From 4766c81580bcfff8301010cc9fc8bab5fb70ec4b Mon Sep 17 00:00:00 2001
From: Bernd Bestel
Date: Thu, 24 Dec 2020 10:00:51 +0100
Subject: [PATCH] Allow API keys in ReverseProxyAuthMiddleware (closes #1216)
---
changelog/61_UNRELEASED_xxxx-xx-xx.md | 1 +
middleware/LdapAuthMiddleware.php | 1 -
middleware/ReverseProxyAuthMiddleware.php | 13 +++++++++----
3 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/changelog/61_UNRELEASED_xxxx-xx-xx.md b/changelog/61_UNRELEASED_xxxx-xx-xx.md
index 7f312099..5a9f64bc 100644
--- a/changelog/61_UNRELEASED_xxxx-xx-xx.md
+++ b/changelog/61_UNRELEASED_xxxx-xx-xx.md
@@ -6,6 +6,7 @@ - Improved the prerequisites checker (added missing required PHP extension `ctype`) (thanks @Forceu) - Added validation checks for most `data/config.php` settings to prevent using invalid ones (thanks @Forceu) +- When using reverse proxy authentication (`ReverseProxyAuthMiddleware`), _additionally_ a valid key can now also be used for authentication (if you want don't want to protect the API endpoints via your reverse proxy, however) - Fixed that some number inputs were broken when the new decimal places setting were set to `0` - Fixed that browser camera barcode scanning did not work on the product edit page for adding product barcodes - Fixed that the new product option "Never show on stock overview" was unintentionally set by default for new products
diff --git a/middleware/LdapAuthMiddleware.php b/middleware/LdapAuthMiddleware.php
index f1495d5c..019d5040 100644
--- a/middleware/LdapAuthMiddleware.php
+++ b/middleware/LdapAuthMiddleware.php
@@ -16,7 +16,6 @@ class LdapAuthMiddleware extends AuthMiddleware // First try to authenticate by API key $auth = new ApiKeyAuthMiddleware($this->AppContainer, $this->ResponseFactory); $user = $auth->authenticate($request); - if ($user !== null) { return $user;
diff --git a/middleware/ReverseProxyAuthMiddleware.php b/middleware/ReverseProxyAuthMiddleware.php
index 190da80c..2135fe4e 100644
--- a/middleware/ReverseProxyAuthMiddleware.php
+++ b/middleware/ReverseProxyAuthMiddleware.php
@@ -10,25 +10,30 @@ class ReverseProxyAuthMiddleware extends AuthMiddleware { public function authenticate(Request $request) { + $db = DatabaseService::getInstance()->GetDbConnection(); + if (!defined('GROCY_SHOW_AUTH_VIEWS')) { define('GROCY_SHOW_AUTH_VIEWS', false); } - $db = DatabaseService::getInstance()->GetDbConnection(); + // API key authentication is also ok + $auth = new ApiKeyAuthMiddleware($this->AppContainer, $this->ResponseFactory); + $user = $auth->authenticate($request); + if ($user !== null) + { + return $user; + } $username = $request->getHeader(GROCY_REVERSE_PROXY_AUTH_HEADER); - if (count($username) !== 1) { // Invalid configuration of Proxy throw new \Exception('ReverseProxyAuthMiddleware: Invalid username from proxy: ' . var_dump($username)); } - $username = $username[0]; $user = $db->users()->where('username', $username)->fetch(); - if ($user == null) { $user = UsersService::getInstance()->CreateUser($username, '', '', '');
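Review bot: The API-key branch added at the top of `authenticate()` is only needed when API routes are reachable without passing the proxy's login, and on such routes the unchanged header path below still accepts `GROCY_REVERSE_PROXY_AUTH_HEADER` from any request and creates unknown usernames through `CreateUser`. Whether the proxy overwrites that header on those routes cannot be seen from this hunk, so the requirement should be stated next to the new block, for example `// The proxy must strip or overwrite GROCY_REVERSE_PROXY_AUTH_HEADER on every route it forwards, including API routes it leaves unauthenticated`. In the context lines, `var_dump($username)` prints the header value to the output and returns nothing, so the exception message ends after the colon; `var_export($username, true)` would put the value into the message instead. The body of `authenticate()` continues past the end of the hunk.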