Allow config of anonymous access

Author: mevdschee

README.md

@@ -161,9 +161,12 @@ You can tune the middleware behavior using middleware specific configuration par
 - "cors.allowMethods": The methods allowed in the CORS request ("OPTIONS, GET, PUT, POST, DELETE, PATCH")
 - "cors.allowCredentials": To allow credentials in the CORS request ("true")
 - "cors.maxAge": The time that the CORS grant is valid in seconds ("1728000")
+- "jwtAuth.mode": Set to "optional" if you want to allow anonymous access ("required")
 - "jwtAuth.leeway": The acceptable number of seconds of clock skew ("5")
 - "jwtAuth.ttl": The number of seconds the token is valid ("30")
 - "jwtAuth.secret": The shared secret used to sign the JWT token with ("")
+- "basicAuth.mode": Set to "optional" if you want to allow anonymous access ("required")
+- "basicAuth.realm": Text to prompt when showing login ("Username and password required")
 - "basicAuth.passwordFile": The file to read for username/password combinations (".htpasswd")
 - "authorization.tableHandler": Handler to implement table authorization rules ("")
 - "authorization.columnHandler": Handler to implement column authorization rules ("")
@@ -793,11 +796,12 @@ The following errors may be reported:
 - 1008: Cannot read HTTP message (422 UNPROCESSABLE ENTITY)
 - 1009: Duplicate key exception (409 CONFLICT)
 - 1010: Data integrity violation (409 CONFLICT)
-- 1011: Authorization required (401 UNAUTHORIZED)
-- 1012: Access denied (403 FORBIDDEN)
+- 1011: Authentication required (401 UNAUTHORIZED)
+- 1012: Authentication failed (403 FORBIDDEN)
 - 1013: Input validation failed (422 UNPROCESSABLE ENTITY)
 - 1014: Operation forbidden (403 FORBIDDEN)
 - 1015: Operation not supported (405 METHOD NOT ALLOWED)
+- 1016: Temporary or permanently blocked (403 FORBIDDEN)
 - 9999: Unknown error (500: INTERNAL SERVER ERROR)
 
 The following JSON structure is used:

src/Tqdev/PhpCrudApi/Middleware/BasicAuthMiddleware.php

@@ -85,7 +85,16 @@ public function handle(Request $request): Response
             $validUser = $this->getValidUsername($username, $password, $passwordFile);
             $_SESSION['username'] = $validUser;
             if (!$validUser) {
-                return $this->responder->error(ErrorCode::ACCESS_DENIED, $username);
+                return $this->responder->error(ErrorCode::AUTHENTICATION_FAILED, $username);
+            }
+        }
+        if (!isset($_SESSION['username']) || !$_SESSION['username']) {
+            $authenticationMode = $this->getProperty('mode', 'required');
+            if ($authenticationMode == 'required') {
+                $response = $this->responder->error(ErrorCode::AUTHENTICATION_REQUIRED, '');
+                $realm = $this->getProperty('realm', 'Username and password required');
+                $response->addHeader('WWW-Authenticate', "Basic realm=\"$realm\"");
+                return $response;
             }
         }
         return $this->next->handle($request);

src/Tqdev/PhpCrudApi/Middleware/FirewallMiddleware.php

@@ -46,7 +46,7 @@ public function handle(Request $request): Response
         }
         $allowedIpAddresses = $this->getProperty('allowedIpAddresses', '');
         if (!$this->isIpAllowed($ipAddress, $allowedIpAddresses)) {
-            $response = $this->responder->error(ErrorCode::ACCESS_DENIED, $ipAddress);
+            $response = $this->responder->error(ErrorCode::TEMPORARY_OR_PERMANENTLY_BLOCKED, '');
         } else {
             $response = $this->next->handle($request);
         }

src/Tqdev/PhpCrudApi/Middleware/JwtAuthMiddleware.php

@@ -87,7 +87,13 @@ public function handle(Request $request): Response
             $claims = $this->getClaims($token);
             $_SESSION['claims'] = $claims;
             if (empty($claims)) {
-                return $this->responder->error(ErrorCode::ACCESS_DENIED, 'JWT');
+                return $this->responder->error(ErrorCode::AUTHENTICATION_FAILED, 'JWT');
+            }
+        }
+        if (empty($_SESSION['claims'])) {
+            $authenticationMode = $this->getProperty('mode', 'required');
+            if ($authenticationMode == 'required') {
+                return $this->responder->error(ErrorCode::AUTHENTICATION_REQUIRED, '');
             }
         }
         return $this->next->handle($request);

