-
-
Notifications
You must be signed in to change notification settings - Fork 2.4k
Expand file tree
/
Copy pathUserApiTokenController.php
More file actions
182 lines (148 loc) · 5.58 KB
/
UserApiTokenController.php
File metadata and controls
182 lines (148 loc) · 5.58 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
<?php
namespace BookStack\Api;
use BookStack\Activity\ActivityType;
use BookStack\Http\Controller;
use BookStack\Permissions\Permission;
use BookStack\Users\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Str;
class UserApiTokenController extends Controller
{
/**
* Show the form to create a new API token.
*/
public function create(Request $request, int $userId)
{
$this->checkPermission(Permission::AccessApi);
$this->checkPermissionOrCurrentUser(Permission::UsersManage, $userId);
$this->updateContext($request);
$user = User::query()->findOrFail($userId);
$this->setPageTitle(trans('settings.user_api_token_create'));
return view('users.api-tokens.create', [
'user' => $user,
'back' => $this->getRedirectPath($user),
]);
}
/**
* Store a new API token in the system.
*/
public function store(Request $request, int $userId)
{
$this->checkPermission(Permission::AccessApi);
$this->checkPermissionOrCurrentUser(Permission::UsersManage, $userId);
$this->validate($request, [
'name' => ['required', 'max:250'],
'expires_at' => ['date_format:Y-m-d'],
]);
$user = User::query()->findOrFail($userId);
$secret = Str::random(32);
$token = (new ApiToken())->forceFill([
'name' => $request->get('name'),
'token_id' => Str::random(32),
'secret' => Hash::make($secret),
'user_id' => $user->id,
'expires_at' => $request->get('expires_at') ?: ApiToken::defaultExpiry(),
]);
while (ApiToken::query()->where('token_id', '=', $token->token_id)->exists()) {
$token->token_id = Str::random(32);
}
$token->save();
session()->flash('api-token-secret:' . $token->id, $secret);
$this->logActivity(ActivityType::API_TOKEN_CREATE, $token);
return redirect($token->getUrl());
}
/**
* Show the details for a user API token, with access to edit.
*/
public function edit(Request $request, int $userId, int $tokenId)
{
$this->updateContext($request);
[$user, $token] = $this->checkPermissionAndFetchUserToken($userId, $tokenId);
$secret = session()->pull('api-token-secret:' . $token->id, null);
$this->setPageTitle(trans('settings.user_api_token'));
return view('users.api-tokens.edit', [
'user' => $user,
'token' => $token,
'model' => $token,
'secret' => $secret,
'back' => $this->getRedirectPath($user),
]);
}
/**
* Update the API token.
*/
public function update(Request $request, int $userId, int $tokenId)
{
$this->validate($request, [
'name' => ['required', 'max:250'],
'expires_at' => ['date_format:Y-m-d'],
]);
[$user, $token] = $this->checkPermissionAndFetchUserToken($userId, $tokenId);
$token->fill([
'name' => $request->get('name'),
'expires_at' => $request->get('expires_at') ?: ApiToken::defaultExpiry(),
])->save();
$this->logActivity(ActivityType::API_TOKEN_UPDATE, $token);
return redirect($token->getUrl());
}
/**
* Show the delete view for this token.
*/
public function delete(int $userId, int $tokenId)
{
[$user, $token] = $this->checkPermissionAndFetchUserToken($userId, $tokenId);
$this->setPageTitle(trans('settings.user_api_token_delete'));
return view('users.api-tokens.delete', [
'user' => $user,
'token' => $token,
]);
}
/**
* Destroy a token from the system.
*/
public function destroy(int $userId, int $tokenId)
{
[$user, $token] = $this->checkPermissionAndFetchUserToken($userId, $tokenId);
$token->delete();
$this->logActivity(ActivityType::API_TOKEN_DELETE, $token);
return redirect($this->getRedirectPath($user));
}
/**
* Check the permission for the current user and return an array
* where the first item is the user in context and the second item is their
* API token in context.
*/
protected function checkPermissionAndFetchUserToken(int $userId, int $tokenId): array
{
$this->checkPermissionOr(Permission::UsersManage, function () use ($userId) {
return $userId === user()->id && userCan(Permission::AccessApi);
});
$user = User::query()->findOrFail($userId);
$token = ApiToken::query()->where('user_id', '=', $user->id)->where('id', '=', $tokenId)->firstOrFail();
return [$user, $token];
}
/**
* Update the context for where the user is coming from to manage API tokens.
* (Track of location for correct return redirects)
*/
protected function updateContext(Request $request): void
{
$context = $request->query('context');
if ($context) {
session()->put('api-token-context', $context);
}
}
/**
* Get the redirect path for the current api token editing session.
* Attempts to recall the context of where the user is editing from.
*/
protected function getRedirectPath(User $relatedUser): string
{
$context = session()->get('api-token-context');
if ($context === 'settings' || user()->id !== $relatedUser->id) {
return $relatedUser->getEditUrl('#api_tokens');
}
return url('/my-account/auth#api_tokens');
}
}