feat(laravel): policy, auth and gate

Author: soyuka

src/Laravel/ApiPlatformProvider.php

@@ -56,10 +56,12 @@
 use ApiPlatform\Laravel\Eloquent\State\LinksHandlerInterface;
 use ApiPlatform\Laravel\Eloquent\State\PersistProcessor;
 use ApiPlatform\Laravel\Eloquent\State\RemoveProcessor;
-use ApiPlatform\Laravel\Exception\Handler;
+use ApiPlatform\Laravel\Exception\ErrorHandler;
 use ApiPlatform\Laravel\Routing\IriConverter;
 use ApiPlatform\Laravel\Routing\Router as UrlGeneratorRouter;
 use ApiPlatform\Laravel\Routing\SkolemIriConverter;
+use ApiPlatform\Laravel\Security\ResourceAccessChecker;
+use ApiPlatform\Laravel\State\AccessCheckerProvider;
 use ApiPlatform\Laravel\State\SwaggerUiProcessor;
 use ApiPlatform\Laravel\State\ValidateProvider;
 use ApiPlatform\Metadata\Exception\NotExposedHttpException;
@@ -91,6 +93,7 @@
 use ApiPlatform\Metadata\Resource\Factory\ResourceMetadataCollectionFactoryInterface;
 use ApiPlatform\Metadata\Resource\Factory\ResourceNameCollectionFactoryInterface;
 use ApiPlatform\Metadata\Resource\Factory\UriTemplateResourceMetadataCollectionFactory;
+use ApiPlatform\Metadata\ResourceAccessCheckerInterface;
 use ApiPlatform\Metadata\ResourceClassResolver;
 use ApiPlatform\Metadata\ResourceClassResolverInterface;
 use ApiPlatform\Metadata\UrlGeneratorInterface;
@@ -262,7 +265,7 @@ public function register(): void
                                                         null,
                                                         $app->make(LoggerInterface::class),
                                                         [
-                                                            'routePrefix' => $config->get('api-platform.prefix') ?? '/',
+                                                            'routePrefix' => $config->get('api-platform.routes.prefix') ?? '/',
                                                         ],
                                                         false
                                                     )
@@ -324,8 +327,12 @@ public function register(): void
             return new DeserializeProvider($app->make(JsonApiProvider::class), $app->make(SerializerInterface::class), $app->make(SerializerContextBuilderInterface::class));
         });
 
+        $this->app->singleton(AccessCheckerProvider::class, function (Application $app) {
+            return new AccessCheckerProvider($app->make(DeserializeProvider::class), $app->make(ResourceAccessCheckerInterface::class));
+        });
+
         $this->app->singleton(ContentNegotiationProvider::class, function (Application $app) use ($config) {
-            return new ContentNegotiationProvider($app->make(DeserializeProvider::class), new Negotiator(), $config->get('api-platform.formats'), $config->get('api-platform.error_formats'));
+            return new ContentNegotiationProvider($app->make(AccessCheckerProvider::class), new Negotiator(), $config->get('api-platform.formats'), $config->get('api-platform.error_formats'));
         });
 
         $this->app->bind(ProviderInterface::class, ContentNegotiationProvider::class);
@@ -443,6 +450,10 @@ public function register(): void
             return new HydraEntrypointNormalizer($app->make(ResourceMetadataCollectionFactoryInterface::class), $app->make(IriConverterInterface::class), $app->make(UrlGeneratorInterface::class));
         });
 
