Add API key support

Author: mevdschee

README.md

@@ -132,7 +132,7 @@ The following features are supported:
   - Binary fields supported with base64 encoding
   - Spatial/GIS fields and filters supported with WKT and GeoJSON
   - Generate API documentation using OpenAPI tools
-  - Authentication via JWT token or username/password
+  - Authentication via API key, JWT token or username/password
   - Database connection parameters may depend on authentication
   - Support for reading database structure in JSON
   - Support for modifying database structure using REST endpoint
@@ -627,6 +627,8 @@ You can enable the following middleware using the "middlewares" config parameter
 - "cors": Support for CORS requests (enabled by default)
 - "xsrf": Block XSRF attacks using the 'Double Submit Cookie' method
 - "ajaxOnly": Restrict non-AJAX requests to prevent XSRF attacks
+- "apiKeyAuth": Support for "API Key Authentication"
+- "apiKeyDbAuth": Support for "API Key Database Authentication"
 - "dbAuth": Support for "Database Authentication"
 - "jwtAuth": Support for "JWT Authentication"
 - "basicAuth": Support for "Basic Authentication"
@@ -659,6 +661,13 @@ You can tune the middleware behavior using middleware specific configuration par
 - "ajaxOnly.excludeMethods": The methods that do not require AJAX ("OPTIONS,GET")
 - "ajaxOnly.headerName": The name of the required header ("X-Requested-With")
 - "ajaxOnly.headerValue": The value of the required header ("XMLHttpRequest")
+- "apiKeyAuth.mode": Set to "optional" if you want to allow anonymous access ("required")
+- "apiKeyAuth.header": The name of the API key header ("X-API-Key")
+- "apiKeyAuth.keys": List of API keys that are valid ("")
+- "apiKeyDbAuth.mode": Set to "optional" if you want to allow anonymous access ("required")
+- "apiKeyDbAuth.header": The name of the API key header ("X-API-Key")
+- "apiKeyDbAuth.usersTable": The table that is used to store the users in ("users")
+- "apiKeyDbAuth.apiKeyColumn": The users table column that holds the API key ("api_key")
 - "dbAuth.mode": Set to "optional" if you want to allow anonymous access ("required")
 - "dbAuth.usersTable": The table that is used to store the users in ("users")
 - "dbAuth.usernameColumn": The users table column that holds usernames ("username")
@@ -718,18 +727,43 @@ In the sections below you find more information on the built-in middleware.
 
 ### Authentication
 
-Currently there are three types of authentication supported. They all store the authenticated user in the `$_SESSION` super global.
+Currently there are five types of authentication supported. They all store the authenticated user in the `$_SESSION` super global.
 This variable can be used in the authorization handlers to decide wether or not sombeody should have read or write access to certain tables, columns or records.
 The following overview shows the kinds of authentication middleware that you can enable.
 
-| Name     | Middleware | Authenticated via      | Users are stored in | Session variable        |
-| -------- | ---------- | ---------------------- | ------------------- | ----------------------- |
-| Database | dbAuth     | '/login' endpoint      | database table      | `$_SESSION['user']`     |
-| Basic    | basicAuth  | 'Authorization' header | '.htpasswd' file    | `$_SESSION['username']` |
-| JWT      | jwtAuth    | 'Authorization' header | identity provider   | `$_SESSION['claims']`   |
+| Name       | Middleware   | Authenticated via      | Users are stored in | Session variable        |
+| ---------- | ------------ | ---------------------- | ------------------- | ----------------------- |
+| API key    | apiKeyAuth   | 'X-API-Key' header     | configuration       | `$_SESSION['apiKey']`   |
+| API key DB | apiKeyDbAuth | 'X-API-Key' header     | database table      | `$_SESSION['apiUser']`  |
+| Database   | dbAuth       | '/login' endpoint      | database table      | `$_SESSION['user']`     |
+| Basic      | basicAuth    | 'Authorization' header | '.htpasswd' file    | `$_SESSION['username']` |
+| JWT        | jwtAuth      | 'Authorization' header | identity provider   | `$_SESSION['claims']`   |
 
 Below you find more information on each of the authentication types.
 
