invoiceninja/app/Http/Middleware/ApiCheck.php

<?php

namespace App\Http\Middleware;

use App\Models\AccountToken;
use Auth;
use Cache;
use Closure;
use Request;
use Response;
use Session;
use Utils;

/**
 * Class ApiCheck.
 */
class ApiCheck
{
    /**
     * Handle an incoming request.
     *
     * @param \Illuminate\Http\Request $request
     * @param \Closure                 $next
     *
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        $loggingIn = $request->is('api/v1/login')
            || $request->is('api/v1/register')
            || $request->is('api/v1/oauth_login')
            || $request->is('api/v1/ios_subscription_status');

        $headers = Utils::getApiHeaders();
        $hasApiSecret = false;

        if ($secret = env(API_SECRET)) {
            $requestSecret = Request::header('X-Ninja-Secret') ?: ($request->api_secret ?: '');
            $hasApiSecret = hash_equals($requestSecret, $secret);
        } elseif (Utils::isSelfHost()) {
            $hasApiSecret = true;
        }

        if ($loggingIn) {
            // check API secret
            if (! $hasApiSecret) {
                sleep(ERROR_DELAY);
                $error['error'] = ['message' => 'Invalid value for API_SECRET'];

                return Response::json($error, 403, $headers);
            }
        } else {
            // check for a valid token
            $token = AccountToken::where('token', '=', Request::header('X-Ninja-Token'))->first(['id', 'user_id']);

            // check if user is archived
            if ($token && $token->user) {
                Auth::onceUsingId($token->user_id);
                session(['token_id' => $token->id]);
            } elseif ($hasApiSecret && $request->is('api/v1/ping')) {
                // do nothing: allow ping with api_secret or account token
            } else {
                sleep(ERROR_DELAY);
                $error['error'] = ['message' => 'Invalid token'];

                return Response::json($error, 403, $headers);
            }
        }

        if (! Utils::isNinja() && ! $loggingIn) {
            return $next($request);
        }

        $isMobileApp = strpos(array_get($_SERVER, 'HTTP_USER_AGENT'), '(dart:io)') !== false;

        if (! Utils::hasFeature(FEATURE_API) && ! $hasApiSecret && ! $isMobileApp) {
            $error['error'] = ['message' => 'API requires pro plan'];

            return Response::json($error, 403, $headers);
        } else {
            $key = Auth::check() ? Auth::user()->account->id : $request->getClientIp();

            // http://stackoverflow.com/questions/1375501/how-do-i-throttle-my-sites-api-users
            $hour = 60 * 60;
            $hour_limit = 1000;
            $hour_throttle = Cache::get("hour_throttle:{$key}", null);
            $last_api_request = Cache::get("last_api_request:{$key}", 0);
            $last_api_diff = time() - $last_api_request;

            if (is_null($hour_throttle)) {
                $new_hour_throttle = 0;
            } else {
                $new_hour_throttle = $hour_throttle - $last_api_diff;
                $new_hour_throttle = $new_hour_throttle < 0 ? 0 : $new_hour_throttle;
                $new_hour_throttle += $hour / $hour_limit;
                $hour_hits_remaining = floor(($hour - $new_hour_throttle) * $hour_limit / $hour);
                $hour_hits_remaining = $hour_hits_remaining >= 0 ? $hour_hits_remaining : 0;
            }

            if ($new_hour_throttle > $hour) {
                $wait = ceil($new_hour_throttle - $hour);
                sleep(1);

                return Response::json("Please wait {$wait} second(s)", 403, $headers);
            }

            Cache::put("hour_throttle:{$key}", $new_hour_throttle, 60);
            Cache::put("last_api_request:{$key}", time(), 60);
        }

        return $next($request);
    }
}
php-cs-fixer cleanup 2017-01-30 20:40:43 +01:00			`<?php`
Working on L5 2015-04-02 15:06:16 +02:00
php-cs-fixer cleanup 2017-01-30 20:40:43 +01:00			`namespace App\Http\Middleware;`

