/**
 * Authenticate an incoming request.
 *
 * Reads "access-token" and "client-id" from the request input, strips both
 * from the request so they do not reach downstream handlers, looks up the
 * AppKey for the client id, verifies the token signature, resolves the key's
 * owner and installs it as the request's user resolver before delegating to
 * the parent middleware.
 *
 * Failure responses are ErrorPacket instances:
 *  - 400 when either argument is missing or the signature does not verify
 *  - 403 when the AppKey lookup or credential check throws (any \Exception)
 *  - 401 when the key's owner cannot be located
 *
 * NOTE(review): the catch around the AppKey lookup is a bare \Exception, so
 * anything that throws there (including infrastructure errors) is reported
 * as "forbidden: invalid client-id".
 *
 * @param \Illuminate\Http\Request $request
 * @param \Closure $next
 *
 * @return mixed
 */
public function handle(Request $request, Closure $next)
{
    $token = $request->input('access-token');
    $clientId = $request->input('client-id');

    // Strip the auth arguments before anything else sees the request
    foreach (['client-id', 'access-token'] as $argument) {
        $request->offsetUnset($argument);
    }

    // Both values are mandatory
    if (empty($token) || empty($clientId)) {
        $this->error('bad request: no token or client-id present');

        return ErrorPacket::create(Response::HTTP_BAD_REQUEST);
    }

    try {
        $appKey = AppKey::byClientId($clientId)->firstOrFail();
        $this->setSigningCredentials($clientId, $appKey->client_secret);
    } catch (\Exception $_e) {
        $this->error('forbidden: invalid "client-id" [' . $clientId . ']');

        return ErrorPacket::create(Response::HTTP_FORBIDDEN, 'Invalid "client-id"');
    }

    // verifySignature() is defined elsewhere in this class; its contract is not visible here
    if (!$this->verifySignature($token, $clientId, $appKey->client_secret)) {
        $this->error('bad request: signature verification fail');

        return ErrorPacket::create(Response::HTTP_BAD_REQUEST);
    }

    try {
        $owner = $this->_locateOwner($appKey->owner_id, $appKey->owner_type_nbr);
    } catch (ModelNotFoundException $_e) {
        $this->error('unauthorized: invalid "user" assigned to akt#' . $appKey->id);

        return ErrorPacket::create(Response::HTTP_UNAUTHORIZED);
    }

    // Expose the key's owner as the authenticated user for the rest of the pipeline
    $request->setUserResolver(function () use ($owner) {
        return $owner;
    });

    return parent::handle($request, $next);
}
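/**
 * Validates a client key pair and generates a signature for verification.
 *
 * The supplied secret is compared to the stored one with hash_equals(), which
 * is both strict (no loose "!=" type coercion, e.g. numeric-string equality)
 * and constant-time, so the comparison neither misfires on coerced values nor
 * leaks timing about how much of the secret matched.
 *
 * @param string $clientId
 * @param string $clientSecret
 *
 * @return $this
 *
 * @throws \InvalidArgumentException when the client id is unknown or the secret does not match
 */
protected function setSigningCredentials($clientId, $clientSecret)
{
    $_key = AppKey::byClientId($clientId)->first();

    // Cast both sides: hash_equals() requires strings and the stored value may be null
    if (empty($_key) || !hash_equals((string)$_key->client_secret, (string)$clientSecret)) {
        throw new \InvalidArgumentException('Invalid credentials.');
    }

    // Looks good
    $this->vsClientId = $_key->client_id;
    $this->vsClientSecret = $_key->client_secret;
    $this->vsSignature = $this->generateSignature();

    return $this;
}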