+#### API key authentication
+
+API key authentication works by sending an API key in a request header.
+The header name defaults to "X-API-Key" and can be configured using the 'apiKeyAuth.header' configuration parameter.
+Valid API keys must be configured using the 'apiKeyAuth.keys' configuration parameter (comma seperated list).
+
+    X-API-Key: 02c042aa-c3c2-4d11-9dae-1a6e230ea95e
+
+The authenticated API key will be stored in the `$_SESSION['apiKey']` variable.
+
+Note that the API key authentication does not require or use sessions (cookies).
+
+#### API key database authentication
+
+API key database authentication works by sending an API key in a request header "X-API-Key" (the name is configurable).
+Valid API keys are read from the database from the column "api_key" of the "users" table (both names are configurable).
+
+    X-API-Key: 02c042aa-c3c2-4d11-9dae-1a6e230ea95e
+
+The authenticated user will be stored in the `$_SESSION['apiUser']` variable.
+
+Note that the API key database authentication does not require or use sessions (cookies).
+
 #### Database authentication
 
 The database authentication middleware defines three new routes:
@@ -746,7 +780,7 @@ A user can be logged in by sending it's username and password to the login endpo
 The authenticated user (with all it's properties) will be stored in the `$_SESSION['user']` variable.
 The user can be logged out by sending a POST request with an empty body to the logout endpoint.
 The passwords are stored as hashes in the password column in the users table. You can register a new user
-using the register endpoint, but this functionality must be turned on using the "dbAuth.regsiterUser"
+using the register endpoint, but this functionality must be turned on using the "dbAuth.registerUser"
 configuration parameter.
 
 It is IMPORTANT to restrict access to the users table using the 'authorization' middleware, otherwise all 
@@ -762,7 +796,7 @@ Note that this middleware uses session cookies and stores the logged in state on
 #### Basic authentication
 
 The Basic type supports a file (by default '.htpasswd') that holds the users and their (hashed) passwords separated by a colon (':'). 
-When the passwords are entered in plain text they fill be automatically hashed.
+When the passwords are entered in plain text they will be automatically hashed.
 The authenticated username will be stored in the `$_SESSION['username']` variable.
 You need to send an "Authorization" header containing a base64 url encoded version of your colon separated username and password, after the word "Basic".
 

src/Tqdev/PhpCrudApi/Api.php

@@ -17,6 +17,8 @@
 use Tqdev\PhpCrudApi\Controller\StatusController;
 use Tqdev\PhpCrudApi\Database\GenericDB;
 use Tqdev\PhpCrudApi\GeoJson\GeoJsonService;
+use Tqdev\PhpCrudApi\Middleware\ApiKeyAuthMiddleware;
+use Tqdev\PhpCrudApi\Middleware\ApiKeyDbAuthMiddleware;
 use Tqdev\PhpCrudApi\Middleware\AuthorizationMiddleware;
 use Tqdev\PhpCrudApi\Middleware\BasicAuthMiddleware;
 use Tqdev\PhpCrudApi\Middleware\CorsMiddleware;
@@ -74,6 +76,12 @@ public function __construct(Config $config)
                 case 'firewall':
                     new FirewallMiddleware($router, $responder, $properties);
                     break;
+                case 'apiKeyAuth':
+                    new ApiKeyAuthMiddleware($router, $responder, $properties);
+                    break;
+                case 'apiKeyDbAuth':
+                    new ApiKeyDbAuthMiddleware($router, $responder, $properties, $reflection, $db);
+                    break;
                 case 'basicAuth':
                     new BasicAuthMiddleware($router, $responder, $properties);
                     break;