			`use App\Models\AccountToken;`
			`use Auth;`
			`use Cache;`
Working on L5 2015-04-02 15:06:16 +02:00			`use Closure;`
			`use Request;`
			`use Response;`
php-cs-fixer cleanup 2017-01-30 20:40:43 +01:00			`use Session;`
			`use Utils;`
Working on L5 2015-04-02 15:06:16 +02:00
Code Refactoring - Removed unused uses - Type hinting for method parameters - Removed commented code - Introduced comments for classes and methods - Short array syntax 2016-07-03 18:11:58 +02:00			`/**`
php-cs-fixer cleanup 2017-01-30 20:40:43 +01:00			`* Class ApiCheck.`
Code Refactoring - Removed unused uses - Type hinting for method parameters - Removed commented code - Introduced comments for classes and methods - Short array syntax 2016-07-03 18:11:58 +02:00			`*/`
php-cs-fixer clean up 2017-01-30 17:05:31 +01:00			`class ApiCheck`
			`{`
Working on L5 2015-04-02 15:06:16 +02:00			`/**`
php-cs-fixer cleanup 2017-01-30 20:40:43 +01:00			`* Handle an incoming request.`
			`*`
			`* @param \Illuminate\Http\Request $request`
			`* @param \Closure $next`
			`*`
			`* @return mixed`
			`*/`
Working on L5 2015-04-02 15:06:16 +02:00			`public function handle($request, Closure $next)`
			`{`
Support OAuth login on iPhone 2016-10-06 14:46:27 +02:00			`$loggingIn = $request->is('api/v1/login')`
			`\|\| $request->is('api/v1/register')`
Stubs for Apple iOS subscription notifications (#1739) 2017-11-14 10:56:41 +01:00			`\|\| $request->is('api/v1/oauth_login')`
			`\|\| $request->is('api/v1/ios_subscription_status');`
Api error handling (#1277) * fix env variable * update routes * Improve error handling for API_SECRET when testing API endpoint credentials * exclude /api/v1/ping from API check 2017-01-11 09:13:22 +01:00
Working on L5 2015-04-02 15:06:16 +02:00			`$headers = Utils::getApiHeaders();`
Clarify API secret error 2016-09-20 08:03:07 +02:00			`$hasApiSecret = false;`
Check for blank api secret 2016-06-05 17:50:41 +02:00
			`if ($secret = env(API_SECRET)) {`
Support sending API secret as header 2016-10-26 09:24:16 +02:00			`$requestSecret = Request::header('X-Ninja-Secret') ?: ($request->api_secret ?: '');`
			`$hasApiSecret = hash_equals($requestSecret, $secret);`
Changes for mobile app 2018-06-17 10:27:36 +02:00			`} elseif (Utils::isSelfHost()) {`
			`$hasApiSecret = true;`
Check for blank api secret 2016-06-05 17:50:41 +02:00			`}`
Working on L5 2015-04-02 15:06:16 +02:00
Working on the API 2015-11-02 19:43:22 +01:00			`if ($loggingIn) {`
Enabled registering through the API 2016-03-08 22:22:59 +01:00			`// check API secret`
php-cs-fixer clean up 2017-01-30 17:05:31 +01:00			`if (! $hasApiSecret) {`
Enabled registering through the API 2016-03-08 22:22:59 +01:00			`sleep(ERROR_DELAY);`
php-cs-fixer cleanup 2017-01-30 20:40:43 +01:00			`$error['error'] = ['message' => 'Invalid value for API_SECRET'];`

Api error handling (#1277) * fix env variable * update routes * Improve error handling for API_SECRET when testing API endpoint credentials * exclude /api/v1/ping from API check 2017-01-11 09:13:22 +01:00			`return Response::json($error, 403, $headers);`
Enabled registering through the API 2016-03-08 22:22:59 +01:00			`}`
Working on L5 2015-04-02 15:06:16 +02:00			`} else {`
Working on the API 2015-11-02 19:43:22 +01:00			`// check for a valid token`
			`$token = AccountToken::where('token', '=', Request::header('X-Ninja-Token'))->first(['id', 'user_id']);`

Only show user’s own tokens 2016-05-08 20:50:35 +02:00			`// check if user is archived`
			`if ($token && $token->user) {`
API changes 2016-08-17 16:29:25 +02:00			`Auth::onceUsingId($token->user_id);`
L5.4 fixes 2018-02-26 10:52:34 +01:00			`session(['token_id' => $token->id]);`
Allow ping with api_secret or account token 2017-03-05 11:29:28 +01:00			`} elseif ($hasApiSecret && $request->is('api/v1/ping')) {`
			`// do nothing: allow ping with api_secret or account token`
Working on the API 2015-11-02 19:43:22 +01:00			`} else {`
Enabled registering through the API 2016-03-08 22:22:59 +01:00			`sleep(ERROR_DELAY);`
php-cs-fixer cleanup 2017-01-30 20:40:43 +01:00			`$error['error'] = ['message' => 'Invalid token'];`

