WIP: Road to 1.0.0 #1

Draft
miguel456 wants to merge 123 commits from develop into master
23 changed files with 497 additions and 209 deletions
Showing only changes of commit ddd79d38fe - Show all commits

View File

@ -103,11 +103,13 @@ class JSON
public function build($headers = []) public function build($headers = [])
{ {
// Uses the same structure as model resources, for consistency when they aren't used.
$response = [ $response = [
'data' => $this->getData(),
'meta' => [
'status' => $this->getStatus(), 'status' => $this->getStatus(),
'message' => $this->getMessage(), 'message' => $this->getMessage(),
'type' => $this->getType(), ],
'response' => $this->getData()
]; ];
return response($response, $this->getCode(), $headers); return response($response, $this->getCode(), $headers);

View File

@ -11,30 +11,14 @@ use Illuminate\Support\Facades\Hash;
class ApiKeyController extends Controller class ApiKeyController extends Controller
{ {
/**
* Display a listing of the resource.
*
*/
public function index() public function index()
{ {
return view('dashboard.user.api.index') $this->authorize('viewAny', ApiKey::class);
->with('keys', Auth::user()->keys);
}
public function adminKeys()
{
if (Auth::user()->hasRole('admin'))
{
return view('dashboard.administration.keys') return view('dashboard.administration.keys')
->with('keys', ApiKey::all()); ->with('keys', ApiKey::all());
} }
else
{
return redirect()
->back()
->with('error', 'You do not have permission to access this page.');
}
}
/** /**
* Store a newly created resource in storage. * Store a newly created resource in storage.
@ -43,6 +27,8 @@ class ApiKeyController extends Controller
*/ */
public function store(CreateApiKeyRequest $request) public function store(CreateApiKeyRequest $request)
{ {
$this->authorize('create', ApiKey::class);
$discriminator = "#" . bin2hex(openssl_random_pseudo_bytes(7)); $discriminator = "#" . bin2hex(openssl_random_pseudo_bytes(7));
$secret = bin2hex(openssl_random_pseudo_bytes(32)); $secret = bin2hex(openssl_random_pseudo_bytes(32));
@ -71,8 +57,8 @@ class ApiKeyController extends Controller
public function revokeKey(Request $request, ApiKey $key) public function revokeKey(Request $request, ApiKey $key)
{ {
if (Auth::user()->is($key->user) || Auth::user()->hasRole('admin')) $this->authorize('update', $key);
{
if ($key->status == 'active') if ($key->status == 'active')
{ {
$key->status = 'disabled'; $key->status = 'disabled';
@ -88,11 +74,7 @@ class ApiKeyController extends Controller
return redirect() return redirect()
->back() ->back()
->with('success', 'Key revoked. Apps using this key will stop working.'); ->with('success', 'Key revoked. Apps using this key will stop working.');
}
return redirect()
->back()
->with('error', 'You do not have permission to modify this key.');
} }
/** /**
@ -101,18 +83,13 @@ class ApiKeyController extends Controller
public function destroy($id) public function destroy($id)
{ {
$key = ApiKey::findOrFail($id); $key = ApiKey::findOrFail($id);
$this->authorize('delete', $key);
if (Auth::user()->is($key->user) || Auth::user()->hasRole('admin'))
{
$key->delete(); $key->delete();
return redirect() return redirect()
->back() ->back()
->with('success', 'Key deleted successfully. Apps using this key will stop working.'); ->with('success', 'Key deleted successfully. Apps using this key will stop working.');
}
return redirect()
->back()
->with('error', 'You do not have permission to modify this key.');
} }
} }

