From cfcb922e834b16669f89d9879f4ad65d3e65c659 Mon Sep 17 00:00:00 2001
From: fipwmaqzufheoxq92ebc
 <29818044+fipwmaqzufheoxq92ebc@users.noreply.github.com>
Date: Tue, 21 Jul 2020 15:12:09 +0200
Subject: [PATCH] Refactor Authentication-Middlewares

---
 config-dist.php                      |   6 ++
 middleware/ApiKeyAuthMiddleware.php  | 132 +++++++++------------------
 middleware/AuthMiddleware.php        |  65 +++++++++++++
 middleware/DefaultAuthMiddleware.php |  25 +++++
 middleware/SessionAuthMiddleware.php |  83 ++++-------------
 routes.php                           |   9 +-
 6 files changed, 165 insertions(+), 155 deletions(-)
 create mode 100644 middleware/AuthMiddleware.php
 create mode 100644 middleware/DefaultAuthMiddleware.php

diff --git a/config-dist.php b/config-dist.php
index 2c746528..792a9604 100644
--- a/config-dist.php
+++ b/config-dist.php
@@ -66,6 +66,12 @@ Setting('ENTRY_PAGE', 'stock');
 # places where user context is needed will then use the default (first existing) user
 Setting('DISABLE_AUTH', false);
 
+#
+Setting('AUTH_CLASS', '\\Grocy\\Middleware\\DefaultAuthMiddleware');
+
+# The Header-name with the username set by the reverse-proxy (case-insensitive)
+Setting('PROXY_AUTH_HEADER', 'X-Username');
+
 # Set this to true if you want to disable the ability to scan a barcode via the device camera (Browser API)
 Setting('DISABLE_BROWSER_BARCODE_CAMERA_SCANNING', false);
 
diff --git a/middleware/ApiKeyAuthMiddleware.php b/middleware/ApiKeyAuthMiddleware.php
index 462d3d55..336e7262 100644
--- a/middleware/ApiKeyAuthMiddleware.php
+++ b/middleware/ApiKeyAuthMiddleware.php
@@ -1,105 +1,63 @@
 <?php
 
+
 namespace Grocy\Middleware;
 
+
+use Grocy\Services\ApiKeyService;
+use Psr\Http\Message\ResponseFactoryInterface;
 use Psr\Http\Message\ServerRequestInterface as Request;
-use Psr\Http\Server\RequestHandlerInterface as RequestHandler;
-use Psr\Http\Message\ResponseInterface as Response;
 use Slim\Routing\RouteContext;
 
-use Grocy\Services\SessionService;
-use Grocy\Services\ApiKeyService;
-
-class ApiKeyAuthMiddleware extends BaseMiddleware
+class ApiKeyAuthMiddleware extends AuthMiddleware
 {
-	public function __construct(\DI\Container $container, string $sessionCookieName, string $apiKeyHeaderName)
-	{
-		parent::__construct($container);
-		$this->SessionCookieName = $sessionCookieName;
-		$this->ApiKeyHeaderName = $apiKeyHeaderName;
-	}
+    public function __construct(\DI\Container $container, ResponseFactoryInterface $responseFactory)
+    {
+        parent::__construct($container, $responseFactory);
+        $this->ApiKeyHeaderName = $this->AppContainer->get('ApiKeyHeaderName');
+    }
 
-	protected $SessionCookieName;
-	protected $ApiKeyHeaderName;
+    protected $ApiKeyHeaderName;
 
-	public function __invoke(Request $request, RequestHandler $handler): Response
-	{
-		$routeContext = RouteContext::fromRequest($request);
-		$route = $routeContext->getRoute();
-		$routeName = $route->getName();
+    function authenticate(Request $request)
+    {
+        $routeContext = RouteContext::fromRequest($request);
+        $route = $routeContext->getRoute();
+        $routeName = $route->getName();
 
-		if (GROCY_MODE === 'dev' || GROCY_MODE === 'demo' || GROCY_MODE === 'prerelease' || GROCY_IS_EMBEDDED_INSTALL || GROCY_DISABLE_AUTH)
-		{
-			define('GROCY_AUTHENTICATED', true);
-			$response = $handler->handle($request);
-		}
-		else
-		{
-			$validSession = true;
-			$validApiKey = true;
-			$usedApiKey = null;
+        $validApiKey = true;
+        $usedApiKey = null;
 
-			$sessionService = SessionService::getInstance();
-			if (!isset($_COOKIE[$this->SessionCookieName]) || !$sessionService->IsValidSession($_COOKIE[$this->SessionCookieName]))
-			{
-				$validSession = false;
-			}
 
