ca8a2066de
reads auth_token cookie (constant COOKIE_NAME for cross-layer
sharing with the AuthController). missing/empty cookie or
unknown token -> 401 json {error: unauthenticated}. expired
session is deleted then 401 returned. valid session attaches
the User entity to request attributes under 'user' so
downstream controllers can read it via request attributes. 37
tests pass.
51 lines
1.2 KiB
PHP
51 lines
1.2 KiB
PHP
<?php
|
|
|
|
namespace App\Http\Middleware;
|
|
|
|
use App\Auth\Clock;
|
|
use App\Auth\SessionRepository;
|
|
use Closure;
|
|
use Illuminate\Http\JsonResponse;
|
|
use Illuminate\Http\Request;
|
|
use Symfony\Component\HttpFoundation\Response;
|
|
|
|
class AuthMiddleware
|
|
{
|
|
public const COOKIE_NAME = 'auth_token';
|
|
|
|
public function __construct(
|
|
private SessionRepository $sessionRepo,
|
|
private Clock $clock,
|
|
) {}
|
|
|
|
/**
|
|
* @param Closure(Request): Response $next
|
|
*/
|
|
public function handle(Request $request, Closure $next): Response
|
|
{
|
|
$token = $request->cookie(self::COOKIE_NAME);
|
|
if (! is_string($token) || $token === '') {
|
|
return $this->unauthorized();
|
|
}
|
|
|
|
$session = $this->sessionRepo->findByToken($token);
|
|
if ($session === null) {
|
|
return $this->unauthorized();
|
|
}
|
|
|
|
if ($session->isExpired($this->clock->now())) {
|
|
$this->sessionRepo->deleteByToken($token);
|
|
|
|
return $this->unauthorized();
|
|
}
|
|
|
|
$request->attributes->set('user', $session->getUser());
|
|
|
|
return $next($request);
|
|
}
|
|
|
|
private function unauthorized(): JsonResponse
|
|
{
|
|
return new JsonResponse(['error' => 'unauthenticated'], 401);
|
|
}
|
|
}
|