Added dbAuth middleware

Author: mevdschee

api.php

@@ -5075,7 +5075,9 @@ private function getAuthorizationCredentials(ServerRequestInterface $request): s
     public function process(ServerRequestInterface $request, RequestHandlerInterface $next): ResponseInterface
     {
         if (session_status() == PHP_SESSION_NONE) {
-            session_start();
+            if (!headers_sent()) {
+                session_start();
+            }
         }
         $credentials = $this->getAuthorizationCredentials($request);
         if ($credentials) {
@@ -5199,6 +5201,73 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
     }
 }
 
+// file: src/Tqdev/PhpCrudApi/Middleware/DbAuthMiddleware.php
+
+class DbAuthMiddleware extends Middleware
+{
+    private $reflection;
+    private $db;
+
+    public function __construct(Router $router, Responder $responder, array $properties, ReflectionService $reflection, GenericDB $db)
+    {
+        parent::__construct($router, $responder, $properties);
+        $this->reflection = $reflection;
+        $this->db = $db;
+    }
+
+    public function process(ServerRequestInterface $request, RequestHandlerInterface $next): ResponseInterface
+    {
+        if (session_status() == PHP_SESSION_NONE) {
+            if (!headers_sent()) {
+                session_start();
+            }
+        }
+        $path = RequestUtils::getPathSegment($request, 1);
+        $method = $request->getMethod();
+        if ($method == 'POST' && $path == 'login') {
+            $body = $request->getParsedBody();
+            $username = isset($body->username) ? $body->username : '';
+            $password = isset($body->password) ? $body->password : '';
+            $tableName = $this->getProperty('usersTable', 'users');
+            $table = $this->reflection->getTable($tableName);
+            $usernameColumnName = $this->getProperty('usernameColumn', 'username');
+            $usernameColumn = $table->getColumn($usernameColumnName);
+            $passwordColumnName = $this->getProperty('passwordColumn', 'password');
+            $passwordColumn = $table->getColumn($passwordColumnName);
+            $condition = new ColumnCondition($usernameColumn, 'eq', $username);
+            $columnNames = $table->getColumnNames();
+            $users = $this->db->selectAll($table, $columnNames, $condition, [], 0, -1);
+            foreach ($users as $user) {
+                if (password_verify($password, $user[$passwordColumnName]) == 1) {
+                    if (!headers_sent()) {
+                        session_regenerate_id(true);
+                    }
+                    unset($user[$passwordColumnName]);
+                    $_SESSION['user'] = $user;
+                    return $this->responder->success($user);
+                }
+            }
+            return $this->responder->error(ErrorCode::AUTHENTICATION_FAILED, $username);
+        }
+        if ($method == 'POST' && $path == 'logout') {
+            if (isset($_SESSION['user'])) {
+                $user = $_SESSION['user'];
+                unset($_SESSION['user']);
+                session_destroy();
+                return $this->responder->success($user);
+            }
+            return $this->responder->error(ErrorCode::AUTHENTICATION_REQUIRED, '');
+        }
+        if (!isset($_SESSION['user']) || !$_SESSION['user']) {
+            $authenticationMode = $this->getProperty('mode', 'required');
+            if ($authenticationMode == 'required') {
+                return $this->responder->error(ErrorCode::AUTHENTICATION_REQUIRED, '');
+            }
+        }
+        return $next->handle($request);
+    }
+}
+
 // file: src/Tqdev/PhpCrudApi/Middleware/FirewallMiddleware.php
 
 class FirewallMiddleware extends Middleware
@@ -5468,7 +5537,9 @@ private function getAuthorizationToken(ServerRequestInterface $request): string
     public function process(ServerRequestInterface $request, RequestHandlerInterface $next): ResponseInterface
     {
         if (session_status() == PHP_SESSION_NONE) {
-            session_start();
+            if (!headers_sent()) {
+                session_start();
+            }
         }
         $token = $this->getAuthorizationToken($request);
         if ($token) {
@@ -7289,6 +7360,9 @@ public function __construct(Config $config)
                 case 'jwtAuth':
                     new JwtAuthMiddleware($router, $responder, $properties);
                     break;
+                case 'dbAuth':
+                    new DbAuthMiddleware($router, $responder, $properties, $reflection, $db);
+                    break;
                 case 'validation':
                     new ValidationMiddleware($router, $responder, $properties, $reflection);
                     break;

