Fix scopeOfKey when compatibility mode is on and keys are prefixed with ID

isaac-souza · isaac-souza · commit 22a752d3f345 · 2023-11-16T14:53:56.000-03:00
diff --git a/src/Models/ApiKey.php b/src/Models/ApiKey.php
@@ -105,17 +105,46 @@ public function scopeOfKey(Builder $query, string $key): Builder
 
         if ($compatibilityMode) {
             return $query->where(function (Builder $query) use ($key) {
-                return $query->where('key', $key)
-                    ->orWhere('key', hash('sha256', $key));
+                if ($this->isMissingId($key)) {
+                    return $query->where('key', $key)
+                        ->orWhere('key', hash('sha256', $key));
+                }
+
+                $id = $this->extractId($key);
+                $key = $this->extractKey($key);
+
+                return $query
+                    ->where(function (Builder $query) use ($key, $id) {
+                        return $query->where('key', $key)
+                            ->where('id', $id);
+                    })
+                    ->orWhere(function (Builder $query) use ($key, $id) {
+                        return $query->where('key', hash('sha256', $key))
+                            ->where('id', $id);
+                    });
             });
         }
 
-        if (strpos($key, '|') === false) {
+        if ($this->isMissingId($key)) {
             return $query->where('key', hash('sha256', $key));
         }
 
-        [$id, $key] = explode('|', $key, 2);
+        return $query->where('id', $this->extractId($key))
+            ->where('key', hash('sha256', $this->extractKey($key)));
+    }
+
+    private function isMissingId(string $key): bool
+    {
+        return strpos($key, '|') === false;
+    }
 
-        return $query->where('id', $id)->where('key', hash('sha256', $key));
+    private function extractId(string $key): string
+    {
+        return explode('|', $key, 2)[0];
+    }
+
+    private function extractKey(string $key): string
+    {
+        return explode('|', $key, 2)[1];
     }
 }
diff --git a/tests/Feature/CompatibilityMode.php b/tests/Feature/CompatibilityMode.php
@@ -71,14 +71,24 @@ public function accepts_both_hashed_and_non_hashed_api_keys_when_compatibility_m
             'key' => $apiKey2->fresh()->key,
         ]);
 
-        // Assert the non hashed api keys works
+        // Assert that non hashed api keys works
         $this->withHeaders([
-            'Authorization' => 'Bearer ' . $plainTextApiKey1,
+            'Authorization' => "Bearer {$plainTextApiKey1}",
         ])->get("/api/posts/{$post->id}")->assertOk();
 
-        // Assert the hashed api keys works
+        // Assert that non hashed api keys with ID prefix works
         $this->withHeaders([
-            'Authorization' => 'Bearer ' . $plainTextApiKey2,
+            'Authorization' => "Bearer {$apiKey1->id}|{$plainTextApiKey1}",
+        ])->get("/api/posts/{$post->id}")->assertOk();
+
+        // Assert that hashed api keys works
+        $this->withHeaders([
+            'Authorization' => "Bearer {$plainTextApiKey2}",
+        ])->get("/api/posts/{$post->id}")->assertOk();
+
+        // Assert that hashed api keys with ID prefix works
+        $this->withHeaders([
+            'Authorization' => "Bearer {$apiKey2->id}|{$plainTextApiKey2}",
         ])->get("/api/posts/{$post->id}")->assertOk();
     }
 }
