Fix API authentication

PrestaShop · Feb 15, 2024 · d21b32e · d21b32e
1 parent b718044
commit d21b32e
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 15 deletions.
diff --git a/src/Core/Security/OAuth2/TokenAuthenticator.php b/src/Core/Security/OAuth2/TokenAuthenticator.php
@@ -59,14 +59,6 @@ public function start(Request $request, AuthenticationException $authException =
 
     public function supports(Request $request): bool
     {
-        $authorization = $request->headers->get('Authorization') ?? null;
-        if (null === $authorization) {
-            return false;
-        }
-        if (!str_starts_with(strtolower($authorization), 'bearer ')) {
-            return false;
-        }
-
         // Every request to the API should be handled by this Authenticator
         return true;
     }
@@ -79,6 +71,7 @@ public function onAuthenticationFailure(Request $request, AuthenticationExceptio
     public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response
     {
         // No response returned here, the request should keep running
+        // A filter is already present for requests linked to the API in security.yml
         return null;
     }
 
@@ -89,6 +82,14 @@ private function returnWWWAuthenticateResponse(): Response
 
     public function authenticate(Request $request): Passport
     {
+        $authorization = $request->headers->get('Authorization') ?? null;
+        if (null === $authorization) {
+            throw new CustomUserMessageAuthenticationException('No Authorization header provided');
+        }
+        if (!str_starts_with($authorization, 'Bearer ')) {
+            throw new CustomUserMessageAuthenticationException('Bearer token missing');
+        }
+
         $authorization = $request->headers->get('Authorization');
         if (null === $authorization) {
             throw new CustomUserMessageAuthenticationException('No API token provided');

diff --git a/tests/Unit/Core/Security/TokenAuthenticatorTest.php b/tests/Unit/Core/Security/TokenAuthenticatorTest.php
@@ -77,12 +77,6 @@ public function testOnAuthenticationFailure(): void
 
     public function testSupports(): void
     {
-        $this->assertFalse($this->tokenAuthenticator->supports($this->request));
-
-        $this->request->headers->add(['Authorization' => 'toto']);
-        $this->assertFalse($this->tokenAuthenticator->supports($this->request));
-
-        $this->request->headers->add(['Authorization' => 'bearer ' . $this->buildTestToken()]);
         $this->assertTrue($this->tokenAuthenticator->supports($this->request));
     }
 
@@ -107,11 +101,20 @@ private function buildTestToken(): string
 
     public function testAuthenticate(): void
     {
+        $this->expectException(CustomUserMessageAuthenticationException::class);
+        $this->expectExceptionMessage('No Authorization header provided');
+        $this->tokenAuthenticator->authenticate($this->request);
+
+        $this->expectException(CustomUserMessageAuthenticationException::class);
+        $this->expectExceptionMessage('Bearer token missing');
+        $this->request->headers->add(['Authorization' => 'toto']);
+        $this->tokenAuthenticator->authenticate($this->request);
+
         $this->expectException(CustomUserMessageAuthenticationException::class);
         $this->expectExceptionMessage('No API token provided');
         $this->tokenAuthenticator->authenticate($this->request);
 
-        $this->request->headers->add(['Authorization' => 'bearer ' . $this->buildTestToken()]);
+        $this->request->headers->add(['Authorization' => 'Bearer ' . $this->buildTestToken()]);
         $this->expectException(CustomUserMessageAuthenticationException::class);
         $this->expectExceptionMessage('Invalid credentials');
         $this->tokenAuthenticator->authenticate($this->request);