securing api with token validation integrated

Robert Kummer · Robert Kummer · commit f85c1d6a0c6e · 2017-06-02T09:48:46.000+02:00
diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php
@@ -2,6 +2,7 @@
 
 namespace App\Http;
 
+use App\Http\Middleware\TokenValidation;
 use Illuminate\Foundation\Http\Kernel as HttpKernel;
 
 class Kernel extends HttpKernel
@@ -38,6 +39,7 @@ class Kernel extends HttpKernel
 
         'api' => [
             'throttle:60,1',
+            'token',
             'bindings',
         ],
     ];
@@ -57,5 +59,6 @@ class Kernel extends HttpKernel
         'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
         'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
         'feature' => \App\Http\Middleware\WebUiFeatureAvailability::class,
+        'token' => TokenValidation::class,
     ];
 }
diff --git a/app/Http/Middleware/TokenValidation.php b/app/Http/Middleware/TokenValidation.php
@@ -0,0 +1,89 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+
+class TokenValidation
+{
+    /**
+     * The URIs that should be excluded from CSRF verification.
+     *
+     * @var array
+     */
+    protected $except = [
+        '/api/health'
+    ];
+
+    /**
+     * Handle an incoming request.
+     *
+     * @param  \Illuminate\Http\Request $request
+     * @param  \Closure $next
+     * @return mixed
+     */
+    public function handle($request, Closure $next)
+    {
+        if (!$this->inExceptArray($request)
+            && $this->hasSecretToken()
+            && $request->header($this->secretTokenName()) !== $this->secretToken()
+        ) {
+            abort(401, 'Token missing');
+        }
+
+        return $next($request);
+    }
+
+    /**
+     * do we have a secret token configured?
+     *
+     * @return bool
+     */
+    private function hasSecretToken() : bool
+    {
+        return config('fileproxy.api.secret_token', null) !== null;
+    }
+
+    /**
+     * returns secret token.
+     *
+     * @return string
+     */
+    private function secretToken() : string
+    {
+        return config('fileproxy.api.secret_token', '');
+    }
+
+    /**
+     * returns secret token name.
+     *
+     * @return string
+     */
+    private function secretTokenName() : string
+    {
+        $tokenName = config('fileproxy.api.token_name', null);
+
+        return $tokenName ?? 'X-FILEPROXY-TOKEN';
+    }
+
+    /**
+     * Determine if the request has a URI that should pass through CSRF verification.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @return bool
+     */
+    protected function inExceptArray($request)
+    {
+        foreach ($this->except as $except) {
+            if ($except !== '/') {
+                $except = trim($except, '/');
+            }
+
+            if ($request->is($except)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+}
diff --git a/config/fileproxy.php b/config/fileproxy.php
@@ -32,4 +32,21 @@
          */
         'accept_remote_creation' => env('FILEPROXY_WEB_ACCEPT_REMOTE_CREATION', false),
     ],
+
+    /*
+     * api configuration
+     */
+    'api' => [
+        /*
+         * The secret token has to be set for security reason. If it is not null you have to
+         * add a http header `X-FILEPROXY-TOKEN` to each api request.
+         */
+        'secret_token' => env('FILEPROXY_API_SECRET_TOKEN', null),
+
+        /*
+         * The secret token has to be set for security reason. If it is not null you have to
+         * add a http header `X-FILEPROXY-TOKEN` to each api request.
+         */
+        'token_name' => env('FILEPROXY_API_TOKEN_NAME', 'X-FILEPROXY-TOKEN'),
+    ],
 ];
diff --git a/readme.md b/readme.md
@@ -99,6 +99,29 @@ You can enable or disable the ability to create remote files via web frontend. T
 