View File

@ -23,6 +23,7 @@ namespace App\Http\Controllers;
use App\Application; use App\Application;
use App\Events\ApplicationDeniedEvent; use App\Events\ApplicationDeniedEvent;
use App\Http\Resources\ApplicationResource;
use App\Notifications\ApplicationMoved; use App\Notifications\ApplicationMoved;
use App\Notifications\NewApplicant; use App\Notifications\NewApplicant;
use App\Response; use App\Response;
@ -55,6 +56,8 @@ class ApplicationController extends Controller
} }
public function showUserApp(Request $request, Application $application) public function showUserApp(Request $request, Application $application)
{
if (!$request->wantsJson())
{ {
$this->authorize('view', $application); $this->authorize('view', $application);
@ -77,7 +80,17 @@ class ApplicationController extends Controller
return redirect()->back(); return redirect()->back();
} }
public function showAllApps() return (new ApplicationResource($application))->additional([
'meta' => [
'code' => 200,
'status' => 'success'
]
]);
}
public function showAllApps(Request $request)
{
if (!$request->wantsJson())
{ {
$this->authorize('viewAny', Application::class); $this->authorize('viewAny', Application::class);
@ -86,9 +99,16 @@ class ApplicationController extends Controller
} }
// todo: eager load all relationships used
return ApplicationResource::collection(Application::paginate(6))->additional([
'code' => '200',
'status' => 'success',
]);
}
public function renderApplicationForm(Request $request, $vacancySlug) public function renderApplicationForm(Request $request, $vacancySlug)
{ {
// FIXME: Get rid of references to first(), this is a wonky query
$vacancyWithForm = Vacancy::with('forms')->where('vacancySlug', $vacancySlug)->get(); $vacancyWithForm = Vacancy::with('forms')->where('vacancySlug', $vacancySlug)->get();
$firstVacancy = $vacancyWithForm->first(); $firstVacancy = $vacancyWithForm->first();
@ -96,10 +116,8 @@ class ApplicationController extends Controller
if (! $vacancyWithForm->isEmpty() && $firstVacancy->vacancyCount !== 0 && $firstVacancy->vacancyStatus == 'OPEN') { if (! $vacancyWithForm->isEmpty() && $firstVacancy->vacancyCount !== 0 && $firstVacancy->vacancyStatus == 'OPEN') {
return view('dashboard.application-rendering.apply') return view('dashboard.application-rendering.apply')
->with([ ->with([
'vacancy' => $vacancyWithForm->first(), 'vacancy' => $vacancyWithForm->first(),
'preprocessedForm' => json_decode($vacancyWithForm->first()->forms->formStructure, true), 'preprocessedForm' => json_decode($vacancyWithForm->first()->forms->formStructure, true),
]); ]);
} else { } else {
abort(404, 'The application you\'re looking for could not be found or it is currently unavailable.'); abort(404, 'The application you\'re looking for could not be found or it is currently unavailable.');

View File

@ -21,6 +21,7 @@
namespace App\Http; namespace App\Http;
use App\Http\Middleware\APIAuthenticationMiddleware;
use Illuminate\Foundation\Http\Kernel as HttpKernel; use Illuminate\Foundation\Http\Kernel as HttpKernel;
class Kernel extends HttpKernel class Kernel extends HttpKernel
@ -60,6 +61,7 @@ class Kernel extends HttpKernel
'api' => [ 'api' => [
'throttle:60,1', 'throttle:60,1',
\Illuminate\Routing\Middleware\SubstituteBindings::class, \Illuminate\Routing\Middleware\SubstituteBindings::class,
APIAuthenticationMiddleware::class
], ],
]; ];

View File

@ -0,0 +1,61 @@
<?php
namespace App\Http\Middleware;
use App\ApiKey;
use App\Facades\JSON;
use Carbon\Carbon;
use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Log;
use Illuminate\Support\Str;
class APIAuthenticationMiddleware
{
/**
* Handle an incoming request.
*
* @param \Illuminate\Http\Request $request
* @param \Closure $next
* @return mixed
*/
public function handle(Request $request, Closure $next)
{
$key = $request->bearerToken();
if (!is_null($key))
{
// we have a valid discriminator
$discriminator = Str::before($key, '.');
$loneKey = Str::after($key, '.');
$keyRecord = ApiKey::where('discriminator', $discriminator)->first();
if ($keyRecord && Hash::check($loneKey, $keyRecord->secret) && $keyRecord->status == 'active')
{
Log::alert('API Authentication Success', [
'discriminator' => $discriminator
]);
$keyRecord->last_used = Carbon::now();
$keyRecord->save();
return $next($request);
}
return JSON::setResponseType('error')
->setStatus('authfail')
->setMessage('Invalid / Revoked API key.')
->setCode(401)
->build();
}
return JSON::setResponseType('error')
->setStatus('malformed_key')
->setMessage('Missing or malformed API key.')
->setCode(400)
->build();
}
}