+        $this->app->singleton(ResourceAccessCheckerInterface::class, function () {
+            return new ResourceAccessChecker();
+        });
+
         $this->app->singleton(ItemNormalizer::class, function (Application $app) use ($defaultContext) {
             return new ItemNormalizer(
                 $app->make(PropertyNameCollectionFactoryInterface::class),
@@ -454,8 +465,7 @@ public function register(): void
                 $app->make(ClassMetadataFactoryInterface::class),
                 $app->make(LoggerInterface::class),
                 $app->make(ResourceMetadataCollectionFactoryInterface::class),
-                /* $resourceAccessChecker */
-                null,
+                $app->make(ResourceAccessCheckerInterface::class),
                 $defaultContext
             );
         });
@@ -481,8 +491,7 @@ public function register(): void
                 $app->make(ClassMetadataFactoryInterface::class),
                 $app->make(LoggerInterface::class),
                 $app->make(ResourceMetadataCollectionFactoryInterface::class),
-                // $app->make(ResourceAccessCheckerInterface::class),
-                null,
+                $app->make(ResourceAccessCheckerInterface::class),
                 $defaultContext
             );
         });
@@ -628,9 +637,8 @@ public function register(): void
                 $app->make(ClassMetadataFactoryInterface::class),
                 $defaultContext,
                 $app->make(ResourceMetadataCollectionFactoryInterface::class),
-                null,
+                $app->make(ResourceAccessCheckerInterface::class),
                 null
-                // $app->make(ResourceAccessCheckerInterface::class),
                 // $app->make(TagCollectorInterface::class),
             );
         });
@@ -690,15 +698,14 @@ public function register(): void
                 $app->make(NameConverterInterface::class),
                 $app->make(ClassMetadataFactoryInterface::class),
                 $defaultContext,
-                // $app->make(ResourceAccessCheckerInterface::class),
-                null
+                $app->make(ResourceAccessCheckerInterface::class)
             );
         });
 
         $this->app->singleton(
             ExceptionHandlerInterface::class,
             function (Application $app) {
-                return new Handler(
+                return new ErrorHandler(
                     $app,
                     $app->make(ResourceMetadataCollectionFactoryInterface::class),
                     $app->make(ApiPlatformController::class),
@@ -736,25 +743,28 @@ public function boot(ResourceNameCollectionFactoryInterface $resourceNameCollect
             return;
         }
 
+        $config = $this->app['config'];
         $routeCollection = new RouteCollection();
         foreach ($resourceNameCollectionFactory->create() as $resourceClass) {
             foreach ($resourceMetadataFactory->create($resourceClass) as $resourceMetadata) {
                 foreach ($resourceMetadata->getOperations() as $operation) {
                     $uriTemplate = $operation->getUriTemplate();
                     // _format is read by the middleware
                     $uriTemplate = $operation->getRoutePrefix().str_replace('{._format}', '{_format?}', $uriTemplate);
-                    $route = new Route([$operation->getMethod()], $uriTemplate, [ApiPlatformController::class, '__invoke']);
-                    $route->name($operation->getName());
-                    $route->setDefaults(['_api_operation_name' => $operation->getName(), '_api_resource_class' => $operation->getClass()]);
-                    // Another option then to use a middleware, not sure what's best (you then retrieve $request->getRoute() somehow ?)
-                    // $route->??? = ['operation' => $operation];
-                    $routeCollection->add($route)
-                        ->middleware(ApiPlatformMiddleware::class.':'.$operation->getName());
+                    $route = (new Route([$operation->getMethod()], $uriTemplate, [ApiPlatformController::class, '__invoke']))
+                            ->name($operation->getName())
+                            ->setDefaults(['_api_operation_name' => $operation->getName(), '_api_resource_class' => $operation->getClass()]);
+
+                    $route->middleware(ApiPlatformMiddleware::class.':'.$operation->getName());
+                    $route->middleware($config->get('api-platform.routes.middleware'));
+                    $route->middleware($operation->getMiddleware());
+
+                    $routeCollection->add($route);
                 }
             }
         }
 