-			$apiKeyService = new ApiKeyService();
+        $apiKeyService = new ApiKeyService();
 
-			// First check of the API key in the configured header
-			if (!$request->hasHeader($this->ApiKeyHeaderName) || !$apiKeyService->IsValidApiKey($request->getHeaderLine($this->ApiKeyHeaderName)))
-			{
-				$validApiKey = false;
-			}
-			else
-			{
-				$usedApiKey = $request->getHeaderLine($this->ApiKeyHeaderName);
-			}
+        // First check of the API key in the configured header
+        if (!$request->hasHeader($this->ApiKeyHeaderName) || !$apiKeyService->IsValidApiKey($request->getHeaderLine($this->ApiKeyHeaderName))) {
+            $validApiKey = false;
+        } else {
+            $usedApiKey = $request->getHeaderLine($this->ApiKeyHeaderName);
+        }
 
-			// Not recommended, but it's also possible to provide the API key via a query parameter (same name as the configured header)
-			if (!$validApiKey && !empty($request->getQueryParam($this->ApiKeyHeaderName)) && $apiKeyService->IsValidApiKey($request->getQueryParam($this->ApiKeyHeaderName)))
-			{
-				$validApiKey = true;
-				$usedApiKey = $request->getQueryParam($this->ApiKeyHeaderName);
-			}
+        // Not recommended, but it's also possible to provide the API key via a query parameter (same name as the configured header)
+        if (!$validApiKey && !empty($request->getQueryParam($this->ApiKeyHeaderName)) && $apiKeyService->IsValidApiKey($request->getQueryParam($this->ApiKeyHeaderName))) {
+            $validApiKey = true;
+            $usedApiKey = $request->getQueryParam($this->ApiKeyHeaderName);
+        }
 
-			// Handling of special purpose API keys
-			if (!$validApiKey)
-			{
-				if ($routeName === 'calendar-ical')
-				{
-					if ($request->getQueryParam('secret') !== null && $apiKeyService->IsValidApiKey($request->getQueryParam('secret'), ApiKeyService::API_KEY_TYPE_SPECIAL_PURPOSE_CALENDAR_ICAL))
-					{
-						$validApiKey = true;
-					}
-				}
-			}
+        // Handling of special purpose API keys
+        if (!$validApiKey) {
+            if ($routeName === 'calendar-ical') {
+                if ($request->getQueryParam('secret') !== null && $apiKeyService->IsValidApiKey($request->getQueryParam('secret'), ApiKeyService::API_KEY_TYPE_SPECIAL_PURPOSE_CALENDAR_ICAL)) {
+                    $validApiKey = true;
+                }
+            }
+        }
 
-			if (!$validSession && !$validApiKey)
-			{
-				define('GROCY_AUTHENTICATED', false);
-				$response = new \Slim\Psr7\Response(); // No content when unauthorized
-				$response = $response->withStatus(401);
-			}
-			elseif ($validApiKey)
-			{
-				$user = $apiKeyService->GetUserByApiKey($usedApiKey);
-				define('GROCY_AUTHENTICATED', true);
-				define('GROCY_USER_ID', $user->id);
+        if ($validApiKey) {
+            return $apiKeyService->GetUserByApiKey($usedApiKey);
 
