Re-add api token auth
This commit is contained in:
Matej Bačo
parent
9a0d9cee15
commit
448b0a5607
|
|
@ -1,5 +1,7 @@
|
|||
<?php
|
||||
|
||||
use Ahc\Jwt\JWT;
|
||||
use Ahc\Jwt\JWTException;
|
||||
use Appwrite\Auth\Auth;
|
||||
use Appwrite\Auth\MFA\Type\TOTP;
|
||||
use Appwrite\Event\Audit;
|
||||
|
|
@ -249,6 +251,40 @@ App::init()
|
|||
}
|
||||
}
|
||||
|
||||
// API Token authentication (like API Key but JWT short-term)
|
||||
$apiToken = $request->getHeader('x-appwrite-token', '');
|
||||
if (!empty($apiToken) && $user->isEmpty() && empty($authKey)) {
|
||||
$jwtObj = new JWT(App::getEnv('_APP_OPENSSL_KEY_V1'), 'HS256', 900, 10);
|
||||
|
||||
try {
|
||||
$payload = $jwtObj->decode($apiToken);
|
||||
} catch (JWTException $error) {
|
||||
// Ignore if token is invalid
|
||||
}
|
||||
|
||||
if (!empty($payload)) {
|
||||
$projectId = $payload['projectId'] ?? '';
|
||||
$tokenScopes = $payload['scopes'] ?? [];
|
||||
|
||||
// JWT includes project ID for better security
|
||||
if ($projectId === $project->getId()) {
|
||||
$user = new Document([
|
||||
'$id' => '',
|
||||
'status' => true,
|
||||
'email' => 'app.' . $project->getId() . '@service.' . $request->getHostname(),
|
||||
'password' => '',
|
||||
'name' => $project->getAttribute('name', 'Untitled'),
|
||||
]);
|
||||
|
||||
$role = Auth::USER_ROLE_APPS;
|
||||
$scopes = \array_merge($roles[$role]['scopes'], $tokenScopes);
|
||||
|
||||
Authorization::setRole(Auth::USER_ROLE_APPS);
|
||||
Authorization::setDefaultStatus(false); // Cancel security segmentation for API keys.
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Authorization::setRole($role);
|
||||
|
||||
foreach (Auth::getRoles($user) as $authRole) {
|
||||
|
|
|
|||
Loading…
Reference in a new issue