reorganized api, added token validation
Regrouped API calls for better organization and to add a bit more security. It now checks that the incoming token matches the current session before authorizing requests.
parent
ac543f3856
commit
4113418c83
4 changed files with 56 additions and 21 deletions
@ -70,5 +70,6 @@ class Kernel extends HttpKernel
'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
'verified' => \Illuminate\Auth\Middleware\EnsureEmailIsVerified::class,
'verified' => \Illuminate\Auth\Middleware\EnsureEmailIsVerified::class,
'member.check' => \App\Http\Middleware\MemberCheck::class,
'member.check' => \App\Http\Middleware\MemberCheck::class,
'validate.token' => \App\Http\Middleware\ValidateAPIToken::class,
];
];
}
}
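--- /dev/null
+++ b/app/Http/Middleware/ValidateAPIToken.php
@@ -0,0 +1,29 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpFoundation\Response;
+
+class ValidateAPIToken
+{
+    /**
+     * Handle an incoming request.
+     *
+     * @param \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response) $next
+     */
+    public function handle(Request $request, Closure $next): Response
+    {
+        $token = $request->header('fipamo-access-token');
+        if ($token == session('token')) {
+            return $next($request);
+        } else {
+            $response = [
+                'message' => "API Auth Fail",
+                'type' => 'postError',
+            ];
+            return response()->json($response)->header('Content-Type', 'application/json');
+        }
+    }
+}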
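Review bot: The check `if ($token == session('token'))` in handle() authorizes a request whenever both sides are null: a request that omits the fipamo-access-token header, against a session that has no token stored, compares null == null and is handed to `$next`, and loose `==` between two strings also applies PHP's numeric-string rules. Whether session('token') can be unset at that point depends on where it is written, which is outside this commit, but the middleware should not depend on it. Compare only when both values are non-empty strings, using hash_equals() so the comparison is constant-time, and reject with a 401 status instead of a 200 JSON body so API clients and other middleware can tell a rejected request from a successful one. The explicit `->header('Content-Type', 'application/json')` is redundant with `response()->json()`, which already sets it.
```php
    public function handle(Request $request, Closure $next): Response
    {
        $token = $request->header('fipamo-access-token');
        $expected = session('token');

        // Both values must be non-empty strings: a missing header or an
        // unset session token must never compare equal.
        if (is_string($token) && is_string($expected) && $expected !== '' && hash_equals($expected, $token)) {
            return $next($request);
        }

        return response()->json([
            'message' => "API Auth Fail",
            'type' => 'postError',
        ], Response::HTTP_UNAUTHORIZED);
    }
```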
@ -155,10 +155,7 @@ export default class PostEditor {
) {
) {
notify.alert(r.message, false);
notify.alert(r.message, false);
} else {
} else {
if (
if (r.type === DataEvent.PAGE_UPDATED) {
r.type === DataEvent.PAGE_UPDATED ||
r.type === DataEvent.API_TESTING
) {
notify.alert(r.message, true);
notify.alert(r.message, true);
} else {
} else {
notify.alert(r.message, true);
notify.alert(r.message, true);
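Review bot: After the condition is narrowed to `if (r.type === DataEvent.PAGE_UPDATED) {`, both branches of that if/else call `notify.alert(r.message, true);` with identical arguments, so the conditional no longer decides anything. Either collapse it to the single call `notify.alert(r.message, true);`, or, if the PAGE_UPDATED case is meant to behave differently from the other success types, restore the distinction so the branch carries meaning. The enclosing method of PostEditor starts and ends outside the hunk.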
@ -21,24 +21,32 @@ use App\Http\Controllers\API\MailAPIController;
//check if session is active
//check if session is active
Route::get("/v1/status", [AuthAPIController::class, 'status']);
Route::get("/v1/status", [AuthAPIController::class, 'status']);
//handle page editing actions
//handle page editing actions
Route::put("/v1/page/write", [PageAPIController::class, 'write']);
Route::group(['prefix' => '/v1/page', 'middleware' => 'validate.token'], function () {
Route::post("/v1/page/create", [PageAPIController::class, 'create']);
Route::put("/write", [PageAPIController::class, 'write']);
Route::delete("/v1/page/delete", [PageAPIController::class, 'delete']);
Route::post("/create", [PageAPIController::class, 'create']);
Route::delete("/delete", [PageAPIController::class, 'delete']);
});
//handle file uploads
Route::post("/v1/files", [FileUploadAPIController::class, 'upload']);
//settings
//settings
Route::put("/v1/settings/publish", [SettingsAPIController::class, 'publish']);
Route::group(['prefix' => '/v1/settings', 'middleware' => 'validate.token'], function () {
Route::put("/v1/settings/sync", [SettingsAPIController::class, 'sync']);
Route::put("/publish", [SettingsAPIController::class, 'publish']);
Route::put("/v1/settings/nav-sync", [SettingsAPIController::class, 'navSync']);
Route::put("/sync", [SettingsAPIController::class, 'sync']);
Route::put("/v1/backup/create", [SettingsAPIController::class, 'createBackup']);
Route::put("/nav-sync", [SettingsAPIController::class, 'navSync']);
Route::get("/v1/backup/content-download", [SettingsAPIController::class, 'downloadBackup']);
});
Route::get("/v1/backup/files-download", [SettingsAPIController::class, 'downloadBackup']);
//backups
//init
Route::group(['prefix' => '/v1/backup', 'middleware' => 'validate.token'], function () {
Route::post("/v1/init", [InitAPIController::class, 'setupFresh']);
Route::put("/create", [SettingsAPIController::class, 'createBackup']);
Route::post("/v1/restore", [InitAPIController::class, 'setupRestore']);
Route::get("/content-download", [SettingsAPIController::class, 'downloadBackup']);
Route::post("/v1/reset", [InitAPIController::class, 'setupReset']);
Route::get("/files-download", [SettingsAPIController::class, 'downloadBackup']);
});
//mail
//other
Route::post("/v1/mailer", [MailAPIController::class, 'sendNotify']);
Route::group(['prefix' => '/v1', 'middleware' => 'validate.token'], function () {
Route::post("/files", [FileUploadAPIController::class, 'upload']);
Route::post("/init", [InitAPIController::class, 'setupFresh']);
Route::post("/restore", [InitAPIController::class, 'setupRestore']);
Route::post("/reset", [InitAPIController::class, 'setupReset']);
Route::post("/mailer", [MailAPIController::class, 'sendNotify']);
});
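Review bot: The `validate.token` groups added here (starting with `Route::group(['prefix' => '/v1/page', 'middleware' => 'validate.token'], function () {`) only enforce anything if the request carries a session, because the ValidateAPIToken middleware added in this commit compares the header against `session('token')`; if this file is routes/api.php served under Laravel's default `api` middleware group, which does not start a session, session('token') would be null on every request and a request without the header would compare null == null and pass — worth confirming against the Kernel's route middleware groups, which this commit does not touch. `/v1/status` is deliberately left outside the groups, it seems; a comment such as `// unauthenticated: reports whether a session is active` above it would record that. As a point of style, all four groups set the same middleware, so a single `Route::middleware('validate.token')->prefix('/v1')->group(function () { ... })` with nested `Route::prefix('page')->group(...)` calls for page, settings and backup would state the protection once instead of per group.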