Api error handling (#1277) * fix env variable * update routes * Improve error handling for API_SECRET when testing API endpoint credentials * exclude /api/v1/ping from API check 2017-01-11 09:13:22 +01:00			`return Response::json($error, 403, $headers);`
Working on the API 2015-11-02 19:43:22 +01:00			`}`
Working on L5 2015-04-02 15:06:16 +02:00			`}`

php-cs-fixer cleanup 2017-01-30 20:40:43 +01:00			`if (! Utils::isNinja() && ! $loggingIn) {`
Bug fixes 2015-05-13 17:32:59 +02:00			`return $next($request);`
Working on L5 2015-04-02 15:06:16 +02:00			`}`

Rebase to v4.5.9 2019-01-30 11:45:46 +01:00			`$isMobileApp = strpos(array_get($_SERVER, 'HTTP_USER_AGENT'), '(dart:io)') !== false;`

			`if (! Utils::hasFeature(FEATURE_API) && ! $hasApiSecret && ! $isMobileApp) {`
php-cs-fixer cleanup 2017-01-30 20:40:43 +01:00			`$error['error'] = ['message' => 'API requires pro plan'];`

Api error handling (#1277) * fix env variable * update routes * Improve error handling for API_SECRET when testing API endpoint credentials * exclude /api/v1/ping from API check 2017-01-11 09:13:22 +01:00			`return Response::json($error, 403, $headers);`
Working on L5 2015-04-02 15:06:16 +02:00			`} else {`
Working on the API 2015-11-02 19:43:22 +01:00			`$key = Auth::check() ? Auth::user()->account->id : $request->getClientIp();`
Working on L5 2015-04-02 15:06:16 +02:00
			`// http://stackoverflow.com/questions/1375501/how-do-i-throttle-my-sites-api-users`
			`$hour = 60 * 60;`
Increase API limit 2018-05-15 15:18:44 +02:00			`$hour_limit = 1000;`
Working on the API 2015-11-02 19:43:22 +01:00			`$hour_throttle = Cache::get("hour_throttle:{$key}", null);`
			`$last_api_request = Cache::get("last_api_request:{$key}", 0);`
Working on L5 2015-04-02 15:06:16 +02:00			`$last_api_diff = time() - $last_api_request;`
Enable mobile app for non-pro users 2016-05-29 16:31:03 +02:00
Working on L5 2015-04-02 15:06:16 +02:00			`if (is_null($hour_throttle)) {`
			`$new_hour_throttle = 0;`
			`} else {`
			`$new_hour_throttle = $hour_throttle - $last_api_diff;`
			`$new_hour_throttle = $new_hour_throttle < 0 ? 0 : $new_hour_throttle;`
			`$new_hour_throttle += $hour / $hour_limit;`
php-cs-fixer clean up 2017-01-30 17:05:31 +01:00			`$hour_hits_remaining = floor(($hour - $new_hour_throttle) * $hour_limit / $hour);`
Working on L5 2015-04-02 15:06:16 +02:00			`$hour_hits_remaining = $hour_hits_remaining >= 0 ? $hour_hits_remaining : 0;`
			`}`

			`if ($new_hour_throttle > $hour) {`
			`$wait = ceil($new_hour_throttle - $hour);`
			`sleep(1);`
php-cs-fixer cleanup 2017-01-30 20:40:43 +01:00
Added Swagger 2015-11-08 21:34:26 +01:00			`return Response::json("Please wait {$wait} second(s)", 403, $headers);`
Working on L5 2015-04-02 15:06:16 +02:00			`}`

Throttle emails 2018-02-04 10:24:43 +01:00			`Cache::put("hour_throttle:{$key}", $new_hour_throttle, 60);`
			`Cache::put("last_api_request:{$key}", time(), 60);`
Working on L5 2015-04-02 15:06:16 +02:00			`}`

			`return $next($request);`
			`}`
Enable mobile app for non-pro users 2016-05-29 16:31:03 +02:00			`}`