/**
  * {@inheritdoc}
  */
 public function authenticate(RequestInterface $request)
 {
     // Resolves the account behind the current Drupal session and, for write
     // requests on RESTful paths, enforces the CSRF token check.
     //
     // Returns NULL when there is no started session and isCli() does not
     // accept the request; otherwise the account loaded for the global $user.
     // Throws BadRequestException when a required CSRF token is missing and
     // ForbiddenException when it does not validate.
     $has_session_context = drupal_session_started() || $this->isCli($request);
     if (!$has_session_context) {
         return NULL;
     }

     // NOTE(review): the uid is taken from the session-backed global as is and
     // is not checked for being non-zero here; confirm how callers are meant to
     // treat an anonymous session.
     global $user;
     $account = user_load($user->uid);

     // The CSRF token is only demanded when all three conditions hold: the HTTP
     // method is a write method, the request is not flagged as an internal
     // 'rest_call', and the path is a RESTful path. The checks short-circuit
     // in this order.
     // NOTE(review): a truthy 'rest_call' application-data value skips the CSRF
     // check entirely; confirm it can only be set by in-process callers and
     // never from client-controlled request input.
     $csrf_required = $request::isWriteMethod($request->getMethod())
         && !$request->getApplicationData('rest_call')
         && RestfulManager::isRestfulPath($request);
     if (!$csrf_required) {
         return $account;
     }

     // A missing token is a malformed request (400), a wrong one is a rejected
     // request (403); the two cases are kept distinct on purpose.
     if (!$request->getCsrfToken()) {
         throw new BadRequestException('No CSRF token passed in the HTTP header.');
     }
     $token_is_valid = drupal_valid_token($request->getCsrfToken(), Authentication::TOKEN_VALUE);
     if (!$token_is_valid) {
         throw new ForbiddenException('CSRF token validation failed.');
     }

     // Token accepted: the session account is the authenticated account.
     return $account;
 }
 /**
  * {@inheritdoc}
  */
 public function getAccount(RequestInterface $request, $cache = TRUE)
 {
     // Resolves the account for the request by asking each authentication
     // plugin in turn, falling back to the anonymous user (or the session user
     // for non-router calls) when none of them authenticates.
     //
     // $cache only controls whether the account resolved by THIS call is stored
     // on the manager; an account stored earlier is returned regardless of it.
     // Throws UnauthorizedException when no plugin authenticates a RESTful path
     // that has plugins configured and for which authentication is not optional.
     global $user;

     // Short-circuit on an account stored by a previous call.
     if (!empty($this->account)) {
         return $this->account;
     }

     // Ask the plugins in iteration order; the first one that applies and
     // returns a truthy account wins.
     $account = NULL;
     foreach ($this->plugins as $provider) {
         /* @var \Drupal\restful\Plugin\authentication\AuthenticationInterface $provider */
         if (!$provider->applies($request)) {
             continue;
         }
         $account = $provider->authenticate($request);
         if ($account) {
             break;
         }
     }

     if (!$account) {
         $authentication_required = RestfulManager::isRestfulPath($request)
             && $this->plugins->count()
             && !$this->getIsOptional();
         if ($authentication_required) {
             // Set the page cacheability from the 'restful_page_cache' setting
             // before failing, so the anonymous response may be cached.
             drupal_page_is_cacheable(variable_get('restful_page_cache', FALSE));
             // No provider accepted the credentials: refuse the request.
             throw new UnauthorizedException('Bad credentials. Anonymous user resolved for a resource that requires authentication.');
         }

         // Nothing authenticated and authentication is not mandatory: start
         // from the anonymous user.
         $account = drupal_anonymous_user();
         // For calls made through the API from within Drupal (not via the
         // router), fall back to the session's logged in user, if there is one.
         if (!$request->isViaRouter() && $user->uid) {
             $account = user_load($user->uid);
         }
     }

     if ($cache) {
         $this->setAccount($account);
     }

     // Security: never let a response built for an authenticated user reach the
     // page cache served to anonymous users. The page cache system only looks
     // at session cookies, not at HTTP Basic Auth headers, so it has to be
     // switched off explicitly whenever the resolved account has a uid.
     $is_anonymous = !$account->uid;
     drupal_page_is_cacheable($is_anonymous && variable_get('restful_page_cache', FALSE));

     // Record the access time of this request.
     $this->setAccessTime($account);

     return $account;
 }