-				$response = $handler->handle($request);
-			}
-			elseif ($validSession)
-			{
-				$user = $sessionService->GetUserBySessionKey($_COOKIE[$this->SessionCookieName]);
-				define('GROCY_AUTHENTICATED', true);
-				define('GROCY_USER_ID', $user->id);
-
-				$response = $handler->handle($request);
-			}
-		}
-
-		return $response;
-	}
-}
+        } else {
+            return null;
+        }
+    }
+}
\ No newline at end of file
diff --git a/middleware/AuthMiddleware.php b/middleware/AuthMiddleware.php
new file mode 100644
index 00000000..d5f8bbc4
--- /dev/null
+++ b/middleware/AuthMiddleware.php
@@ -0,0 +1,65 @@
+<?php
+
+
+namespace Grocy\Middleware;
+
+
+use Grocy\Auth\ApiKeyAuthProvider;
+use Grocy\Auth\ProxyAuthProvider;
+use Grocy\Auth\SessionAuthProvider;
+use Psr\Http\Message\ResponseFactoryInterface;
+use Psr\Http\Message\ResponseInterface as Response;
+use Psr\Http\Message\ServerRequestInterface as Request;
+use Psr\Http\Server\RequestHandlerInterface as RequestHandler;
+use Slim\Routing\RouteContext;
+
+abstract class AuthMiddleware extends BaseMiddleware
+{
+    public function __construct(\DI\Container $container, ResponseFactoryInterface $responseFactory)
+    {
+        parent::__construct($container);
+        $this->ResponseFactory = $responseFactory;
+    }
+
+    protected $ResponseFactory;
+
+    public function __invoke(Request $request, RequestHandler $handler): Response
+    {
+        $routeContext = RouteContext::fromRequest($request);
+        $route = $routeContext->getRoute();
+        $routeName = $route->getName();
+        if ($routeName === 'root') {
+            return $handler->handle($request);
+        }
+        if ($routeName === 'login') {
+            define('GROCY_AUTHENTICATED', false);
+            return $handler->handle($request);
+        }
+        if (GROCY_MODE === 'dev' || GROCY_MODE === 'demo' || GROCY_MODE === 'prerelease' || GROCY_IS_EMBEDDED_INSTALL || GROCY_DISABLE_AUTH) {
+            define('GROCY_AUTHENTICATED', true);
+            return $handler->handle($request);
+        } else {
+            $user = $this->authenticate($request);
+            if ($user === null) {
+                define('GROCY_AUTHENTICATED', false);
+                $response = $this->ResponseFactory->createResponse();
+                return $response->withHeader('Location', $this->AppContainer->get('UrlManager')->ConstructUrl('/login'));
+            } else {
+                define('GROCY_AUTHENTICATED', true);
+                define('GROCY_USER_ID', $user->id);
+                define('GROCY_USER_USERNAME', $user->username);
+
+
+                return $response = $handler->handle($request);
+            }
+        }
+    }
+
+    /**
+     * @param Request $request
+     * @return mixed|null the user row or null if the request is not authenticated
+     * @throws \Exception Throws an \Exception if config is invalid.
+     */
+    protected abstract function authenticate(Request $request);
+
+}
\ No newline at end of file
diff --git a/middleware/DefaultAuthMiddleware.php b/middleware/DefaultAuthMiddleware.php
new file mode 100644
index 00000000..8994b914
--- /dev/null
+++ b/middleware/DefaultAuthMiddleware.php
@@ -0,0 +1,25 @@
+<?php
+
+
+namespace Grocy\Middleware;
+
+
+use Psr\Http\Message\ServerRequestInterface as Request;
+
+class DefaultAuthMiddleware extends AuthMiddleware
+{
+
+    protected function authenticate(Request $request)
+    {
+        $auth = new ApiKeyAuthMiddleware($this->AppContainer, $this->ResponseFactory);
+        $user = $auth->authenticate($request);
+        if ($user !== null)
+            return $user;
+
+        $auth = new SessionAuthMiddleware($this->AppContainer, $this->ResponseFactory);
+        $user = $auth->authenticate($request);
+
+        return $user;
+
+    }
+}
\ No newline at end of file
diff --git a/middleware/SessionAuthMiddleware.php b/middleware/SessionAuthMiddleware.php
index 94895e05..b25af041 100644
--- a/middleware/SessionAuthMiddleware.php
+++ b/middleware/SessionAuthMiddleware.php
@@ -1,73 +1,30 @@
 <?php
 
+
 namespace Grocy\Middleware;
 
-use Psr\Http\Message\ServerRequestInterface as Request;
-use Psr\Http\Server\RequestHandlerInterface as RequestHandler;
-use Psr\Http\Message\ResponseFactoryInterface;
-use Psr\Http\Message\ResponseInterface as Response;
-use Slim\Routing\RouteContext;
 
 use Grocy\Services\SessionService;
-use Grocy\Services\LocalizationService;
+use Psr\Http\Message\ResponseFactoryInterface;
+use Psr\Http\Message\ServerRequestInterface as Request;
 
-class SessionAuthMiddleware extends BaseMiddleware
+class SessionAuthMiddleware extends AuthMiddleware
 {
-	public function __construct(\DI\Container $container, string $sessionCookieName, ResponseFactoryInterface $responseFactory)
-	{
-		parent::__construct($container);
-		$this->SessionCookieName = $sessionCookieName;
-		$this->ResponseFactory = $responseFactory;
-	}
+    public function __construct(\DI\Container $container, ResponseFactoryInterface $responseFactory)
+    {
+        parent::__construct($container, $responseFactory);
+        $this->SessionCookieName = $this->AppContainer->get('LoginControllerInstance')->GetSessionCookieName();
+    }
 
