new: develop api with bearer token

Author: mdabbas-cse

app/Http/Controllers/Api/UserApiController.php

@@ -41,4 +41,18 @@ public function index($request, $response)
     ];
     return $response->json($data);
   }
+
+  public function user($request, $response)
+  {
+    $req = $request->all();
+    $data = [
+      'success' => true,
+      'user' => [
+        'id' => $req->id,
+        'name' => 'John Doe',
+        'email' => ''
+      ]
+    ];
+    return $response->json($data);
+  }
 }

app/Http/Middlewares/AuthApi.php

@@ -0,0 +1,48 @@
+<?php
+
+namespace LaraCore\App\Http\Middlewares;
+
+class AuthApiMiddleware
+{
+  public static function handle($request)
+  {
+    // Get the API token from the request headers
+    $token = $request->getHeader('Authorization');
+
+    // Check if the token is present
+    if (!$token) {
+      self::unauthorizedResponse();
+    }
+
+    // Validate the token (you may want to implement a more secure validation mechanism)
+    $isValidToken = self::validateToken($token);
+
+    if (!$isValidToken) {
+      self::unauthorizedResponse();
+    }
+
+    // The token is valid, continue with the request
+  }
+
+  private static function unauthorizedResponse()
+  {
+    // Handle unauthorized access (e.g., return a 401 Unauthorized response)
+    header('HTTP/1.0 401 Unauthorized');
+    echo 'Unauthorized';
+    exit;
+  }
+
+  private static function validateToken($token)
+  {
+    // Validate the token against your storage (e.g., database)
+    // Return true if the token is valid, false otherwise
+    // Implement this method based on your specific authentication mechanism
+
+    // For demonstration purposes, we'll assume a simple token validation
+    $validTokens = [
+      'eW91ci1hcGktdG9rZW4=',
+    ]; // Store valid tokens securely
+
+    return in_array($token, $validTokens);
+  }
+}

config/Config.php

@@ -34,6 +34,23 @@
   'csrf' => [
     'key' => 'csrf_token'
   ],
+  /**
+   * Set API token
+   * condition: true | false
+   * key: base64_encode('laracore-api-token')
+   * if condition is true then you need to pass api token in header
+   * Authorization: Bearer base64_encode('laracore-api-token')
+   * and set check to true
+   * it's will set api token for all api routes
+   * if you want to set api token for specific route then set check to false
+   * and pass api token in header
+   * and create middleware for that route
+   * and set middleware in route
+   */
+  'api-token' => [
+    'check' => false,
+    'key' => 'bGFyYWNvcmUtYXBpLXRva2Vu'
+  ],
   'remember' => [
     'cookie_name' => 'hash',
     'cookie_expiry' => 604800

framework/Request.php

@@ -15,6 +15,7 @@ public function __construct()
   {
 
 
+
   }
 
   /**
@@ -197,6 +198,34 @@ public function getParam($key)
     return $this->routeParams[$key];
   }
 
+  /**
+   * @method for check http authorization
+   * 
+   * @return bool
+   */
+  public function isHttpAuthorizedOrFail()
+  {
+    return isset($_SERVER['HTTP_AUTHORIZATION']) && !empty($_SERVER['HTTP_AUTHORIZATION']) ? $_SERVER['HTTP_AUTHORIZATION'] : false;
+  }
+
+  /**
+   * @medium for set json header
+   * 
+   * @return void
+   */
+  public function setJsonHeader()
+  {
+    header('Content-Type: application/json');
+  }
+
+  /**
+   * @method  for setUnauthorized 
+   */
+  public function setUnauthorizedHeader()
+  {
+    header('HTTP/1.0 401 Unauthorized');
+  }
+
   /**
    * 
    */

framework/Routers/Router.php

@@ -3,6 +3,7 @@
 namespace LaraCore\Framework\Routers;
 
 use LaraCore\App\Http\Kernel;
+use LaraCore\Framework\Configuration;
 use LaraCore\Framework\Request;
 use LaraCore\Framework\Response;
 
