PhalconExt\Http\Middleware\ApiAuth

Complexity

Total Complexity

27

Size/Duplication

Total Lines	146
Duplicated Lines	0 %

Importance

Changes	2
Bugs	0	Features	1

10 Methods

Rating	Name	Duplication	Size	Complexity
A	before()	0	11	2
A	createJWT()	0	13	2
A	getClaimedScopes()	0	13	3
A	authenticate()	0	7	2
A	shouldGenerate()	0	3	2
A	serve()	0	14	2
A	validateGenerate()	0	11	4
A	validateScope()	0	17	4
A	generateToken()	0	13	4
A	__construct()	0	11	2

<?php

/*
 * This file is part of the PHALCON-EXT package.
 *
 * (c) Jitendra Adhikari <jiten.adhikary@gmail.com>
 *     <https://github.com/adhocore>
 *
 * Licensed under MIT license.
 */

namespace PhalconExt\Http\Middleware;

use Phalcon\Http\Request;
use Phalcon\Http\Response;
use PhalconExt\Contract\ApiAuthenticator;
use PhalconExt\Factory\ApiAuthenticator as FactoryAuthenticator;
use PhalconExt\Http\BaseMiddleware;

/**
 * Check authentication &/or authorization for api requests.
 *
 * @author  Jitendra Adhikari <jiten.adhikary@gmail.com>
 * @license MIT
 *
 * @link    https://github.com/adhocore/phalcon-ext
 */
class ApiAuth extends BaseMiddleware
{
    protected $configKey = 'apiAuth';

    /** @var ApiAuthenticator */
    protected $authenticator;

    public function __construct(ApiAuthenticator $authenticator = null)
    {
        parent::__construct();

        $this->authenticator = $authenticator ?? $this->di(FactoryAuthenticator::class);

        if (!$this->di()->has('authenticator')) {
            $this->di()->setShared('authenticator', $this->authenticator);
        }

        $this->authenticator->configure($this->config);
    }

    /**
     * Handle authentication.
     *
     * @param Request  $request
     * @param Response $response
     *
     * @return bool
     */
    public function before(Request $request, Response $response): bool

The parameter $response is not used and could be removed.

    {
        list($routeName, $currentUri) = $this->getRouteNameUri();

        if ($this->shouldGenerate($request, $currentUri)) {
            return $this->generateToken($request);
        }

        $requiredScope = $this->config['scopes'][$routeName] ?? $this->config['scopes'][$currentUri] ?? null;

        return $this->validateScope($request, $requiredScope);
    }

    protected function shouldGenerate(Request $request, string $currentUri): bool
    {
        return $request->isPost() && $this->config['authUri'] === $currentUri;
    }

    protected function generateToken(Request $request)
    {
        $payload = $request->getJsonRawBody(true) ?: $request->getPost();

        if (!$this->validateGenerate($payload)) {
            return $this->abort(401, 'Credentials missing');
        }

        if (!$this->authenticate($payload)) {
            return $this->abort(401, 'Credentials invalid');
        }

        return $this->serve($payload['grant_type']);
    }

    protected function validateGenerate(array $payload): bool
    {
        if (!isset($payload['grant_type'], $payload[$payload['grant_type']])) {
            return false;
        }

        if (!\in_array($payload['grant_type'], ['password', 'refresh_token'])) {
            return false;
        }

        return 'password' !== $payload['grant_type'] || isset($payload['username']);
    }

    protected function authenticate(array $payload): bool
    {
        if ('refresh_token' === $payload['grant_type']) {
            return $this->authenticator->byRefreshToken($payload['refresh_token']);
        }

        return $this->authenticator->byCredential($payload['username'], $payload['password']);
    }

    protected function serve(string $grantType): bool
    {
        $token = [
            'access_token' => $this->createJWT(),
            'token_type'   => 'bearer',
            'expires_in'   => $this->config['jwt']['maxAge'],
            'grant_type'   => $grantType,
        ];

        if ($grantType === 'password') {
            $token['refresh_token'] = $this->authenticator->createRefreshToken();
        }

        return $this->abort(200, $token);
    }

    protected function createJWT(): string
    {
        $jwt = [
            'sub'    => $this->authenticator->getSubject(),
            'scopes' => $this->authenticator->getScopes(),
        ];

        if ($this->config['jwt']['issuer'] ?? null) {
            $jwt['iss'] = $this->config['jwt']['issuer'];
        }

        // 'exp' is automatically added based on `config->apiAuth->jwt->maxAge`!
        return $this->di('jwt')->encode($jwt);
    }

    protected function validateScope(Request $request, string $requiredScope = null): bool
    {
        $claimedScopes = [];

The assignment to $claimedScopes is dead and can be removed.

        $msg           = 'Permission denied';
        $jwt           = $request->getHeader('Authorization');

        try {
            $claimedScopes = $this->getClaimedScopes($jwt);
        } catch (\InvalidArgumentException $e) {
            $msg = $e->getMessage();
        }

        if ($requiredScope && !\in_array($requiredScope, $claimedScopes)) {
            return $this->abort(403, $msg);
        }

        return true;
    }

    protected function getClaimedScopes(string $jwt = null): array
    {
        if ('' === $jwt = \str_replace('Bearer ', '', \trim($jwt))) {

It seems like $jwt can also be of type null; however, parameter $string of trim() does only seem to accept string, maybe add an additional type check?

            return [];
        }

        $decoded = $this->di('jwt')->decode($jwt);

        if ($decoded['sub'] ?? null) {
            $this->authenticator->bySubject($decoded['sub']);
        }

        return $decoded['scopes'] ?? [];
    }
}