Refactor Authentication and add proxy-authentication (#921)

* Refactor Authentication-Middlewares

* Add Proxy-Authentication

* Disable "Logout" & "Manage Users" when using ProxyAuth

* Review

Co-authored-by: Bernd Bestel <bernd@berrnd.de>

middleware/ApiKeyAuthMiddleware.php

@@ -2,104 +2,75 @@
 
 namespace Grocy\Middleware;
 
+use Psr\Http\Message\ResponseFactoryInterface;
 use Psr\Http\Message\ServerRequestInterface as Request;
-use Psr\Http\Server\RequestHandlerInterface as RequestHandler;
-use Psr\Http\Message\ResponseInterface as Response;
 use Slim\Routing\RouteContext;
 
-use Grocy\Services\SessionService;
 use Grocy\Services\ApiKeyService;
 
-class ApiKeyAuthMiddleware extends BaseMiddleware
+class ApiKeyAuthMiddleware extends AuthMiddleware
 {
-	public function __construct(\DI\Container $container, string $sessionCookieName, string $apiKeyHeaderName)
-	{
-		parent::__construct($container);
-		$this->SessionCookieName = $sessionCookieName;
-		$this->ApiKeyHeaderName = $apiKeyHeaderName;
-	}
+    public function __construct(\DI\Container $container, ResponseFactoryInterface $responseFactory)
+    {
+        parent::__construct($container, $responseFactory);
+        $this->ApiKeyHeaderName = $this->AppContainer->get('ApiKeyHeaderName');
+    }
 
-	protected $SessionCookieName;
-	protected $ApiKeyHeaderName;
+    protected $ApiKeyHeaderName;
 
-	public function __invoke(Request $request, RequestHandler $handler): Response
-	{
-		$routeContext = RouteContext::fromRequest($request);
-		$route = $routeContext->getRoute();
-		$routeName = $route->getName();
+    function authenticate(Request $request)
+    {
+        if (!defined('GROCY_SHOW_AUTH_VIEWS'))
+        {
+            define('GROCY_SHOW_AUTH_VIEWS', true);
+        }
 
-		if (GROCY_MODE === 'dev' || GROCY_MODE === 'demo' || GROCY_MODE === 'prerelease' || GROCY_IS_EMBEDDED_INSTALL || GROCY_DISABLE_AUTH)
-		{
-			define('GROCY_AUTHENTICATED', true);
-			$response = $handler->handle($request);
-		}
-		else
-		{
-			$validSession = true;
-			$validApiKey = true;
-			$usedApiKey = null;
+        $routeContext = RouteContext::fromRequest($request);
+        $route = $routeContext->getRoute();
+        $routeName = $route->getName();
 
-			$sessionService = SessionService::getInstance();
-			if (!isset($_COOKIE[$this->SessionCookieName]) || !$sessionService->IsValidSession($_COOKIE[$this->SessionCookieName]))
-			{
-				$validSession = false;
-			}
+        $validApiKey = true;
+        $usedApiKey = null;
 
-			$apiKeyService = new ApiKeyService();
+        $apiKeyService = new ApiKeyService();
 
-			// First check of the API key in the configured header
-			if (!$request->hasHeader($this->ApiKeyHeaderName) || !$apiKeyService->IsValidApiKey($request->getHeaderLine($this->ApiKeyHeaderName)))
-			{
-				$validApiKey = false;
-			}
-			else
-			{
-				$usedApiKey = $request->getHeaderLine($this->ApiKeyHeaderName);
-			}
+        // First check of the API key in the configured header
+        if (!$request->hasHeader($this->ApiKeyHeaderName) || !$apiKeyService->IsValidApiKey($request->getHeaderLine($this->ApiKeyHeaderName)))
+        {
+            $validApiKey = false;
+        }
+        else
+        {
+            $usedApiKey = $request->getHeaderLine($this->ApiKeyHeaderName);
+        }
 
-			// Not recommended, but it's also possible to provide the API key via a query parameter (same name as the configured header)
-			if (!$validApiKey && !empty($request->getQueryParam($this->ApiKeyHeaderName)) && $apiKeyService->IsValidApiKey($request->getQueryParam($this->ApiKeyHeaderName)))
-			{
-				$validApiKey = true;
-				$usedApiKey = $request->getQueryParam($this->ApiKeyHeaderName);
-			}
+        // Not recommended, but it's also possible to provide the API key via a query parameter (same name as the configured header)
+        if (!$validApiKey && !empty($request->getQueryParam($this->ApiKeyHeaderName)) && $apiKeyService->IsValidApiKey($request->getQueryParam($this->ApiKeyHeaderName)))
+        {
+            $validApiKey = true;
+            $usedApiKey = $request->getQueryParam($this->ApiKeyHeaderName);
+        }
 
-			// Handling of special purpose API keys
-			if (!$validApiKey)
-			{
-				if ($routeName === 'calendar-ical')
-				{
-					if ($request->getQueryParam('secret') !== null && $apiKeyService->IsValidApiKey($request->getQueryParam('secret'), ApiKeyService::API_KEY_TYPE_SPECIAL_PURPOSE_CALENDAR_ICAL))
-					{
-						$validApiKey = true;
-					}
-				}
-			}
+        // Handling of special purpose API keys
+        if (!$validApiKey)
+        {
+            if ($routeName === 'calendar-ical')
+            {
+                if ($request->getQueryParam('secret') !== null && $apiKeyService->IsValidApiKey($request->getQueryParam('secret'), ApiKeyService::API_KEY_TYPE_SPECIAL_PURPOSE_CALENDAR_ICAL))
+                {
+                    $validApiKey = true;
+                }
+            }
+        }
 
-			if (!$validSession && !$validApiKey)
-			{
-				define('GROCY_AUTHENTICATED', false);
-				$response = new \Slim\Psr7\Response(); // No content when unauthorized
-				$response = $response->withStatus(401);
-			}
-			elseif ($validApiKey)
-			{
-				$user = $apiKeyService->GetUserByApiKey($usedApiKey);
-				define('GROCY_AUTHENTICATED', true);
-				define('GROCY_USER_ID', $user->id);
+        if ($validApiKey)
+        {
+            return $apiKeyService->GetUserByApiKey($usedApiKey);
 
-				$response = $handler->handle($request);
-			}
-			elseif ($validSession)
-			{
-				$user = $sessionService->GetUserBySessionKey($_COOKIE[$this->SessionCookieName]);
-				define('GROCY_AUTHENTICATED', true);
-				define('GROCY_USER_ID', $user->id);
-
-				$response = $handler->handle($request);
-			}
-		}
-
-		return $response;
-	}
+        }
+        else
+        {
+            return null;
+        }
+    }
 }