src/Tqdev/PhpCrudApi/Api.php

@@ -19,6 +19,7 @@
 use Tqdev\PhpCrudApi\Middleware\BasicAuthMiddleware;
 use Tqdev\PhpCrudApi\Middleware\CorsMiddleware;
 use Tqdev\PhpCrudApi\Middleware\CustomizationMiddleware;
+use Tqdev\PhpCrudApi\Middleware\DbAuthMiddleware;
 use Tqdev\PhpCrudApi\Middleware\FirewallMiddleware;
 use Tqdev\PhpCrudApi\Middleware\IpAddressMiddleware;
 use Tqdev\PhpCrudApi\Middleware\JoinLimitsMiddleware;
@@ -68,6 +69,9 @@ public function __construct(Config $config)
                 case 'jwtAuth':
                     new JwtAuthMiddleware($router, $responder, $properties);
                     break;
+                case 'dbAuth':
+                    new DbAuthMiddleware($router, $responder, $properties, $reflection, $db);
+                    break;
                 case 'validation':
                     new ValidationMiddleware($router, $responder, $properties, $reflection);
                     break;

src/Tqdev/PhpCrudApi/Middleware/BasicAuthMiddleware.php

@@ -79,7 +79,9 @@ private function getAuthorizationCredentials(ServerRequestInterface $request): s
     public function process(ServerRequestInterface $request, RequestHandlerInterface $next): ResponseInterface
     {
         if (session_status() == PHP_SESSION_NONE) {
-            session_start();
+            if (!headers_sent()) {
+                session_start();
+            }
         }
         $credentials = $this->getAuthorizationCredentials($request);
         if ($credentials) {

src/Tqdev/PhpCrudApi/Middleware/JwtAuthMiddleware.php

@@ -125,7 +125,9 @@ private function getAuthorizationToken(ServerRequestInterface $request): string
     public function process(ServerRequestInterface $request, RequestHandlerInterface $next): ResponseInterface
     {
         if (session_status() == PHP_SESSION_NONE) {
-            session_start();
+            if (!headers_sent()) {
+                session_start();
+            }
         }
         $token = $this->getAuthorizationToken($request);
         if ($token) {

tests/config/base.php

@@ -4,14 +4,15 @@
     'username' => 'php-crud-api',
     'password' => 'php-crud-api',
     'controllers' => 'records,columns,cache,openapi,geojson',
-    'middlewares' => 'cors,jwtAuth,basicAuth,authorization,validation,ipAddress,sanitation,multiTenancy,pageLimits,joinLimits,customization',
+    'middlewares' => 'cors,dbAuth,jwtAuth,basicAuth,authorization,validation,ipAddress,sanitation,multiTenancy,pageLimits,joinLimits,customization',
+    'dbAuth.mode' => 'optional',
     'jwtAuth.mode' => 'optional',
     'jwtAuth.time' => '1538207605',
     'jwtAuth.secret' => 'axpIrCGNGqxzx2R9dtXLIPUSqPo778uhb8CA0F4Hx',
     'basicAuth.mode' => 'optional',
     'basicAuth.passwordFile' => __DIR__ . DIRECTORY_SEPARATOR . '.htpasswd',
     'authorization.tableHandler' => function ($operation, $tableName) {
-        return !($tableName == 'invisibles' && !isset($_SESSION['claims']['name']) && empty($_SESSION['username']));
+        return !($tableName == 'invisibles' && !isset($_SESSION['claims']['name']) && empty($_SESSION['username']) && empty($_SESSION['user']));
     },
     'authorization.columnHandler' => function ($operation, $tableName, $columnName) {
         return !($columnName == 'invisible');

tests/fixtures/blog_mysql.sql

@@ -94,7 +94,7 @@ CREATE TABLE `users` (
 
 INSERT INTO `users` (`username`, `password`, `location`) VALUES
 ('user1',	'pass1', NULL),
-('user2',	'pass2', NULL);
+('user2',	'$2y$10$cg7/nswxVZ0cmVIsMB/pVOh1OfcHScBJGq7Xu4KF9dFEQgRZ8HWe.', NULL);
 
 DROP TABLE IF EXISTS `countries`;
 CREATE TABLE `countries` (

tests/fixtures/blog_pgsql.sql

@@ -232,7 +232,7 @@ INSERT INTO "tags" ("name", "is_important") VALUES
 
 INSERT INTO "users" ("username", "password", "location") VALUES
 ('user1',	'pass1',	NULL),
-('user2',	'pass2',	NULL);
+('user2',	'$2y$10$cg7/nswxVZ0cmVIsMB/pVOh1OfcHScBJGq7Xu4KF9dFEQgRZ8HWe.',	NULL);
 
 --
 -- Data for Name: countries; Type: TABLE DATA; Schema: public; Owner: postgres

tests/fixtures/blog_sqlsrv.sql

@@ -337,7 +337,7 @@ GO
 
 INSERT [users] ([username], [password], [location]) VALUES (N'user1', N'pass1', NULL)
 GO
-INSERT [users] ([username], [password], [location]) VALUES (N'user2', N'pass2', NULL)
+INSERT [users] ([username], [password], [location]) VALUES (N'user2', N'$2y$10$cg7/nswxVZ0cmVIsMB/pVOh1OfcHScBJGq7Xu4KF9dFEQgRZ8HWe.', NULL)
 GO
 