-        $prefix = $this->app['config']->get('api-platform.prefix') ?? '';
+        $prefix = $config->get('api-platform.routes.prefix') ?? '';
         $route = new Route(['GET'], $prefix.'/contexts/{shortName?}{_format?}', [ContextAction::class, '__invoke']);
         $route->name('api_jsonld_context')->middleware(ApiPlatformMiddleware::class);
         $routeCollection->add($route);
@@ -784,10 +794,6 @@ public function boot(ResourceNameCollectionFactoryInterface $resourceNameCollect
 
     private function shouldRegisterRoutes(): bool
     {
-        if (!$this->app['config']->get('api-platform.register_routes')) {
-            return false;
-        }
-
         if ($this->app instanceof CachesRoutes && $this->app->routesAreCached()) {
             return false;
         }

src/Laravel/Exception/Handler.php renamed to src/Laravel/Exception/ErrorHandler.php

@@ -23,14 +23,16 @@
 use ApiPlatform\Metadata\ResourceClassResolverInterface;
 use ApiPlatform\Metadata\Util\ContentNegotiationTrait;
 use ApiPlatform\State\Util\OperationRequestInitiatorTrait;
+use Illuminate\Auth\Access\AuthorizationException;
+use Illuminate\Auth\AuthenticationException;
 use Illuminate\Contracts\Container\Container;
 use Illuminate\Foundation\Exceptions\Handler as ExceptionsHandler;
 use Illuminate\Http\Request;
 use Negotiation\Negotiator;
 use Symfony\Component\HttpFoundation\Exception\RequestExceptionInterface;
 use Symfony\Component\HttpKernel\Exception\HttpExceptionInterface as SymfonyHttpExceptionInterface;
 
-class Handler extends ExceptionsHandler
+class ErrorHandler extends ExceptionsHandler
 {
     use ContentNegotiationTrait;
     use OperationRequestInitiatorTrait;
@@ -154,6 +156,18 @@ private function getStatusCode(?HttpOperation $apiOperation, ?HttpOperation $err
             }
         }
 
+        if ($exception instanceof AuthenticationException) {
+            return 401;
+        }
+
+        if ($exception instanceof AuthorizationException) {
+            return 403;
+        }
+
+        if ($exception instanceof SymfonyHttpExceptionInterface) {
+            return $exception->getStatusCode();
+        }
+
         if ($exception instanceof SymfonyHttpExceptionInterface) {
             return $exception->getStatusCode();
         }

src/Laravel/Security/ResourceAccessChecker.php

@@ -0,0 +1,25 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\Laravel\Security;
+
+use ApiPlatform\Metadata\ResourceAccessCheckerInterface;
+use Illuminate\Support\Facades\Gate;
+
+class ResourceAccessChecker implements ResourceAccessCheckerInterface
+{
+    public function isGranted(string $resourceClass, string $expression, array $extraVariables = []): bool
+    {
+        return Gate::allows($expression, $extraVariables['object']);
+    }
+}

src/Laravel/State/AccessCheckerProvider.php

@@ -0,0 +1,62 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\Laravel\State;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\Metadata\ResourceAccessCheckerInterface;
+use ApiPlatform\State\ProviderInterface;
+use Illuminate\Auth\Access\AuthorizationException;
+
+/**
+ * Allows access based on the ApiPlatform\Symfony\Security\ResourceAccessCheckerInterface.
+ * This implementation covers GraphQl and HTTP.
+ *
+ * @see ResourceAccessCheckerInterface
+ *
+ * @implements ProviderInterface<object>
+ */
+final class AccessCheckerProvider implements ProviderInterface
+{
+    /**
+     * @param ProviderInterface<object> $decorated
+     */
+    public function __construct(private readonly ProviderInterface $decorated, private readonly ResourceAccessCheckerInterface $resourceAccessChecker)
+    {
+    }
+
+    public function provide(Operation $operation, array $uriVariables = [], array $context = []): object|array|null
+    {
+        $policy = $operation->getPolicy();
+        $message = $operation->getSecurityMessage();
+
+        $body = $this->decorated->provide($operation, $uriVariables, $context);
+        if (null === $policy) {
+            return $body;
+        }
+
+        $request = $context['request'] ?? null;
+
+        $resourceAccessCheckerContext = [
+            'object' => $body,
+            'request' => $request,
+            'operation' => $operation,
+        ];
+
+        if (!$this->resourceAccessChecker->isGranted($operation->getClass(), $policy, $resourceAccessCheckerContext)) {
+            throw new AuthorizationException($message ?? 'Access Denied.');
+        }
+
+        return $body;
+    }
+}

