Throw exception if request has parameters that are not allowed
1 parent 41075c2 commit d022c7f

3 files changed

+60
-0
lines changed

Lines changed: 8 additions & 0 deletions
@@ -0,0 +1,8 @@
1+
<?php
2+
3+
namespace Givebutter\LaravelKeyable\Exceptions;
4+
5+
class ForbidenRequestParamException extends \Exception
6+
{
7+
//
8+
}
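Review bot: The class name at `class ForbidenRequestParamException extends \Exception` misspells "Forbidden", and the same spelling is imported by the middleware and the test file in this commit, so renaming it after release would break anyone who catches it; `class ForbiddenRequestParamException extends \Exception` now is the cheap fix. The class body is an empty `//` and carries no docblock; a one-line description such as `Thrown by AuthenticateApiKey when a request carries a reserved parameter name.` tells a catcher what condition it represents. Because it extends `\Exception` directly rather than an HTTP exception, the framework will report it as a server error, which the tests in this commit confirm.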

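--- a/src/Http/Middleware/AuthenticateApiKey.php
+++ b/src/Http/Middleware/AuthenticateApiKey.php
@@ -3,7 +3,9 @@
 namespace Givebutter\LaravelKeyable\Http\Middleware;
 
 use Closure;
+use Givebutter\LaravelKeyable\Exceptions\ForbidenRequestParamException;
 use Givebutter\LaravelKeyable\Models\ApiKey;
+use Illuminate\Http\Request;
 
 class AuthenticateApiKey
 {
@@ -18,6 +20,8 @@ class AuthenticateApiKey
      */
     public function handle($request, Closure $next, $guard = null)
     {
+        $this->checkForbidenRequestParams($request);
+
         //Get API token from request
         $token = $this->getKeyFromRequest($request);
 
@@ -86,4 +90,17 @@ protected function unauthorizedResponse()
             ],
         ], 401);
     }
+
+    private function checkForbidenRequestParams(Request $request): void
+    {
+        $forbidenParams = ['apiKey', 'keyable'];
+
+        foreach ($forbidenParams as $forbidenParam) {
+            if ($request->missing($forbidenParam)) {
+                continue;
+            }
+
+            throw new ForbidenRequestParamException("Request param '{$forbidenParam}' is not allowed.");
+        }
+    }
 }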
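Review bot: The `throw new ForbidenRequestParamException(...)` in `checkForbidenRequestParams` turns a client mistake into an HTTP 500: Laravel's exception handler renders a plain `\Exception` subclass as a server error (and, with debug enabled, a stack-trace page), so a caller sending `apiKey=` in the query string is told the server failed rather than that the parameter is rejected. Having the exception extend `Symfony\Component\HttpKernel\Exception\BadRequestHttpException`, or giving it a `render()` method that returns a 400/422 JSON body in the same shape as `unauthorizedResponse()`, keeps the rejection while reporting it as a client error. The method also needs a docblock stating why these two names are reserved; the hunk does not show it, but presumably the middleware later sets `apiKey`/`keyable` on the request and client input must not be able to pre-populate them, so confirm and record that: `Reject client input that uses the names this middleware reserves for request attributes.` The check runs before the token is read, so it is reachable by unauthenticated callers, which is fine for a cheap input check but worth stating in the same comment. `handle()` continues outside the hunk.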

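--- a/tests/Feature/AuthenticateApiKey.php
+++ b/tests/Feature/AuthenticateApiKey.php
@@ -2,6 +2,7 @@
 
 namespace Givebutter\Tests\Feature;
 
+use Givebutter\LaravelKeyable\Exceptions\ForbidenRequestParamException;
 use Givebutter\Tests\TestCase;
 use Givebutter\Tests\Support\Account;
 use Illuminate\Support\Facades\Route;
@@ -81,4 +82,38 @@ public function request_without_api_key_responds_unauthorized()
 
         $this->get("/api/posts")->assertUnauthorized();
     }
+
+    /**
+     * @test
+     * @dataProvider forbiddenRequestParams
+     */
+    public function throw_exception_if_unauthorized_get_request_has_forbidden_request_query_params(string $queryParam): void
+    {
+        Route::get('/api/posts', function () {
+            return response('All good', 200);
+        })->middleware(['api', 'auth.apikey']);
+
+        $this->get("/api/posts?{$queryParam}=value")->assertInternalServerError();
+    }
+
+    /**
+     * @test
+     * @dataProvider forbiddenRequestParams
+     */
+    public function throw_exception_if_unauthorized_post_request_has_forbidden_request_body_params(string $bodyParam): void
+    {
+        Route::post('/api/posts', function () {
+            return response('All good', 200);
+        })->middleware(['api', 'auth.apikey']);
+
+        $this->post('/api/posts', [$bodyParam => 'value'])->assertInternalServerError();
+    }
+
+    public function forbiddenRequestParams(): array
+    {
+        return [
+            ['keyable'],
+            ['apiKey'],
+        ];
+    }
 }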
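Review bot: The `use Givebutter\LaravelKeyable\Exceptions\ForbidenRequestParamException;` line added in the first hunk is never referenced by the new tests, which assert only `assertInternalServerError()`; that pins the exception's current rendering as a 500 rather than the behaviour the commit title describes, and will break as soon as the exception is rendered as a 4xx. Asserting the exception itself — `$this->withoutExceptionHandling();` before the request and `$this->expectException(ForbidenRequestParamException::class);` — uses the import and tests the contract instead of the handler's default. The `forbiddenRequestParams` provider could also name its datasets (`'keyable' => ['keyable']`) so a failing case is identifiable in the output.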