View File

@ -0,0 +1,28 @@
<?php
namespace App\Http\Resources;
use App\Response;
use App\User;
use Illuminate\Http\Resources\Json\JsonResource;
class ApplicationResource extends JsonResource
{
/**
* Transform the resource into an array.
*
* @param \Illuminate\Http\Request $request
* @return array
*/
public function toArray($request)
{
return [
'id' => $this->id,
'applicationStatus' => $this->applicationStatus,
'applicant' => new UserResource(User::findOrFail($this->applicantUserID)),
'response' => new ResponseResource(Response::findOrFail($this->applicantFormResponseID)),
'created_at' => $this->created_at,
'updated_at' => $this->updated_at
];
}
}

View File

@ -0,0 +1,19 @@
<?php
namespace App\Http\Resources;
use Illuminate\Http\Resources\Json\JsonResource;
class AppointmentResource extends JsonResource
{
/**
* Transform the resource into an array.
*
* @param \Illuminate\Http\Request $request
* @return array
*/
public function toArray($request)
{
return parent::toArray($request);
}
}

View File

@ -0,0 +1,19 @@
<?php
namespace App\Http\Resources;
use Illuminate\Http\Resources\Json\JsonResource;
class BanResource extends JsonResource
{
/**
* Transform the resource into an array.
*
* @param \Illuminate\Http\Request $request
* @return array
*/
public function toArray($request)
{
return parent::toArray($request);
}
}

View File

@ -0,0 +1,26 @@
<?php
namespace App\Http\Resources;
use Illuminate\Http\Resources\Json\JsonResource;
class FormResource extends JsonResource
{
/**
* Transform the resource into an array.
*
* @param \Illuminate\Http\Request $request
* @return array
*/
public function toArray($request)
{
return [
'id' => $this->id,
'formName' => $this->formName,
'formStructure' => json_decode($this->formStructure),
'formStatus' => $this->formStatus,
'created_at' => $this->created_at,
'updated_at' => $this->updated_at
];
}
}

View File

@ -0,0 +1,19 @@
<?php
namespace App\Http\Resources;
use Illuminate\Http\Resources\Json\JsonResource;
class OptionResource extends JsonResource
{
/**
* Transform the resource into an array.
*
* @param \Illuminate\Http\Request $request
* @return array
*/
public function toArray($request)
{
return parent::toArray($request);
}
}

View File

@ -0,0 +1,19 @@
<?php
namespace App\Http\Resources;
use Illuminate\Http\Resources\Json\JsonResource;
class ProfileResource extends JsonResource
{
/**
* Transform the resource into an array.
*
* @param \Illuminate\Http\Request $request
* @return array
*/
public function toArray($request)
{
return parent::toArray($request);
}
}

View File

@ -0,0 +1,28 @@
<?php
namespace App\Http\Resources;
use App\Form;
use App\Vacancy;
use Illuminate\Http\Resources\Json\JsonResource;
class ResponseResource extends JsonResource
{
/**
* Transform the resource into an array.
*
* @param \Illuminate\Http\Request $request
* @return array
*/
public function toArray($request)
{
return [
'id' => $this->id,
'form' => new FormResource(Form::findOrFail($this->responseFormID)),
'responseData' => json_decode($this->responseData),
'vacancy' => new VacancyResource(Vacancy::findOrFail($this->associatedVacancyID)),
'created_at' => $this->created_at,
'updated_at' => $this->updated_at
];
}
}

View File

@ -0,0 +1,19 @@
<?php
namespace App\Http\Resources;
use Illuminate\Http\Resources\Json\JsonResource;
class TeamFileResource extends JsonResource
{
/**
* Transform the resource into an array.
*
* @param \Illuminate\Http\Request $request
* @return array
*/
public function toArray($request)
{
return parent::toArray($request);
}
}

View File

@ -0,0 +1,19 @@
<?php
namespace App\Http\Resources;
use Illuminate\Http\Resources\Json\JsonResource;
class TeamResource extends JsonResource
{
/**
* Transform the resource into an array.
*
* @param \Illuminate\Http\Request $request
* @return array
*/
public function toArray($request)
{
return parent::toArray($request);
}
}

