Refactor to a 400 response instead of throwing an exception

isaac-souza · isaac-souza · commit 2d5a3f482231 · 2024-10-11T16:51:06.000-03:00
If we were to throw an exception it would likely get reported to Sentry
diff --git a/src/Exceptions/ForbidenRequestParamException.php b/src/Exceptions/ForbidenRequestParamException.php
diff --git a/src/Http/Middleware/AuthenticateApiKey.php b/src/Http/Middleware/AuthenticateApiKey.php
@@ -3,9 +3,7 @@
 namespace Givebutter\LaravelKeyable\Http\Middleware;
 
 use Closure;
-use Givebutter\LaravelKeyable\Exceptions\ForbidenRequestParamException;
 use Givebutter\LaravelKeyable\Models\ApiKey;
-use Illuminate\Http\Request;
 
 class AuthenticateApiKey
 {
@@ -20,7 +18,22 @@ class AuthenticateApiKey
      */
     public function handle($request, Closure $next, $guard = null)
     {
-        $this->checkForbidenRequestParams($request);
+        $forbidenRequestParams = ['apiKey', 'keyable'];
+        
+        // Check if request has forbidden params
+        foreach ($forbidenRequestParams as $param) {
+            if ($request->missing($param)) {
+                continue;
+            }
+
+            $message = "Request param '{$param}' is not allowed.";
+
+            if ($request->wantsJson()) {
+                return response()->json(['message' => $message], 400);
+            }
+
+            return response($message, 400);
+        }
 
         //Get API token from request
         $token = $this->getKeyFromRequest($request);
@@ -90,17 +103,4 @@ protected function unauthorizedResponse()
             ],
         ], 401);
     }
-
-    private function checkForbidenRequestParams(Request $request): void
-    {
-        $forbidenParams = ['apiKey', 'keyable'];
-
-        foreach ($forbidenParams as $forbidenParam) {
-            if ($request->missing($forbidenParam)) {
-                continue;
-            }
-
-            throw new ForbidenRequestParamException("Request param '{$forbidenParam}' is not allowed.");
-        }
-    }
 }
diff --git a/tests/Feature/AuthenticateApiKey.php b/tests/Feature/AuthenticateApiKey.php
@@ -93,7 +93,9 @@ public function throw_exception_if_unauthorized_get_request_has_forbidden_reques
             return response('All good', 200);
         })->middleware(['api', 'auth.apikey']);
 
-        $this->get("/api/posts?{$queryParam}=value")->assertInternalServerError();
+        $this->get("/api/posts?{$queryParam}=value")
+            ->assertBadRequest()
+            ->assertContent("Request param '{$queryParam}' is not allowed.");
     }
 
     /**
@@ -106,7 +108,39 @@ public function throw_exception_if_unauthorized_post_request_has_forbidden_reque
             return response('All good', 200);
         })->middleware(['api', 'auth.apikey']);
 
-        $this->post('/api/posts', [$bodyParam => 'value'])->assertInternalServerError();
+        $this->post('/api/posts', [$bodyParam => 'value'])
+            ->assertBadRequest()
+            ->assertContent("Request param '{$bodyParam}' is not allowed.");
+    }
+
+    /**
+     * @test
+     * @dataProvider forbiddenRequestParams
+     */
+    public function throw_exception_if_unauthorized_json_get_request_has_forbidden_request_query_params(string $queryParam): void
+    {
+        Route::get('/api/posts', function () {
+            return response('All good', 200);
+        })->middleware(['api', 'auth.apikey']);
+
+        $this->getJson("/api/posts?{$queryParam}=value")
+            ->assertBadRequest()
+            ->assertJson(['message' => "Request param '{$queryParam}' is not allowed."]);
+    }
+
+    /**
+     * @test
+     * @dataProvider forbiddenRequestParams
+     */
+    public function throw_exception_if_unauthorized_json_post_request_has_forbidden_request_body_params(string $bodyParam): void
+    {
+        Route::post('/api/posts', function () {
+            return response('All good', 200);
+        })->middleware(['api', 'auth.apikey']);
+
+        $this->postJson('/api/posts', [$bodyParam => 'value'])
+            ->assertBadRequest()
+            ->assertJson(['message' => "Request param '{$bodyParam}' is not allowed."]);
     }
 
     public function forbiddenRequestParams(): array