src/Tqdev/PhpCrudApi/Record/ErrorCode.php

@@ -22,11 +22,12 @@ class ErrorCode
     const HTTP_MESSAGE_NOT_READABLE = 1008;
     const DUPLICATE_KEY_EXCEPTION = 1009;
     const DATA_INTEGRITY_VIOLATION = 1010;
-    const AUTHORIZATION_REQUIRED = 1011;
-    const ACCESS_DENIED = 1012;
+    const AUTHENTICATION_REQUIRED = 1011;
+    const AUTHENTICATION_FAILED = 1012;
     const INPUT_VALIDATION_FAILED = 1013;
     const OPERATION_FORBIDDEN = 1014;
     const OPERATION_NOT_SUPPORTED = 1015;
+    const TEMPORARY_OR_PERMANENTLY_BLOCKED = 1016;
 
     private $values = [
         9999 => ["%s", Response::INTERNAL_SERVER_ERROR],
@@ -41,11 +42,12 @@ class ErrorCode
         1008 => ["Cannot read HTTP message", Response::UNPROCESSABLE_ENTITY],
         1009 => ["Duplicate key exception", Response::CONFLICT],
         1010 => ["Data integrity violation", Response::CONFLICT],
-        1011 => ["Authorization required", Response::UNAUTHORIZED],
-        1012 => ["Access denied for '%s'", Response::FORBIDDEN],
+        1011 => ["Authentication required", Response::UNAUTHORIZED],
+        1012 => ["Authentication failed for '%s'", Response::FORBIDDEN],
         1013 => ["Input validation failed for '%s'", Response::UNPROCESSABLE_ENTITY],
         1014 => ["Operation forbidden", Response::FORBIDDEN],
         1015 => ["Operation '%s' not supported", Response::METHOD_NOT_ALLOWED],
+        1016 => ["Temporary or permanently blocked", Response::FORBIDDEN],
     ];
 
     public function __construct(int $code)

tests/config/base.php

@@ -5,8 +5,10 @@
     'password' => 'php-crud-api',
     'controllers' => 'records,columns,cache,openapi',
     'middlewares' => 'cors,jwtAuth,basicAuth,authorization,validation,sanitation,multiTenancy,customization',
+    'jwtAuth.mode' => 'optional',
     'jwtAuth.time' => '1538207605',
     'jwtAuth.secret' => 'axpIrCGNGqxzx2R9dtXLIPUSqPo778uhb8CA0F4Hx',
+    'basicAuth.mode' => 'optional',
     'basicAuth.passwordFile' => __DIR__ . DIRECTORY_SEPARATOR . '.htpasswd',
     'authorization.tableHandler' => function ($operation, $tableName) {
         return !($tableName == 'invisibles' && !isset($_SESSION['claims']['name']) && empty($_SESSION['username']));

tests/functional/002_auth/001_jwt_auth.log

@@ -20,9 +20,9 @@ Authorization: Bearer invalid
 ===
 403
 Content-Type: application/json
-Content-Length: 49
+Content-Length: 57
 
-{"code":1012,"message":"Access denied for 'JWT'"}
+{"code":1012,"message":"Authentication failed for 'JWT'"}
 ===
 GET /records/invisibles/e42c77c6-06a4-4502-816c-d112c7142e6d
 ===

tests/functional/002_auth/002_basic_auth.log

@@ -20,9 +20,9 @@ Authorization: Basic aW52YWxpZHVzZXI6aW52YWxpZHBhc3M
 ===
 403
 Content-Type: application/json
-Content-Length: 57
+Content-Length: 65
 
-{"code":1012,"message":"Access denied for 'invaliduser'"}
+{"code":1012,"message":"Authentication failed for 'invaliduser'"}
 ===
 GET /records/invisibles/e42c77c6-06a4-4502-816c-d112c7142e6d
 ===