View File

@ -0,0 +1,28 @@
<?php
namespace App\Http\Resources;
use Illuminate\Http\Resources\Json\JsonResource;
class UserResource extends JsonResource
{
/**
* Transform the resource into an array.
*
* @param \Illuminate\Http\Request $request
* @return array
*/
public function toArray($request)
{
return [
'id' => $this->id,
'uuid' => $this->uuid,
'name' => $this->name,
'email' => $this->email,
'username' => $this->username,
'created_at' => $this->created_at,
'updated_at' => $this->updated_at,
'current_team_id' => $this->current_team_id
];
}
}

View File

@ -0,0 +1,19 @@
<?php
namespace App\Http\Resources;
use Illuminate\Http\Resources\Json\JsonResource;
class VacancyResource extends JsonResource
{
/**
* Transform the resource into an array.
*
* @param \Illuminate\Http\Request $request
* @return array
*/
public function toArray($request)
{
return parent::toArray($request);
}
}

View File

@ -0,0 +1,72 @@
<?php
namespace App\Policies;
use App\ApiKey;
use App\User;
use Illuminate\Auth\Access\HandlesAuthorization;
class ApiKeyPolicy
{
use HandlesAuthorization;
/**
* Determine whether the user can view any models.
*
* @param \App\User $user
* @return mixed
*/
public function viewAny(User $user)
{
if ($user->hasRole('admin'))
return true;
return false;
}
/**
* Determine whether the user can create models.
*
* @param \App\User $user
* @return mixed
*/
public function create(User $user)
{
if ($user->hasRole('admin'))
return true;
return false;
}
/**
* Determine whether the user can update the model.
*
* @param \App\User $user
* @param \App\ApiKey $apiKey
* @return mixed
*/
public function update(User $user, ApiKey $apiKey)
{
if ($user->hasRole('admin'))
return true;
return false;
}
/**
* Determine whether the user can delete the model.
*
* @param \App\User $user
* @param \App\ApiKey $apiKey
* @return mixed
*/
public function delete(User $user, ApiKey $apiKey)
{
if ($user->hasRole('admin'))
return true;
return false;
}
}

View File

@ -21,10 +21,12 @@
namespace App\Providers; namespace App\Providers;
use App\ApiKey;
use App\Application; use App\Application;
use App\Appointment; use App\Appointment;
use App\Ban; use App\Ban;
use App\Form; use App\Form;
use App\Policies\ApiKeyPolicy;
use App\Policies\ApplicationPolicy; use App\Policies\ApplicationPolicy;
use App\Policies\AppointmentPolicy; use App\Policies\AppointmentPolicy;
use App\Policies\BanPolicy; use App\Policies\BanPolicy;
@ -61,7 +63,8 @@ class AuthServiceProvider extends ServiceProvider
Ban::class => BanPolicy::class, Ban::class => BanPolicy::class,
Appointment::class => AppointmentPolicy::class, Appointment::class => AppointmentPolicy::class,
Team::class => TeamPolicy::class, Team::class => TeamPolicy::class,
TeamFile::class, TeamFilePolicy::class TeamFile::class => TeamFilePolicy::class,
ApiKey::class => ApiKeyPolicy::class
]; ];
/** /**

View File

@ -268,11 +268,6 @@ return [
'icon' => 'fas fa-user-circle', 'icon' => 'fas fa-user-circle',
'url' => '/profile/settings/account', 'url' => '/profile/settings/account',
], ],
[
'text' => 'Programmatic Access',
'icon' => 'fas fa-wrench',
'route' => 'keys.index'
],
[ [
'header' => 'h_app_management', 'header' => 'h_app_management',
'can' => ['applications.view.all', 'applications.vote'], 'can' => ['applications.view.all', 'applications.vote'],
@ -374,7 +369,7 @@ return [
'text' => 'API Keys', 'text' => 'API Keys',
'icon' => 'fas fa-user-shield', 'icon' => 'fas fa-user-shield',
'can' => 'admin.settings.view', 'can' => 'admin.settings.view',
'route' => 'adminKeys' 'route' => 'keys.index'
] ]
], ],
], ],