 INSERT [countries] ([name], [shape]) VALUES (N'Left', N'POLYGON ((30 10, 40 40, 20 40, 10 20, 30 10))')

tests/functional/001_records/082_read_users_as_geojson.log

@@ -1,15 +1,15 @@
-GET /geojson/users/1
+GET /geojson/users/1?exclude=password
 ===
 200
 Content-Type: application/json
-Content-Length: 132
+Content-Length: 109
 
-{"type":"Feature","id":1,"properties":{"username":"user1","password":"testtest2"},"geometry":{"type":"Point","coordinates":[30,20]}}
+{"type":"Feature","id":1,"properties":{"username":"user1"},"geometry":{"type":"Point","coordinates":[30,20]}}
 ===
-GET /geojson/users/2
+GET /geojson/users/2?exclude=password
 ===
 200
 Content-Type: application/json
-Content-Length: 94
+Content-Length: 75
 
-{"type":"Feature","id":2,"properties":{"username":"user2","password":"pass2"},"geometry":null}
+{"type":"Feature","id":2,"properties":{"username":"user2"},"geometry":null}

tests/functional/001_records/083_list_users_as_geojson.log

@@ -1,39 +1,39 @@
-GET /geojson/users
+GET /geojson/users?exclude=password
 ===
 200
 Content-Type: application/json
-Content-Length: 269
+Content-Length: 227
 
-{"type":"FeatureCollection","features":[{"type":"Feature","id":1,"properties":{"username":"user1","password":"testtest2"},"geometry":{"type":"Point","coordinates":[30,20]}},{"type":"Feature","id":2,"properties":{"username":"user2","password":"pass2"},"geometry":null}]}
+{"type":"FeatureCollection","features":[{"type":"Feature","id":1,"properties":{"username":"user1"},"geometry":{"type":"Point","coordinates":[30,20]}},{"type":"Feature","id":2,"properties":{"username":"user2"},"geometry":null}]}
 ===
-GET /geojson/users?geometry=location&include=username
+GET /geojson/users?exclude=password&geometry=location
 ===
 200
 Content-Type: application/json
 Content-Length: 227
 
 {"type":"FeatureCollection","features":[{"type":"Feature","id":1,"properties":{"username":"user1"},"geometry":{"type":"Point","coordinates":[30,20]}},{"type":"Feature","id":2,"properties":{"username":"user2"},"geometry":null}]}
 ===
-GET /geojson/users?geometry=notlocation
+GET /geojson/users?exclude=password&geometry=notlocation
 ===
 200
 Content-Type: application/json
-Content-Length: 277
+Content-Length: 235
 
-{"type":"FeatureCollection","features":[{"type":"Feature","id":1,"properties":{"username":"user1","password":"testtest2","location":"POINT(30 20)"},"geometry":null},{"type":"Feature","id":2,"properties":{"username":"user2","password":"pass2","location":null},"geometry":null}]}
+{"type":"FeatureCollection","features":[{"type":"Feature","id":1,"properties":{"username":"user1","location":"POINT(30 20)"},"geometry":null},{"type":"Feature","id":2,"properties":{"username":"user2","location":null},"geometry":null}]}
 ===
-GET /geojson/users?page=1,1
+GET /geojson/users?exclude=password&page=1,1
 ===
 200
 Content-Type: application/json
-Content-Length: 186
+Content-Length: 163
 
-{"type":"FeatureCollection","features":[{"type":"Feature","id":1,"properties":{"username":"user1","password":"testtest2"},"geometry":{"type":"Point","coordinates":[30,20]}}],"results":2}
+{"type":"FeatureCollection","features":[{"type":"Feature","id":1,"properties":{"username":"user1"},"geometry":{"type":"Point","coordinates":[30,20]}}],"results":2}
 ===
-GET /geojson/users?bbox=29.99,19.99,30.01,20.01
+GET /geojson/users?exclude=password&bbox=29.99,19.99,30.01,20.01
 ===
 200
 Content-Type: application/json
-Content-Length: 174
+Content-Length: 151
 
-{"type":"FeatureCollection","features":[{"type":"Feature","id":1,"properties":{"username":"user1","password":"testtest2"},"geometry":{"type":"Point","coordinates":[30,20]}}]}
+{"type":"FeatureCollection","features":[{"type":"Feature","id":1,"properties":{"username":"user1"},"geometry":{"type":"Point","coordinates":[30,20]}}]}