Authorize restifyjs.

Author: binaryk

config/config.php

@@ -49,6 +49,21 @@
         'user_verify_url' => env('FRONTEND_APP_URL').'/verify/{id}/{emailHash}',
     ],
 
+    /*
+    |--------------------------------------------------------------------------
+    | RestifyJS
+    |--------------------------------------------------------------------------
+    |
+    | This configuration is used for supporting the RestifyJS
+    |
+    */
+    'restifyjs' => [
+        /*
+        | Token to authorize the setup endpoint.
+        */
+        'token' => env('RESTIFYJS_TOKEN', 'testing'),
+    ],
+
     /*
     |--------------------------------------------------------------------------
     | Restify Base Route

routes/api.php

@@ -20,6 +20,7 @@
 use Binaryk\LaravelRestify\Http\Controllers\RepositoryUpdateBulkController;
 use Binaryk\LaravelRestify\Http\Controllers\RepositoryUpdateController;
 use Binaryk\LaravelRestify\Http\Controllers\RestifyJsSetupController;
+use Binaryk\LaravelRestify\Http\Middleware\RestifySanctumAuthenticate;
 use Illuminate\Support\Facades\Route;
 
 // Global Search...
@@ -31,7 +32,9 @@
 Route::post('/profile/avatar', '\\'.ProfileAvatarController::class);
 
 // RestifyJS
-Route::get('/restifyjs/setup', '\\'.RestifyJsSetupController::class);
+Route::get('/restifyjs/setup', '\\'.RestifyJsSetupController::class)->withoutMiddleware(
+    RestifySanctumAuthenticate::class,
+);
 
 // Filters
 Route::get('/{repository}/filters', '\\'.RepositoryFilterController::class);

src/Http/Controllers/RestifyJsSetupController.php

@@ -5,13 +5,19 @@
 use Binaryk\LaravelRestify\Http\Requests\RestifyRequest;
 use Binaryk\LaravelRestify\Repositories\Repository;
 use Binaryk\LaravelRestify\Restify;
+use Illuminate\Http\Request;
 use Illuminate\Routing\Controller;
+use Illuminate\Support\Facades\App;
 use Illuminate\Support\Str;
 
 class RestifyJsSetupController extends Controller
 {
     public function __invoke(RestifyRequest $request)
     {
+        if (App::environment('production')) {
+            $this->authorize($request);
+        }
+
         return response()->json([
             'config' => $this->config(),
             'repositories' => $this->repositories($request),
@@ -46,4 +52,11 @@ private function deleteFirstAndLastSlash(string $domain): string
 
         return $domain;
     }
+
+    private function authorize(Request $request)
+    {
+        if ($request->input('token') !== config('restify.restifyjs.token')) {
+            abort(401, 'You are not authorized to see this request.');
+        }
+    }
 }