shlinkio\Shlink\Rest\Authentication\AuthenticationPluginManagerInterface;
+use Shlinkio\Shlink\Rest\Exception\NoAuthenticationException;
+use Shlinkio\Shlink\Rest\Exception\VerifyAuthenticationException;
 use Shlinkio\Shlink\Rest\Util\RestUtils;
 use Zend\Diactoros\Response\JsonResponse;
 use Zend\Expressive\Router\RouteResult;
 use Zend\I18n\Translator\TranslatorInterface;
-use Zend\Stdlib\ErrorHandler;
+use function implode;
+use function in_array;
+use function sprintf;
 
 class AuthenticationMiddleware implements MiddlewareInterface, StatusCodeInterface, RequestMethodInterface
 {
@@ -28,10 +33,6 @@ class AuthenticationMiddleware implements MiddlewareInterface, StatusCodeInterfa
      * @var TranslatorInterface
      */
     private $translator;
-    /**
-     * @var JWTServiceInterface
-     */
-    private $jwtService;
     /**
      * @var LoggerInterface
      */
@@ -40,17 +41,21 @@ class AuthenticationMiddleware implements MiddlewareInterface, StatusCodeInterfa
      * @var array
      */
     private $routesWhitelist;
+    /**
+     * @var AuthenticationPluginManagerInterface
+     */
+    private $authPluginManager;
 
     public function __construct(
-        JWTServiceInterface $jwtService,
+        AuthenticationPluginManagerInterface $authPluginManager,
         TranslatorInterface $translator,
         array $routesWhitelist,
         LoggerInterface $logger = null
     ) {
         $this->translator = $translator;
-        $this->jwtService = $jwtService;
         $this->routesWhitelist = $routesWhitelist;
         $this->logger = $logger ?: new NullLogger();
+        $this->authPluginManager = $authPluginManager;
     }
 
     /**
@@ -62,7 +67,6 @@ class AuthenticationMiddleware implements MiddlewareInterface, StatusCodeInterfa
      *
      * @return Response
      * @throws \InvalidArgumentException
-     * @throws \ErrorException
      */
     public function process(Request $request, RequestHandlerInterface $handler): Response
     {
@@ -71,75 +75,37 @@ class AuthenticationMiddleware implements MiddlewareInterface, StatusCodeInterfa
         if ($routeResult === null
             || $routeResult->isFailure()
             || $request->getMethod() === self::METHOD_OPTIONS
-            || \in_array($routeResult->getMatchedRouteName(), $this->routesWhitelist, true)
+            || in_array($routeResult->getMatchedRouteName(), $this->routesWhitelist, true)
         ) {
             return $handler->handle($request);
         }
 
-        // Check that the auth header was provided, and that it belongs to a non-expired token
-        if (! $request->hasHeader(self::AUTHORIZATION_HEADER)) {
-            return $this->createTokenErrorResponse();
-        }
-
-        // Get token making sure the an authorization type is provided
-        $authToken = $request->getHeaderLine(self::AUTHORIZATION_HEADER);
-        $authTokenParts = \explode(' ', $authToken);
-        if (\count($authTokenParts) === 1) {
-            return new JsonResponse([
-                'error' => RestUtils::INVALID_AUTHORIZATION_ERROR,
-                'message' => \sprintf($this->translator->translate(
-                    'You need to provide the Bearer type in the %s header.'
-                ), self::AUTHORIZATION_HEADER),
-            ], self::STATUS_UNAUTHORIZED);
-        }
-
-        // Make sure the authorization type is Bearer
-        [$authType, $jwt] = $authTokenParts;
-        if (\strtolower($authType) !== 'bearer') {
-            return new JsonResponse([
-                'error' => RestUtils::INVALID_AUTHORIZATION_ERROR,
-                'message' => \sprintf($this->translator->translate(
-                    'Provided authorization type %s is not supported. Use Bearer instead.'
-                ), $authType),
-            ], self::STATUS_UNAUTHORIZED);
+        try {
+            $plugin = $this->authPluginManager->fromRequest($request);
+        } catch (ContainerExceptionInterface | NoAuthenticationException $e) {
+            $this->logger->warning('Invalid or no authentication provided.' . PHP_EOL . $e);
+            return $this->createErrorResponse(sprintf($this->translator->translate(
+                'Expected one of the following authentication headers, but none were provided, ["%s"]'
+            ), implode('", "', AuthenticationPluginManager::SUPPORTED_AUTH_HEADERS)));
         }
 
         try {
-            ErrorHandler::start();
-            if (! $this->jwtService->verify($jwt)) {
-                return $this->createTokenErrorResponse();
-            }
-            ErrorHandler::stop(true);
-
-            // Update the token expiration and continue to next middleware
-            $jwt = $this->jwtService->refresh($jwt);
+            $plugin->verify($request);
             $response = $handler->handle($request);
-
-            // Return the response with the updated token on it
-            return $response->withHeader(self::AUTHORIZATION_HEADER, 'Bearer ' . $jwt);
-        } catch (AuthenticationException $e) {
-            $this->logger->warning('Tried to access API with an invalid JWT.' . PHP_EOL . $e);
-            return $this->createTokenErrorResponse();
-        } finally {
-            ErrorHandler::clean();
+            return $plugin->update($request, $response);
+        } catch (VerifyAuthenticationException $e) {
+            $this->logger->warning('Authentication verification failed.' . PHP_EOL . $e);
+            return $this->createErrorResponse($e->getPublicMessage(), $e->getErrorCode());
         }
     }
 
-    /**
-     * @return JsonResponse
-     * @throws \InvalidArgumentException
-     */
-    private function createTokenErrorResponse(): JsonResponse
-    {
+    private function createErrorResponse(
+        string $message,
+        string $errorCode = RestUtils::INVALID_AUTHORIZATION_ERROR
+    ): JsonResponse {
         return new JsonResponse([
-            'error' => RestUtils::INVALID_AUTH_TOKEN_ERROR,
-            'message' => \sprintf(
-                $this->translator->translate(
-                    'Missing or invalid auth token provided. Perform a new authentication request and send provided '
-                    . 'token on every new request on the "%s" header'
-                ),
-                self::AUTHORIZATION_HEADER
-            ),
+            'error' => $errorCode,
+            'message' => $message,
         ], self::STATUS_UNAUTHORIZED);
     }
 }

module/Rest/src/Service/ApiKeyService.php

@@ -6,6 +6,7 @@ namespace Shlinkio\Shlink\Rest\Service;
 use Doctrine\ORM\EntityManagerInterface;
 use Shlinkio\Shlink\Common\Exception\InvalidArgumentException;
 use Shlinkio\Shlink\Rest\Entity\ApiKey;
+use function sprintf;
 
 class ApiKeyService implements ApiKeyServiceInterface
 {