src/Tqdev/PhpCrudApi/Middleware/ApiKeyAuthMiddleware.php

@@ -0,0 +1,33 @@
+<?php
+
+namespace Tqdev\PhpCrudApi\Middleware;
+
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Psr\Http\Server\RequestHandlerInterface;
+use Tqdev\PhpCrudApi\Controller\Responder;
+use Tqdev\PhpCrudApi\Middleware\Base\Middleware;
+use Tqdev\PhpCrudApi\Record\ErrorCode;
+use Tqdev\PhpCrudApi\RequestUtils;
+
+class ApiKeyAuthMiddleware extends Middleware
+{
+    public function process(ServerRequestInterface $request, RequestHandlerInterface $next): ResponseInterface
+    {
+        $headerName = $this->getProperty('header', 'X-API-Key');
+        $apiKey = RequestUtils::getHeader($request, $headerName);
+        if ($apiKey) {
+            $apiKeys = $this->getArrayProperty('keys', '');
+            if (!in_array($apiKey, $apiKeys)) {
+                return $this->responder->error(ErrorCode::AUTHENTICATION_FAILED, $apiKey);
+            }
+        } else {
+            $authenticationMode = $this->getProperty('mode', 'required');
+            if ($authenticationMode == 'required') {
+                return $this->responder->error(ErrorCode::AUTHENTICATION_REQUIRED, '');
+            }
+        }
+        $_SESSION['apiKey'] = $apiKey;
+        return $next->handle($request);
+    }
+}

src/Tqdev/PhpCrudApi/Middleware/ApiKeyDbAuthMiddleware.php

@@ -0,0 +1,59 @@
+<?php
+
+namespace Tqdev\PhpCrudApi\Middleware;
+
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Psr\Http\Server\RequestHandlerInterface;
+use Tqdev\PhpCrudApi\Column\ReflectionService;
+use Tqdev\PhpCrudApi\Controller\Responder;
+use Tqdev\PhpCrudApi\Database\GenericDB;
+use Tqdev\PhpCrudApi\Middleware\Base\Middleware;
+use Tqdev\PhpCrudApi\Middleware\Router\Router;
+use Tqdev\PhpCrudApi\Record\Condition\ColumnCondition;
+use Tqdev\PhpCrudApi\Record\ErrorCode;
+use Tqdev\PhpCrudApi\Record\OrderingInfo;
+use Tqdev\PhpCrudApi\RequestUtils;
+
+class ApiKeyDbAuthMiddleware extends Middleware
+{
+    private $reflection;
+    private $db;
+    private $ordering;
+
+    public function __construct(Router $router, Responder $responder, array $properties, ReflectionService $reflection, GenericDB $db)
+    {
+        parent::__construct($router, $responder, $properties);
+        $this->reflection = $reflection;
+        $this->db = $db;
+        $this->ordering = new OrderingInfo();
+    }
+
+    public function process(ServerRequestInterface $request, RequestHandlerInterface $next): ResponseInterface
+    {
+        $user = false;
+        $headerName = $this->getProperty('header', 'X-API-Key');
+        $apiKey = RequestUtils::getHeader($request, $headerName);
+        if ($apiKey) {
+            $tableName = $this->getProperty('usersTable', 'users');
+            $table = $this->reflection->getTable($tableName);
+            $apiKeyColumnName = $this->getProperty('apiKeyColumn', 'api_key');
+            $apiKeyColumn = $table->getColumn($apiKeyColumnName);
+            $condition = new ColumnCondition($apiKeyColumn, 'eq', $apiKey);
+            $columnNames = $table->getColumnNames();
+            $columnOrdering = $this->ordering->getDefaultColumnOrdering($table);
+            $users = $this->db->selectAll($table, $columnNames, $condition, $columnOrdering, 0, 1);
+            if (count($users) < 1) {
+                return $this->responder->error(ErrorCode::AUTHENTICATION_FAILED, $apiKey);
+            }
+            $user = $users[0];
+        } else {
+            $authenticationMode = $this->getProperty('mode', 'required');
+            if ($authenticationMode == 'required') {
+                return $this->responder->error(ErrorCode::AUTHENTICATION_REQUIRED, '');
+            }
+        }
+        $_SESSION['apiUser'] = $user;
+        return $next->handle($request);
+    }
+}

