Created system of authentication plugins

2026-03-06 23:33:13 +08:00 · 2018-09-28 22:08:01 +02:00
parent e88468d867
commit 8e61639598
18 changed files with 675 additions and 242 deletions
--- a/module/Rest/src/Middleware/AuthenticationMiddleware.php
+++ b/module/Rest/src/Middleware/AuthenticationMiddleware.php
@@ -5,19 +5,24 @@ namespace Shlinkio\Shlink\Rest\Middleware;

 use Fig\Http\Message\RequestMethodInterface;
 use Fig\Http\Message\StatusCodeInterface;
+use Psr\Container\ContainerExceptionInterface;
 use Psr\Http\Message\ResponseInterface as Response;
 use Psr\Http\Message\ServerRequestInterface as Request;
 use Psr\Http\Server\MiddlewareInterface;
 use Psr\Http\Server\RequestHandlerInterface;
 use Psr\Log\LoggerInterface;
 use Psr\Log\NullLogger;
-use Shlinkio\Shlink\Rest\Authentication\JWTServiceInterface;
-use Shlinkio\Shlink\Rest\Exception\AuthenticationException;
+use Shlinkio\Shlink\Rest\Authentication\AuthenticationPluginManager;
+use Shlinkio\Shlink\Rest\Authentication\AuthenticationPluginManagerInterface;
+use Shlinkio\Shlink\Rest\Exception\NoAuthenticationException;
+use Shlinkio\Shlink\Rest\Exception\VerifyAuthenticationException;
 use Shlinkio\Shlink\Rest\Util\RestUtils;
 use Zend\Diactoros\Response\JsonResponse;
 use Zend\Expressive\Router\RouteResult;
 use Zend\I18n\Translator\TranslatorInterface;
-use Zend\Stdlib\ErrorHandler;
+use function implode;
+use function in_array;
+use function sprintf;

 class AuthenticationMiddleware implements MiddlewareInterface, StatusCodeInterface, RequestMethodInterface
 {
@@ -28,10 +33,6 @@ class AuthenticationMiddleware implements MiddlewareInterface, StatusCodeInterfa
     * @var TranslatorInterface
     */
    private $translator;
-    /**
-     * @var JWTServiceInterface
-     */
-    private $jwtService;
    /**
     * @var LoggerInterface
     */
@@ -40,17 +41,21 @@ class AuthenticationMiddleware implements MiddlewareInterface, StatusCodeInterfa
     * @var array
     */
    private $routesWhitelist;
+    /**
+     * @var AuthenticationPluginManagerInterface
+     */
+    private $authPluginManager;

    public function __construct(
-        JWTServiceInterface $jwtService,
+        AuthenticationPluginManagerInterface $authPluginManager,
        TranslatorInterface $translator,
        array $routesWhitelist,
        LoggerInterface $logger = null
    ) {
        $this->translator = $translator;
-        $this->jwtService = $jwtService;
        $this->routesWhitelist = $routesWhitelist;
        $this->logger = $logger ?: new NullLogger();
+        $this->authPluginManager = $authPluginManager;
    }

    /**
@@ -62,7 +67,6 @@ class AuthenticationMiddleware implements MiddlewareInterface, StatusCodeInterfa
     *
     * @return Response
     * @throws \InvalidArgumentException
-     * @throws \ErrorException
     */
    public function process(Request $request, RequestHandlerInterface $handler): Response
    {
@@ -71,75 +75,37 @@ class AuthenticationMiddleware implements MiddlewareInterface, StatusCodeInterfa
        if ($routeResult === null
            || $routeResult->isFailure()
            || $request->getMethod() === self::METHOD_OPTIONS
-            || \in_array($routeResult->getMatchedRouteName(), $this->routesWhitelist, true)
+            || in_array($routeResult->getMatchedRouteName(), $this->routesWhitelist, true)
        ) {
            return $handler->handle($request);
        }

-        // Check that the auth header was provided, and that it belongs to a non-expired token
-        if (! $request->hasHeader(self::AUTHORIZATION_HEADER)) {
-            return $this->createTokenErrorResponse();
-        }
-
-        // Get token making sure the an authorization type is provided
-        $authToken = $request->getHeaderLine(self::AUTHORIZATION_HEADER);
-        $authTokenParts = \explode(' ', $authToken);
-        if (\count($authTokenParts) === 1) {
-            return new JsonResponse([
-                'error' => RestUtils::INVALID_AUTHORIZATION_ERROR,
-                'message' => \sprintf($this->translator->translate(
-                    'You need to provide the Bearer type in the %s header.'
-                ), self::AUTHORIZATION_HEADER),
-            ], self::STATUS_UNAUTHORIZED);
-        }
-
-        // Make sure the authorization type is Bearer
-        [$authType, $jwt] = $authTokenParts;
-        if (\strtolower($authType) !== 'bearer') {
-            return new JsonResponse([
-                'error' => RestUtils::INVALID_AUTHORIZATION_ERROR,
-                'message' => \sprintf($this->translator->translate(
-                    'Provided authorization type %s is not supported. Use Bearer instead.'
-                ), $authType),
-            ], self::STATUS_UNAUTHORIZED);
+        try {
+            $plugin = $this->authPluginManager->fromRequest($request);
+        } catch (ContainerExceptionInterface | NoAuthenticationException $e) {
+            $this->logger->warning('Invalid or no authentication provided.' . PHP_EOL . $e);
+            return $this->createErrorResponse(sprintf($this->translator->translate(
+                'Expected one of the following authentication headers, but none were provided, ["%s"]'
+            ), implode('", "', AuthenticationPluginManager::SUPPORTED_AUTH_HEADERS)));
        }

        try {
-            ErrorHandler::start();
-            if (! $this->jwtService->verify($jwt)) {
-                return $this->createTokenErrorResponse();
-            }
-            ErrorHandler::stop(true);
-
-            // Update the token expiration and continue to next middleware
-            $jwt = $this->jwtService->refresh($jwt);
+            $plugin->verify($request);
            $response = $handler->handle($request);
-
-            // Return the response with the updated token on it
-            return $response->withHeader(self::AUTHORIZATION_HEADER, 'Bearer ' . $jwt);
-        } catch (AuthenticationException $e) {
-            $this->logger->warning('Tried to access API with an invalid JWT.' . PHP_EOL . $e);
-            return $this->createTokenErrorResponse();
-        } finally {
-            ErrorHandler::clean();
+            return $plugin->update($request, $response);
+        } catch (VerifyAuthenticationException $e) {
+            $this->logger->warning('Authentication verification failed.' . PHP_EOL . $e);
+            return $this->createErrorResponse($e->getPublicMessage(), $e->getErrorCode());
        }
    }

-    /**
-     * @return JsonResponse
-     * @throws \InvalidArgumentException
-     */
-    private function createTokenErrorResponse(): JsonResponse
-    {
+    private function createErrorResponse(
+        string $message,
+        string $errorCode = RestUtils::INVALID_AUTHORIZATION_ERROR
+    ): JsonResponse {
        return new JsonResponse([
-            'error' => RestUtils::INVALID_AUTH_TOKEN_ERROR,
-            'message' => \sprintf(
-                $this->translator->translate(
-                    'Missing or invalid auth token provided. Perform a new authentication request and send provided '
-                    . 'token on every new request on the "%s" header'
-                ),
-                self::AUTHORIZATION_HEADER
-            ),
+            'error' => $errorCode,
+            'message' => $message,
        ], self::STATUS_UNAUTHORIZED);
    }
 }