-	protected $SessionCookieName;
-	protected $ResponseFactory;
+    protected $SessionCookieName;
 
-	public function __invoke(Request $request, RequestHandler $handler): Response
-	{
-		$routeContext = RouteContext::fromRequest($request);
-		$route = $routeContext->getRoute();
-		$routeName = $route->getName();
-		$sessionService = SessionService::getInstance();
-
-		if ($routeName === 'root')
-		{
-			$response = $handler->handle($request);
-		}
-		elseif (GROCY_MODE === 'dev' || GROCY_MODE === 'demo' || GROCY_MODE === 'prerelease' || GROCY_IS_EMBEDDED_INSTALL || GROCY_DISABLE_AUTH)
-		{
-			$user = $sessionService->GetDefaultUser();
-			define('GROCY_AUTHENTICATED', true);
-			define('GROCY_USER_USERNAME', $user->username);
-
-			$response = $handler->handle($request);
-		}
-		else
-		{
-			if ((!isset($_COOKIE[$this->SessionCookieName]) || !$sessionService->IsValidSession($_COOKIE[$this->SessionCookieName])) && $routeName !== 'login')
-			{
-				define('GROCY_AUTHENTICATED', false);
-				$response = $this->ResponseFactory->createResponse();
-				return $response->withHeader('Location', $this->AppContainer->get('UrlManager')->ConstructUrl('/login'));
-			}
-			else
-			{
-				if ($routeName !== 'login')
-				{
-					$user = $sessionService->GetUserBySessionKey($_COOKIE[$this->SessionCookieName]);
-					define('GROCY_AUTHENTICATED', true);
-					define('GROCY_USER_USERNAME', $user->username);
-					define('GROCY_USER_ID', $user->id);
-				}
-				else
-				{
-					define('GROCY_AUTHENTICATED', false);
-				}
-
-				$response = $handler->handle($request);
-			}
-		}
-
-		return $response;
-	}
-}
+    function authenticate(Request $request)
+    {
+        $sessionService = SessionService::getInstance();
+        if (!isset($_COOKIE[$this->SessionCookieName]) || !$sessionService->IsValidSession($_COOKIE[$this->SessionCookieName])) {
+            return null;
+        } else {
+            return $sessionService->GetUserBySessionKey($_COOKIE[$this->SessionCookieName]);
+        }
+    }
+}
\ No newline at end of file
diff --git a/routes.php b/routes.php
index c432ecee..7ef190be 100644
--- a/routes.php
+++ b/routes.php
@@ -1,14 +1,13 @@
 <?php
 
+use Grocy\Middleware\AuthMiddleware;
 use Psr\Http\Message\ServerRequestInterface as Request;
 use Psr\Http\Message\ResponseInterface as Response;
 use Slim\Routing\RouteCollectorProxy;
 
 use Grocy\Middleware\JsonMiddleware;
 use Grocy\Middleware\CorsMiddleware;
-use Grocy\Middleware\SessionAuthMiddleware;
-use Grocy\Middleware\ApiKeyAuthMiddleware;
-
+$auth_middleware = GROCY_AUTH_CLASS;
 $app->group('', function(RouteCollectorProxy $group)
 {
 	// System routes
@@ -133,7 +132,7 @@ $app->group('', function(RouteCollectorProxy $group)
 	$group->get('/api', '\Grocy\Controllers\OpenApiController:DocumentationUi');
 	$group->get('/manageapikeys', '\Grocy\Controllers\OpenApiController:ApiKeysList');
 	$group->get('/manageapikeys/new', '\Grocy\Controllers\OpenApiController:CreateNewApiKey');
-})->add(new SessionAuthMiddleware($container, $container->get('LoginControllerInstance')->GetSessionCookieName(), $app->getResponseFactory()));
+})->add(new $auth_middleware($container, $app->getResponseFactory()));
 
 $app->group('/api', function(RouteCollectorProxy $group)
 {
@@ -253,7 +252,7 @@ $app->group('/api', function(RouteCollectorProxy $group)
 		$group->get('/calendar/ical/sharing-link', '\Grocy\Controllers\CalendarApiController:IcalSharingLink');
 	}
 })->add(JsonMiddleware::class)
-->add(new ApiKeyAuthMiddleware($container, $container->get('LoginControllerInstance')->GetSessionCookieName(), $container->get('ApiKeyHeaderName')));
+->add(new $auth_middleware($container, $app->getResponseFactory()));
 
 // Handle CORS preflight OPTIONS requests
 $app->options('/api/{routes:.+}', function(Request $request, Response $response): Response