@@ -16,7 +17,7 @@ class Router
   /**
    * @var array
    */
-  protected $middleware = [];
+  protected $middlewares = [];
 
   /**
    * @var array
@@ -80,15 +81,29 @@ public function middleware($middleware)
   /**
    * Method to set middleware group
    * 
-   * @param string $middlewareGroup
+   * @param string $middleware
    */
   public static function middlewareGroup($middleware, callable $callback)
   {
     $request = new Request();
     $middlewareAliases = Kernel::$middlewareAliases;
     $middleware = $middlewareAliases[$middleware];
+
+    /** @var mixed */
+    $previousMiddleware = self::$middlewares;
+    self::$middlewares = [];
+
     call_user_func($callback);
     self::runMiddleware($request, $middleware);
+
+    // Assign the current middleware to the routes in the group
+    // $groupMiddleware = self::$middlewares;
+    // self::$middlewares = $previousMiddleware;
+
+    // foreach (self::$routes as &$route) {
+    //   $route['middleware'] = array_merge($route['middleware'], $groupMiddleware);
+    // }
+
   }
 
   /**
@@ -180,9 +195,9 @@ private static function executeRoute($request, $response, $route)
   {
     $callback = $route['action'];
 
-    // set api header
+    // set api header of api route
     if ($route['isApi']) {
-      self::setApiHeader();
+      self::setApiHeaderWithAuth($request, $response);
     }
 
     if (is_array($callback)) {
@@ -281,22 +296,54 @@ public static function setApiPrefix($prefix)
    * 
    * @return void
    */
-  public static function setApiHeader()
+  public static function setApiHeaderWithAuth($request, $response)
   {
+    // Enable CORS (Cross-Origin Resource Sharing)
     header('Access-Control-Allow-Origin: *');
     header('Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS');
     header('Access-Control-Allow-Headers: Content-Type, Authorization, X-Requested-With');
-    header('Content-Type: application/json');
-  }
 
-  /**
-   * set api header, cors, content type with auth token
-   * 
-   * @return void
-   */
-  public static function setApiHeaderWithAuth()
-  {
+    // Set content type to JSON
+    $request->setJsonHeader();
+
+    $config = Configuration::get('api-token');
+    if (!$config['check']) {
+      return;
+    }
 
+    // Check for Authorization header (Bearer token)
+    $authHeader = $request->isHttpAuthorizedOrFail();
+
+    if (!$authHeader) {
+      // No Authorization header provided
+      $request->setUnauthorizedHeader();
+      $response->jsonResponse(
+        ['error' => 'No Authorization header provided'],
+        401
+      );
+    }
+    // Validate and extract the Bearer token
+    list($bearer, $token) = explode(' ', $authHeader);
+    if (empty($token) || strtolower($bearer) !== 'bearer') {
+      // Invalid or missing Bearer token
+      $request->setUnauthorizedHeader();
+      $response->jsonResponse(
+        ['error' => 'Invalid or missing Bearer token'],
+        401
+      );
+    }
+    // For demonstration, assume a hardcoded valid token
+    $yourValidAuthToken = $config['key']; // api_token
+
+    if ($token !== $yourValidAuthToken) {
+      // Invalid token
+      $request->setUnauthorizedHeader();
+      // echo json_encode(['error'=> VarDumper::dumpAsString($token))
+      $response->jsonResponse(
+        ['error' => 'Invalid token'],
+        401
+      );
+    }
   }
 
   /**

routes/api.php

@@ -5,4 +5,8 @@
 
 // Router::setApiPrefix('api');
 
-Router::get('/user', [UserApiController::class, 'index']);
+// Router::middlewareGroup('authApi', function () {
+//   Router::get('/user', [UserApiController::class, 'index']);
+// });
+Router::get('/user', [UserApiController::class, 'index']);
+Router::get('/user/{id}', [UserApiController::class, 'user']);