 **Environment variable**: `FILEPROXY_WEB_ACCEPT_REMOTE_CREATION`
 
+### Api
+
+All settings depending on the api endpoint.
+
+#### secret_token
+
+The secret token is for security reason. Api calls can be secured by this value. If it is set you have to add a header `X-FILEPROXY-TOKEN` to each api request.
+
+When it is `null` no header validation will be executed.
+
+**Default**: `null`
+
+**Environment variable**: `FILEPROXY_API_SECRET_TOKEN`
+
+#### token_name
+
+The secret token will be checked by a header named `X-FILEPROXY-TOKEN` by default. You can override this concrete header name if you want.
+
+**Default**: `X-FILEPROXY-TOKEN`
+
+**Environment variable**: `FILEPROXY_API_TOKEN_NAME`
+
+
 ## Test
 
 All commands for running the business functions are unit tested. You can run `composer test` to run our test suite.
diff --git a/tests/Feature/Api/TokenValidationMiddlewareTest.php b/tests/Feature/Api/TokenValidationMiddlewareTest.php
@@ -0,0 +1,106 @@
+<?php
+
+namespace Tests\Feature\Api;
+
+use Illuminate\Foundation\Testing\DatabaseMigrations;
+use Illuminate\Foundation\Testing\DatabaseTransactions;
+use Tests\TestCase;
+
+class TokenValidationMiddlewareTest extends TestCase
+{
+    use DatabaseMigrations, DatabaseTransactions;
+
+    /** @test */
+    public function it_can_not_access_api_with_missing_header_when_secret_token_configured()
+    {
+        // ARRANGE
+        config(['fileproxy.api.secret_token' => 'S3cr3T']);
+
+        // ACT
+        $response = $this->getJson('/api/statistics');
+
+        // ASSERT
+        $response->assertStatus(401)
+            ->assertExactJson([
+                'errors' => [
+                    [
+                        'status' => 401,
+                        'code' => 0,
+                        'title' => 'Token missing'
+                    ]
+                ],
+            ]);
+    }
+
+    /** @test */
+    public function it_can_access_api_with_correct_header_when_secret_token_configured()
+    {
+        // ARRANGE
+        config(['fileproxy.api.secret_token' => 'S3cr3T']);
+
+        // ACT
+        $response = $this->getJson('/api/statistics', ['X-FILEPROXY-TOKEN' => 'S3cr3T']);
+
+        // ASSERT
+        $response->assertStatus(200)
+            ->assertHeader('Content-Type', 'application/vnd.api+json')
+            ->assertExactJson([
+                'data' => [
+                    'type' => 'statistics',
+                    'id' => '',
+                    'attributes' => [
+                        'size' => 0,
+                        'files' => 0,
+                        'aliases' => 0,
+                        'hits' => 0,
+                    ],
+                    'links' => [
+                        'self' => 'http://localhost/api/statistics/',
+                    ],
+                ]
+            ]);
+    }
+
+    /** @test */
+    public function it_can_access_api_with_correct_header_when_secret_token_configured_and_token_name_header_modified()
+    {
+        // ARRANGE
+        config(['fileproxy.api.secret_token' => 'S3cr3T', 'fileproxy.api.token_name' => 'X-TEST']);
+
+        // ACT
+        $response = $this->getJson('/api/statistics', ['X-TEST' => 'S3cr3T']);
+
+        // ASSERT
+        $response->assertStatus(200)
+            ->assertHeader('Content-Type', 'application/vnd.api+json')
+            ->assertExactJson([
+                'data' => [
+                    'type' => 'statistics',
+                    'id' => '',
+                    'attributes' => [
+                        'size' => 0,
+                        'files' => 0,
+                        'aliases' => 0,
+                        'hits' => 0,
+                    ],
+                    'links' => [
+                        'self' => 'http://localhost/api/statistics/',
+                    ],
+                ]
+            ]);
+    }
+
+    /** @test */
+    public function it_can_access_health_check_with_secured_api_without_secret_token()
+    {
+        // ARRANGE
+        config(['fileproxy.api.secret_token' => 'S3cr3T']);
+
+        // ACT
+        $response = $this->get('/api/health');
+
+        // ASSERT
+        $response->assertStatus(200);
+    }
+
+}