tests/config/base.php

@@ -4,7 +4,11 @@
     'username' => 'incorrect_username',
     'password' => 'incorrect_password',
     'controllers' => 'records,columns,cache,openapi,geojson,status',
-    'middlewares' => 'sslRedirect,xml,cors,json,reconnect,dbAuth,jwtAuth,basicAuth,authorization,sanitation,validation,ipAddress,multiTenancy,pageLimits,joinLimits,customization',
+    'middlewares' => 'sslRedirect,xml,cors,json,reconnect,apiKeyAuth,apiKeyDbAuth,dbAuth,jwtAuth,basicAuth,authorization,sanitation,validation,ipAddress,multiTenancy,pageLimits,joinLimits,customization',
+    'apiKeyAuth.mode' => 'optional',
+    'apiKeyAuth.keys' => '123456789abc',
+    'apiKeyDbAuth.mode' => 'optional',
+    'apiKeyDbAuth.header' => 'X-API-Key-DB',
     'dbAuth.mode' => 'optional',
     'dbAuth.returnedColumns' => 'id,username,password',
     'dbAuth.registerUser' => '1',
@@ -24,7 +28,7 @@
         return 'php-crud-api';
     },
     'authorization.tableHandler' => function ($operation, $tableName) {
-        return !($tableName == 'invisibles' && !isset($_SESSION['claims']['name']) && empty($_SESSION['username']) && empty($_SESSION['user']));
+        return !($tableName == 'invisibles' && !isset($_SESSION['claims']['name']) && empty($_SESSION['username']) && empty($_SESSION['user']) && empty($_SESSION['apiKey']) && empty($_SESSION['apiUser']));
     },
     'authorization.columnHandler' => function ($operation, $tableName, $columnName) {
         return !($columnName == 'invisible');

tests/fixtures/blog_mysql.sql

@@ -88,13 +88,14 @@ CREATE TABLE `users` (
   `id` int(11) NOT NULL AUTO_INCREMENT,
   `username` varchar(255) NOT NULL,
   `password` varchar(255) NOT NULL,
+  `api_key` varchar(255) NULL,
   `location` point,
   PRIMARY KEY (`id`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci;
 
-INSERT INTO `users` (`username`, `password`, `location`) VALUES
-('user1',	'pass1', NULL),
-('user2',	'$2y$10$cg7/nswxVZ0cmVIsMB/pVOh1OfcHScBJGq7Xu4KF9dFEQgRZ8HWe.', NULL);
+INSERT INTO `users` (`username`, `password`, `api_key`, `location`) VALUES
+('user1',	'pass1', '123456789abc', NULL),
+('user2',	'$2y$10$cg7/nswxVZ0cmVIsMB/pVOh1OfcHScBJGq7Xu4KF9dFEQgRZ8HWe.', NULL, NULL);
 
 DROP TABLE IF EXISTS `countries`;
 CREATE TABLE `countries` (

tests/fixtures/blog_pgsql.sql

@@ -99,6 +99,7 @@ CREATE TABLE users (
     id serial NOT NULL,
     username character varying(255) NOT NULL,
     password character varying(255) NOT NULL,
+    api_key character varying(255) NULL,
     location geometry
 );
 
@@ -231,9 +232,9 @@ INSERT INTO "tags" ("name", "is_important") VALUES
 -- Data for Name: users; Type: TABLE DATA; Schema: public; Owner: postgres
 --
 
