Merge pull request #17 from givebutter/fix/prefixed-key-with-compatibility-mode-on

jhoff · web-flow · commit 002c132c6aa2 · 2023-11-16T11:49:40.000-07:00
diff --git a/composer.json b/composer.json
@@ -21,8 +21,7 @@
     "minimum-stability": "dev",
     "prefer-stable": true,
     "require": {
-        "php": "^7.0|^8.0",
-        "doctrine/dbal": "^3.7"
+        "php": "^7.0|^8.0"
     },
     "autoload": {
         "psr-4": {
diff --git a/src/Models/ApiKey.php b/src/Models/ApiKey.php
@@ -105,17 +105,32 @@ public function scopeOfKey(Builder $query, string $key): Builder
 
         if ($compatibilityMode) {
             return $query->where(function (Builder $query) use ($key) {
-                return $query->where('key', $key)
-                    ->orWhere('key', hash('sha256', $key));
+                if (! str_contains($key, '|')) {
+                    return $query->where('key', $key)
+                        ->orWhere('key', hash('sha256', $key));
+                }
+
+                [$id, $key] = explode('|', $key, 2);
+
+                return $query
+                    ->where(function (Builder $query) use ($key, $id) {
+                        return $query->where('key', $key)
+                            ->where('id', $id);
+                    })
+                    ->orWhere(function (Builder $query) use ($key, $id) {
+                        return $query->where('key', hash('sha256', $key))
+                            ->where('id', $id);
+                    });
             });
         }
 
-        if (strpos($key, '|') === false) {
+        if (! str_contains($key, '|')) {
             return $query->where('key', hash('sha256', $key));
         }
 
         [$id, $key] = explode('|', $key, 2);
 
-        return $query->where('id', $id)->where('key', hash('sha256', $key));
+        return $query->where('id', $id)
+            ->where('key', hash('sha256', $key));
     }
 }
diff --git a/tests/Feature/CompatibilityMode.php b/tests/Feature/CompatibilityMode.php
@@ -71,14 +71,24 @@ public function accepts_both_hashed_and_non_hashed_api_keys_when_compatibility_m
             'key' => $apiKey2->fresh()->key,
         ]);
 
-        // Assert the non hashed api keys works
+        // Assert that non hashed api keys works
         $this->withHeaders([
-            'Authorization' => 'Bearer ' . $plainTextApiKey1,
+            'Authorization' => "Bearer {$plainTextApiKey1}",
         ])->get("/api/posts/{$post->id}")->assertOk();
 
-        // Assert the hashed api keys works
+        // Assert that non hashed api keys with ID prefix works
         $this->withHeaders([
-            'Authorization' => 'Bearer ' . $plainTextApiKey2,
+            'Authorization' => "Bearer {$apiKey1->id}|{$plainTextApiKey1}",
+        ])->get("/api/posts/{$post->id}")->assertOk();
+
+        // Assert that hashed api keys works
+        $this->withHeaders([
+            'Authorization' => "Bearer {$plainTextApiKey2}",
+        ])->get("/api/posts/{$post->id}")->assertOk();
+
+        // Assert that hashed api keys with ID prefix works
+        $this->withHeaders([
+            'Authorization' => "Bearer {$apiKey2->id}|{$plainTextApiKey2}",
         ])->get("/api/posts/{$post->id}")->assertOk();
     }
 }
