fix: don't return HTML code for a 401 in an API call (#3313)

thorsten · thorsten · commit 00615f1cec94 · 2025-01-12T16:17:27.000+01:00
diff --git a/docs/openapi.json b/docs/openapi.json
@@ -1,7 +1,7 @@
 {
   "openapi": "3.0.0",
   "info": {
-    "title": "REST API for phpMyFAQ 4.0",
+    "title": "REST API for phpMyFAQ 4.1",
     "description": "phpMyFAQ includes a REST API and offers APIs for various services like fetching the phpMyFAQ version or doing a search against the phpMyFAQ installation.",
     "contact": {
       "name": "phpMyFAQ Team",
@@ -719,7 +719,7 @@
             "content": {
               "application/json": {
                 "schema": {},
-                "example": "[\n            {\n                \"question\": \"How can I survive without phpMyFAQ?\",\n                \"url\": \"https://www.example.org/index.php?action=faq&cat=1&id=36&artlang=de\",\n                \"id\": \"8\",\n                \"order\": \"1\"\n            },\n            {\n                \"question\": \"Is there life after death?\",\n                \"url\": \"https://www.example.org/index.php?action=faq&cat=1&id=1&artlang=en\",\n                \"id\": \"10\",\n                \"order\": \"2\"\n            }\n        ]"
+                "example": "[\n            {\n                \"question\": \"How can I survive without phpMyFAQ?\",\n                \"url\": \"https://www.example.org/index.php?action=faq&cat=1&id=36&artlang=de\",\n                \"id\": 8,\n                \"order\": 1\n            },\n            {\n                \"question\": \"Is there life after death?\",\n                \"url\": \"https://www.example.org/index.php?action=faq&cat=1&id=1&artlang=en\",\n                \"id\": 10,\n                \"order\": 2\n            }\n        ]"
               }
             }
           },
@@ -1641,7 +1641,43 @@
             "content": {
               "application/json": {
                 "schema": {},
-                "example": "phpMyFAQ Codename Pontus"
+                "example": "phpMyFAQ Codename Porus"
+              }
+            }
+          }
+        }
+      }
+    },
+    "/api/v3.1/update": {
+      "post": {
+        "tags": ["Endpoints with Authentication"],
+        "operationId": "triggerUpdate",
+        "responses": {
+          "200": {
+            "description": "Returns the new and updated phpMyFAQ version number as string.",
+            "headers": {
+              "x-pmf-token": {
+                "description": "phpMyFAQ client API Token, generated in admin backend",
+                "schema": {
+                  "type": "string"
+                }
+              }
+            },
+            "content": {
+              "application/json": {
+                "schema": {},
+                "example": "4.0.0"
+              }
+            }
+          },
+          "401": {
+            "description": "If the user is not authenticated and/or does not have sufficient permissions.",
+            "headers": {
+              "x-pmf-token": {
+                "description": "phpMyFAQ client API Token, generated in admin backend",
+                "schema": {
+                  "type": "string"
+                }
               }
             }
           }
diff --git a/docs/openapi.yaml b/docs/openapi.yaml
@@ -1,6 +1,6 @@
 openapi: 3.0.0
 info:
-  title: 'REST API for phpMyFAQ 4.0'
+  title: 'REST API for phpMyFAQ 4.1'
   description: 'phpMyFAQ includes a REST API and offers APIs for various services like fetching the phpMyFAQ version or doing a search against the phpMyFAQ installation.'
   contact:
     name: 'phpMyFAQ Team'
@@ -484,7 +484,7 @@ paths:
           content:
             application/json:
               schema: {}
-              example: "[\n            {\n                \"question\": \"How can I survive without phpMyFAQ?\",\n                \"url\": \"https://www.example.org/index.php?action=faq&cat=1&id=36&artlang=de\",\n                \"id\": \"8\",\n                \"order\": \"1\"\n            },\n            {\n                \"question\": \"Is there life after death?\",\n                \"url\": \"https://www.example.org/index.php?action=faq&cat=1&id=1&artlang=en\",\n                \"id\": \"10\",\n                \"order\": \"2\"\n            }\n        ]"
+              example: "[\n            {\n                \"question\": \"How can I survive without phpMyFAQ?\",\n                \"url\": \"https://www.example.org/index.php?action=faq&cat=1&id=36&artlang=de\",\n                \"id\": 8,\n                \"order\": 1\n            },\n            {\n                \"question\": \"Is there life after death?\",\n                \"url\": \"https://www.example.org/index.php?action=faq&cat=1&id=1&artlang=en\",\n                \"id\": 10,\n                \"order\": 2\n            }\n        ]"
         '404':
           description: "If there's not one sticky FAQ."
           headers:
@@ -1114,7 +1114,31 @@ paths:
           content:
             application/json:
               schema: {}
-              example: 'phpMyFAQ Codename Pontus'
+              example: 'phpMyFAQ Codename Porus'
+  /api/v3.1/update:
+    post:
+      tags:
+        - 'Endpoints with Authentication'
+      operationId: triggerUpdate
+      responses:
+        '200':
+          description: 'Returns the new and updated phpMyFAQ version number as string.'
+          headers:
+            x-pmf-token:
+              description: 'phpMyFAQ client API Token, generated in admin backend'
+              schema:
+                type: string
+          content:
+            application/json:
+              schema: {}
+              example: 4.0.0
+        '401':
+          description: 'If the user is not authenticated and/or does not have sufficient permissions.'
+          headers:
+            x-pmf-token:
+              description: 'phpMyFAQ client API Token, generated in admin backend'
+              schema:
+                type: string
   /api/v3.0/version:
     get:
       tags:
diff --git a/phpmyfaq/api/index.php b/phpmyfaq/api/index.php
@@ -29,7 +29,7 @@
 $loader = new PhpFileLoader($container, new FileLocator(__DIR__));
 try {
     $loader->load('../src/services.php');
-} catch (\Exception $e) {
+} catch (Exception $e) {
     echo $e->getMessage();
 }
 