-INSERT INTO "users" ("username", "password", "location") VALUES
-('user1',	'pass1',	NULL),
-('user2',	'$2y$10$cg7/nswxVZ0cmVIsMB/pVOh1OfcHScBJGq7Xu4KF9dFEQgRZ8HWe.',	NULL);
+INSERT INTO "users" ("username", "password", "api_key", "location") VALUES
+('user1',	'pass1',	'123456789abc',	NULL),
+('user2',	'$2y$10$cg7/nswxVZ0cmVIsMB/pVOh1OfcHScBJGq7Xu4KF9dFEQgRZ8HWe.',	NULL,	NULL);
 
 --
 -- Data for Name: countries; Type: TABLE DATA; Schema: public; Owner: postgres

tests/fixtures/blog_sqlite.sql

@@ -79,11 +79,12 @@ CREATE TABLE "users" (
   "id" integer NOT NULL PRIMARY KEY AUTOINCREMENT,
   "username" varchar(255) NOT NULL,
   "password" varchar(255) NOT NULL,
+  "api_key" varchar(255) NULL,
   "location" text NULL
 );
 
-INSERT INTO "users" ("id", "username", "password", "location") VALUES (1, 'user1', 'pass1', NULL);
-INSERT INTO "users" ("id", "username", "password", "location") VALUES (2, 'user2', '$2y$10$cg7/nswxVZ0cmVIsMB/pVOh1OfcHScBJGq7Xu4KF9dFEQgRZ8HWe.', NULL);
+INSERT INTO "users" ("id", "username", "password", "api_key", "location") VALUES (1, 'user1', 'pass1', '123456789abc', NULL);
+INSERT INTO "users" ("id", "username", "password", "api_key", "location") VALUES (2, 'user2', '$2y$10$cg7/nswxVZ0cmVIsMB/pVOh1OfcHScBJGq7Xu4KF9dFEQgRZ8HWe.', NULL, NULL);
 
 DROP TABLE IF EXISTS "countries";
 CREATE TABLE "countries" (

tests/fixtures/blog_sqlsrv.sql

@@ -212,6 +212,7 @@ CREATE TABLE [users](
 	[id] [int] NOT NULL CONSTRAINT [users_id_def] DEFAULT NEXT VALUE FOR [users_id_seq],
 	[username] [nvarchar](255) NOT NULL,
 	[password] [nvarchar](255) NOT NULL,
+	[api_key] [nvarchar](255) NULL,
 	[location] [geometry],
 	CONSTRAINT [users_pkey] PRIMARY KEY CLUSTERED([id] ASC)
 )
@@ -336,9 +337,9 @@ GO
 INSERT [tags] ([name], [is_important]) VALUES (N'important', 1)
 GO
 
-INSERT [users] ([username], [password], [location]) VALUES (N'user1', N'pass1', NULL)
+INSERT [users] ([username], [password], [api_key], [location]) VALUES (N'user1', N'pass1', N'123456789abc', NULL)
 GO
-INSERT [users] ([username], [password], [location]) VALUES (N'user2', N'$2y$10$cg7/nswxVZ0cmVIsMB/pVOh1OfcHScBJGq7Xu4KF9dFEQgRZ8HWe.', NULL)
+INSERT [users] ([username], [password], [api_key], [location]) VALUES (N'user2', N'$2y$10$cg7/nswxVZ0cmVIsMB/pVOh1OfcHScBJGq7Xu4KF9dFEQgRZ8HWe.', NULL, NULL)
 GO
 
 INSERT [countries] ([name], [shape]) VALUES (N'Left', N'POLYGON ((30 10, 40 40, 20 40, 10 20, 30 10))')

tests/functional/001_records/027_list_example_from_readme_users_only.log

@@ -3,6 +3,6 @@ GET /records/posts?join=users&filter=id,eq,1
 ===
 200
 Content-Type: application/json; charset=utf-8
-Content-Length: 136
+Content-Length: 161
 
