From e7cb1d970bd10e1691edfb3e1f3ddbd14a48b19b Mon Sep 17 00:00:00 2001
From: Daniel-I-Am
Date: Sat, 29 Aug 2020 14:00:47 +0200
Subject: [PATCH] Add middleware for Bearer authorization
---
app/Http/Middleware/ApiAuthorization.php | 38 ++++++++++++++++++++++++
config/chaosapi.php | 2 ++
2 files changed, 40 insertions(+)
create mode 100644 app/Http/Middleware/ApiAuthorization.php
diff --git a/app/Http/Middleware/ApiAuthorization.php b/app/Http/Middleware/ApiAuthorization.php
new file mode 100644
index 0000000..8665de5
--- /dev/null
+++ b/app/Http/Middleware/ApiAuthorization.php
@@ -0,0 +1,38 @@
+header('Authorization');
+
+ // Check if header present or header malformed
+ if ($authHeader === null) return abort(403);
+ if (!str_starts_with($authHeader, 'Bearer ')) return abort(400);
+
+ $authToken = substr($authHeader, 7);
+ $dbAuthToken = AuthToken::where('token', $authToken)->first();
+
+ // Check token in DB
+ if ($dbAuthToken === null) return abort(401);
+
+ // Valid request
+ return $next($request);
+ }
+}
diff --git a/config/chaosapi.php b/config/chaosapi.php
index c396419..63c188a 100644
--- a/config/chaosapi.php
+++ b/config/chaosapi.php
@@ -1,5 +1,7 @@ env('APP_DEBUG', false),
+ 'cachetime' => 60
 ];
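Review bot: The lookup `AuthToken::where('token', $authToken)->first()` matches the raw bearer value against the `token` column, which suggests tokens are stored in cleartext, so anyone who can read that table (a backup, a database dump, a read-only query path) obtains working credentials. Consider storing only a digest and querying by it, e.g. `$dbAuthToken = AuthToken::where('token', hash('sha256', $authToken))->first();`, with whatever issues tokens writing the same digest. An empty value after `Bearer ` also reaches the query, so a guard such as `if ($authToken === '') return abort(401);` before the lookup is worth adding. A missing header is answered with 403 while an unknown token gets 401; 401 for both is the usual answer to absent or invalid credentials. The top of the file (class declaration and the start of `handle`) is not visible in the hunk as shown on this page, so this is based on the visible lines only.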