Authorizator: Check API token only for endpoints where is token requi…

…red by PublicEndpoint attribute.
baraja-core · Jan 31, 2022 · 81a2a90 · 81a2a90
1 parent c85e9be
commit 81a2a90
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -54,6 +54,22 @@ tokenAuthorizator:
 
 This configuration accepts requests as: `/api/v1/user?token=abcd`.
 
+Token verification at the endpoint level
+----------------------------------------
+
+Token usage is verified at the endpoint level. By default, all endpoints have access enabled and are governed by the `PublicEndpoint` attribute defined by the baraja-core/structured-api package.
+
+If you want to require token authentication in your endpoint, set the attribute directly above the endpoint definition.
+
+For example:
+
+```php
+#[PublicEndpoint(requireToken: true)]
+class ArticleEndpoint extends BaseEndpoint
+{
+}
+```
+
 Custom authentication
 ---------------------
 

diff --git a/composer.json b/composer.json
@@ -10,7 +10,7 @@
 	],
 	"require": {
 		"php": "^8.0",
-		"baraja-core/structured-api": "^3.0"
+		"baraja-core/structured-api": "^3.0 >=3.3.2"
 	},
 	"require-dev": {
 		"phpstan/phpstan": "^1.0",

diff --git a/src/TokenAuthorizator.php b/src/TokenAuthorizator.php
@@ -5,6 +5,7 @@
 namespace Baraja\TokenAuthorizator;
 
 
+use Baraja\StructuredApi\Attributes\PublicEndpoint;
 use Baraja\StructuredApi\Endpoint;
 use Baraja\StructuredApi\Middleware\MatchExtension;
 use Baraja\StructuredApi\Response;
@@ -44,19 +45,26 @@ public function beforeProcess(Endpoint $endpoint, array $params, string $action,
 		if (is_string($token) === false) {
 			throw new \InvalidArgumentException(sprintf('Parameter "token" must be string, but type "%s" given.', get_debug_type($token)));
 		}
+		$requireToken = false;
 		try {
-			$docComment = trim((string) (new \ReflectionClass($endpoint))->getDocComment());
+			$ref = new \ReflectionClass($endpoint);
+			$docComment = trim((string) $ref->getDocComment());
 			if (preg_match('/@public(?:$|\s|\n)/', $docComment) === 1) {
 				return null;
 			}
+			foreach ($ref->getAttributes(PublicEndpoint::class) as $publicEndpointAttribute) {
+				if (($publicEndpointAttribute->getArguments()['requireToken'] ?? false) === true) {
+					$requireToken = true;
+				}
+			}
 		} catch (\ReflectionException $e) {
 			throw new \InvalidArgumentException(
 				sprintf('Endpoint "%s" can not be reflected: %s', $endpoint::class, $e->getMessage()),
 				500,
 				$e,
 			);
 		}
-		if ($this->strategy->verify($token)) {
+		if ($requireToken === false || $this->strategy->verify($token)) {
 			return null;
 		}
 		throw new \InvalidArgumentException('Token is invalid or expired, please contact your administrator.');