View File

@ -16,6 +16,24 @@
@section('content') @section('content')
<x-modal id="createKeyModal" modal-label="createKeyModalLabel" modal-title="New API Key" include-close-button="true">
<form id="createKey" method="post" action="{{ route('keys.store') }}">
@csrf
<div class="form-group">
<label for="name">Give your new API key a name to easily identify it.</label>
<input type="text" name="keyName" class="form-control" id="name" required>
</div>
</form>
<x-slot name="modalFooter">
<button onclick="$('#createKey').submit()" type="button" class="btn btn-success"><i class="fas fa-key"></i> Register new key</button>
</x-slot>
</x-modal>
<div class="row"> <div class="row">
<div class="col"> <div class="col">
<div class="alert alert-primary"> <div class="alert alert-primary">
@ -24,6 +42,17 @@
</div> </div>
</div> </div>
@if (session()->has('finalKey'))
<div class="row">
<div class="col">
<div class="alert alert-success">
<p><i class="fas fa-key"></i> This is your API key: {{ session('finalKey') }}</p>
<p>Please copy it <b>now</b> as it'll only appear once.</p>
</div>
</div>
</div>
@endif
<div class="row"> <div class="row">
<div class="col"> <div class="col">
@ -68,6 +97,12 @@
@else @else
<button disabled type="button" class="btn btn-danger btn-sm ml-2"><i class="fas fa-lock"></i> Revoke</button> <button disabled type="button" class="btn btn-danger btn-sm ml-2"><i class="fas fa-lock"></i> Revoke</button>
@endif @endif
<form class="d-inline-block" action="{{ route('keys.destroy', ['key' => $key->id]) }}" method="post">
@csrf
@method('DELETE')
<button type="submit" class="btn btn-danger btn-sm ml-2"><i class="fas fa-trash"></i> Delete</button>
</form>
</td> </td>
</tr> </tr>
@endforeach @endforeach
@ -82,8 +117,8 @@
<x-slot name="cardFooter"> <x-slot name="cardFooter">
<button onclick="window.location.href='{{ route('keys.index') }}'" type="button" class="btn btn-success ml-2"><i class="fas fa-key"></i> Your Keys</button> <button onclick="$('#createKeyModal').modal('show')" type="button" class="btn btn-secondary ml-2"><i class="fas fa-plus"></i> New API Key</button>
<button type="button" onclick="window.location.href='/admin/maintenance/system-logs'" class="btn btn-secondary"><i class="fas fa-clipboard"></i> Search Logs</button> <button type="button" onclick="window.location.href='/admin/maintenance/system-logs'" class="btn btn-secondary ml-2"><i class="fas fa-clipboard"></i> Search Logs</button>
</x-slot> </x-slot>
</x-card> </x-card>