src/Laravel/Tests/AuthTest.php

@@ -0,0 +1,50 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\Laravel\Tests;
+
+use ApiPlatform\Laravel\Test\ApiTestAssertionsTrait;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Orchestra\Testbench\Concerns\WithWorkbench;
+use Orchestra\Testbench\TestCase;
+
+class AuthTest extends TestCase
+{
+    use ApiTestAssertionsTrait;
+    use RefreshDatabase;
+    use WithWorkbench;
+
+    public function testGetCollection(): void
+    {
+        $response = $this->get('/api/vaults', ['accept' => ['application/ld+json']]);
+        $this->assertArraySubset(['detail' => 'Unauthenticated.'], $response->json());
+        $response->assertHeader('content-type', 'application/problem+json; charset=utf-8');
+        $response->assertStatus(401);
+    }
+
+    public function testAuthenticated(): void
+    {
+        $response = $this->post('/tokens/create');
+        $token = $response->json()['token'];
+        $response = $this->get('/api/vaults', ['accept' => ['application/ld+json'], 'authorization' => 'Bearer '.$token]);
+        $response->assertStatus(200);
+    }
+
+    public function testAuthenticatedPolicy(): void
+    {
+        $response = $this->post('/tokens/create');
+        $token = $response->json()['token'];
+        $response = $this->post('/api/vaults', [], ['content-type' => ['application/ld+json'], 'authorization' => 'Bearer '.$token]);
+        $response->assertStatus(403);
+    }
+}

src/Laravel/composer.json

@@ -37,6 +37,7 @@
         "illuminate/routing": "^11.0",
         "illuminate/support": "^11.0",
         "illuminate/container": "^11.0",
+        "laravel/sanctum": "^4.0",
         "symfony/web-link": "^6.4 || ^7.1",
         "willdurand/negotiation": "^3.1",
         "phpstan/phpdoc-parser": "^1.29"
@@ -82,6 +83,20 @@
     },
     "scripts": {
         "build": "@php vendor/bin/testbench workbench:build --ansi",
-        "test": "@php vendor/bin/testbench package:test"
+        "test": "@php vendor/bin/testbench package:test",
+        "post-autoload-dump": [
+            "@clear",
+            "@prepare"
+        ],
+        "clear": "@php vendor/bin/testbench package:purge-skeleton --ansi",
+        "prepare": "@php vendor/bin/testbench package:discover --ansi",
+        "serve": [
+            "Composer\\Config::disableProcessTimeout",
+            "@build",
+            "@php vendor/bin/testbench serve --ansi"
+        ],
+        "lint": [
+            "@php vendor/bin/phpstan analyse --verbose --ansi"
+        ]
     }
-}
+}

src/Laravel/config/api-platform.php

@@ -16,11 +16,10 @@
     'description' => 'My awesome API',
     'version' => '1.0.0',
 
-    /*
-     *  Automatic registration of routes will only happen if this setting is `true`
-     */
-    'register_routes' => true,
-    'prefix' => '/api',
+    'routes' => [
+        'prefix' => '/api',
+        'middleware' => [],
+    ],
 
     /*
      * Where are ApiResource defined

src/Laravel/testbench.yaml

@@ -1,8 +1,10 @@
 providers:
     - ApiPlatform\Laravel\ApiPlatformProvider
+    - Laravel\Sanctum\SanctumServiceProvider
     - Workbench\App\Providers\WorkbenchServiceProvider
 
 migrations:
+    - vendor/laravel/sanctum/database/migrations
     - workbench/database/migrations
 
 seeders: