Restriction on middleware to reject if allowed_country_code is set and the requested country code is out of the allowed country_codes

Author: joseganora

app/Http/Middleware/ApiAuthMiddleware.php

@@ -43,6 +43,12 @@ public function handle($request, Closure $next)
                 return response()->json(['error' => 'Application is not allowed to access this API version'], 403);
             }
 
+            $canAccessOrganisation = $this->canAccessOrganisation($request->path(), (array) $application->rules);
+
+            if (!$canAccessOrganisation) {
+                return response()->json(['error' => 'Application is not allowed to access this organisation'], 403);
+            }
+
             $usageLog = new UsageLog;
             $usageLog->application_id = $application->id;
             $usageLog->method = $request->method();
@@ -71,4 +77,21 @@ private function canAccessRequestedVersion(string $path, array $rules): bool
 
         return true;
     }
+
+    private function canAccessOrganisation(string $path, array $rules): bool
+    {
+        // Check if accessing org/{code}/whatnow endpoint
+        if (preg_match('#org/([^/]+)/whatnow#', $path, $matches)) {
+            $orgCode = $matches[1];
+
+            // If allowed_country_code is defined in rules, check if this org is restricted
+            if (isset($rules['allowed_country_code']) && is_array($rules['allowed_country_code'])) {
+                if (!in_array($orgCode, $rules['allowed_country_code'])) {
+                    return false;
+                }
+            }
+        }
+
+        return true;
+    }
 }