View File

@ -1,118 +0,0 @@
@extends('adminlte::page')
@section('title', config('app.name') . ' | ' . __('API Key Management'))
@section('content_header')
<h4>Profile / Settings / API Keys</h4>
@stop
@section('js')
<x-global-errors></x-global-errors>
@stop
@section('content')
<x-modal id="createKeyModal" modal-label="createKeyModalLabel" modal-title="New API Key" include-close-button="true">
<form id="createKey" method="post" action="{{ route('keys.store') }}">
@csrf
<div class="form-group">
<label for="name">Give your new API key a name to easily identify it.</label>
<input type="text" name="keyName" class="form-control" id="name" required>
</div>
</form>
<x-slot name="modalFooter">
<button onclick="$('#createKey').submit()" type="button" class="btn btn-success"><i class="fas fa-key"></i> Register new key</button>
</x-slot>
</x-modal>
<div class="row">
<div class="col">
<div class="alert alert-warning">
<p><i class="fas fa-exclamation-triangle"></i> <b>Friendly reminder: </b> API keys can access your whole account and the resources it has access to. Please treat them like a password. If they are leaked, please revoke them.</p>
</div>
</div>
</div>
@if (session()->has('finalKey'))
<div class="row">
<div class="col">
<div class="alert alert-success">
<p><i class="fas fa-key"></i> This is your API key: {{ session('finalKey') }}</p>
<p>Please copy it <b>now</b> as it'll only appear once.</p>
</div>
</div>
</div>
@endif
<div class="row">
<div class="col">
<x-card id="keyListing" card-title="Manage API Keys" footer-style="text-center">
<x-slot name="cardHeader"></x-slot>
@if(!$keys->isEmpty())
<table class="table table-borderless">
<thead>
<tr>
<th>Key name</th>
<th>Status</th>
<th>Last Used</th>
<th>Last Modified</th>
<th>Actions</th>
</tr>
</thead>
<tbody>
@foreach($keys as $key)
<tr>
<td>{{ $key->name }}</td>
<td><span class="badge badge-{{ ($key->status == 'disabled') ? 'danger' : 'primary' }}">{{ ($key->status == 'disabled') ? 'Revoked' : 'Active' }}</span></td>
<td><span class="badge badge-{{ ($key->last_used == null) ? 'danger' : 'primary' }}">{{ ($key->last_used == null) ? 'No recent activity' : $key->last_used }}</span></td>
<td><span class="badge badge-primary">{{ $key->updated_at }}</span></td>
<td>
@if ($key->status == 'active')
<form class="d-inline-block" action="{{ route('revokeKey', ['key' => $key->id]) }}" method="post">
@csrf
@method('PATCH')
<button type="submit" class="btn btn-danger btn-sm ml-2"><i class="fas fa-lock"></i> Revoke</button>
</form>
@endif
<form class="d-inline-block" action="{{ route('keys.destroy', ['key' => $key->id]) }}" method="post">
@csrf
@method('DELETE')
<button type="submit" class="btn btn-danger btn-sm ml-2"><i class="fas fa-trash"></i> Delete</button>
</form>
</td>
</tr>
@endforeach
</tbody>
</table>
@else
<div class="alert alert-success">
<p><i class="fa fa-info-circle"></i> You don't have any API keys yet.</p>
</div>
@endif
<x-slot name="cardFooter">
<button onclick="$('#createKeyModal').modal('show')" type="button" class="btn btn-secondary"><i class="fas fa-plus"></i> New API Key</button>
</x-slot>
</x-card>
</div>
</div>
@stop
@section('footer')
@include('breadcrumbs.dashboard.footer')
@stop

View File

@ -33,6 +33,9 @@ use Illuminate\Support\Facades\Route;
| |
*/ */
Route::middleware('auth:api')->get('/user', function (Request $request) { Route::middleware(['api'])->group(function (){
return $request->user();
Route::get('applications', [\App\Http\Controllers\ApplicationController::class, 'showAllApps']);
Route::get('applications/view/{application}', [\App\Http\Controllers\ApplicationController::class, 'showUserApp']);
}); });

View File

@ -164,13 +164,6 @@ Route::group(['prefix' => LaravelLocalization::setLocale(), 'middleware' => ['lo
->name('showProfileSettings') ->name('showProfileSettings')
->middleware('passwordredirect'); ->middleware('passwordredirect');
Route::resource('keys', ApiKeyController::class)
->middleware('passwordredirect');
Route::patch('keys/revoke/{key}', [ApiKeyController::class, 'revokeKey'])
->name('revokeKey')
->middleware('passwordredirect');
Route::patch('/settings/save', [ProfileController::class, 'saveProfile']) Route::patch('/settings/save', [ProfileController::class, 'saveProfile'])
->name('saveProfileSettings') ->name('saveProfileSettings')
->middleware('passwordredirect'); ->middleware('passwordredirect');
@ -229,8 +222,10 @@ Route::group(['prefix' => LaravelLocalization::setLocale(), 'middleware' => ['lo
Route::get('settings', [OptionsController::class, 'index']) Route::get('settings', [OptionsController::class, 'index'])
->name('showSettings'); ->name('showSettings');
Route::get('keys', [ApiKeyController::class, 'adminKeys']) Route::resource('keys', ApiKeyController::class);
->name('adminKeys');
Route::patch('keys/revoke/{key}', [ApiKeyController::class, 'revokeKey'])
->name('revokeKey');
Route::post('settings/save', [OptionsController::class, 'saveSettings']) Route::post('settings/save', [OptionsController::class, 'saveSettings'])
->name('saveSettings'); ->name('saveSettings');