-{"records":[{"id":1,"user_id":{"id":1,"username":"user1","password":"pass1","location":null},"category_id":1,"content":"blog started"}]}
+{"records":[{"id":1,"user_id":{"id":1,"username":"user1","password":"pass1","api_key":"123456789abc","location":null},"category_id":1,"content":"blog started"}]}

tests/functional/001_records/028_read_example_from_readme_users_only.log

@@ -3,6 +3,6 @@ GET /records/posts/1?join=users
 ===
 200
 Content-Type: application/json; charset=utf-8
-Content-Length: 122
+Content-Length: 147
 
-{"id":1,"user_id":{"id":1,"username":"user1","password":"pass1","location":null},"category_id":1,"content":"blog started"}
+{"id":1,"user_id":{"id":1,"username":"user1","password":"pass1","api_key":"123456789abc","location":null},"category_id":1,"content":"blog started"}

tests/functional/001_records/082_read_users_as_geojson.log

@@ -1,14 +1,14 @@
 skip-for-sqlite: no support for geometry functions (spatialite)
 ===
-GET /geojson/users/1?exclude=password
+GET /geojson/users/1?exclude=password,api_key
 ===
 200
 Content-Type: application/json; charset=utf-8
 Content-Length: 109
 
 {"type":"Feature","id":1,"properties":{"username":"user1"},"geometry":{"type":"Point","coordinates":[30,20]}}
 ===
-GET /geojson/users/2?exclude=password
+GET /geojson/users/2?exclude=password,api_key
 ===
 200
 Content-Type: application/json; charset=utf-8

tests/functional/001_records/083_list_users_as_geojson.log

@@ -1,38 +1,38 @@
 skip-for-sqlite: no support for geometry functions (spatialite)
 ===
-GET /geojson/users?exclude=password
+GET /geojson/users?exclude=password,api_key
 ===
 200
 Content-Type: application/json; charset=utf-8
 Content-Length: 227
 
 {"type":"FeatureCollection","features":[{"type":"Feature","id":1,"properties":{"username":"user1"},"geometry":{"type":"Point","coordinates":[30,20]}},{"type":"Feature","id":2,"properties":{"username":"user2"},"geometry":null}]}
 ===
-GET /geojson/users?exclude=password&geometry=location
+GET /geojson/users?exclude=password,api_key&geometry=location
 ===
 200
 Content-Type: application/json; charset=utf-8
 Content-Length: 227
 
 {"type":"FeatureCollection","features":[{"type":"Feature","id":1,"properties":{"username":"user1"},"geometry":{"type":"Point","coordinates":[30,20]}},{"type":"Feature","id":2,"properties":{"username":"user2"},"geometry":null}]}
 ===
-GET /geojson/users?exclude=password&geometry=notlocation
+GET /geojson/users?exclude=password,api_key&geometry=notlocation
 ===
 200
 Content-Type: application/json; charset=utf-8
 Content-Length: 235
 
 {"type":"FeatureCollection","features":[{"type":"Feature","id":1,"properties":{"username":"user1","location":"POINT(30 20)"},"geometry":null},{"type":"Feature","id":2,"properties":{"username":"user2","location":null},"geometry":null}]}
 ===
-GET /geojson/users?exclude=password&page=1,1
+GET /geojson/users?exclude=password,api_key&page=1,1
 ===
 200
 Content-Type: application/json; charset=utf-8
 Content-Length: 163
 
 {"type":"FeatureCollection","features":[{"type":"Feature","id":1,"properties":{"username":"user1"},"geometry":{"type":"Point","coordinates":[30,20]}}],"results":2}
 ===
-GET /geojson/users?exclude=password&bbox=29.99,19.99,30.01,20.01
+GET /geojson/users?exclude=password,api_key&bbox=29.99,19.99,30.01,20.01
 ===
 200
 Content-Type: application/json; charset=utf-8