diff --git a/phpmyfaq/src/phpMyFAQ/Application.php b/phpmyfaq/src/phpMyFAQ/Application.php
@@ -116,7 +116,15 @@ private function handleRequest(RouteCollection $routeCollection): void
                 Response::HTTP_NOT_FOUND
             );
         } catch (UnauthorizedHttpException) {
-            $response = new RedirectResponse('/login');
+            if (str_contains($urlMatcher->getContext()->getBaseUrl(), '/api')) {
+                $response = new Response(
+                    json_encode(['error' => 'Unauthorized access']),
+                    Response::HTTP_UNAUTHORIZED,
+                    ['Content-Type' => 'application/json']
+                );
+            } else {
+                $response = new RedirectResponse('/login');
+            }
         } catch (BadRequestException $exception) {
             $response = new Response(
                 sprintf(
diff --git a/phpmyfaq/src/phpMyFAQ/Controller/AbstractController.php b/phpmyfaq/src/phpMyFAQ/Controller/AbstractController.php
@@ -40,7 +40,7 @@
     version: '3.0',
     description: 'phpMyFAQ includes a REST API and offers APIs for various services like fetching the phpMyFAQ ' .
     'version or doing a search against the phpMyFAQ installation.',
-    title: 'REST API for phpMyFAQ 4.0',
+    title: 'REST API for phpMyFAQ 4.1',
     contact: new OA\Contact(
         name: 'phpMyFAQ Team',
         email: 'support@phpmyfaq.de'

Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@`
`29`	`29`	`$loader = new PhpFileLoader($container, new FileLocator(__DIR__));`
`30`	`30`	`try {`
`31`	`31`	`$loader->load('../src/services.php');`
`32`		`-} catch (\Exception $e) {`
	`32`	`+} catch (Exception $e) {`
`33`	`33`	`echo $e->getMessage();`
`34`	`34`	`}`
`35`	`35`