Added own APIToken authenticator, so we can wrap the used API token inside the symfony security token

2025-07-07 17:04:30 +02:00 · 2023-08-17 00:17:02 +02:00 · 2023-08-17 00:17:02 +02:00 · 8dad143f8d
commit 8dad143f8d
parent bcd41c4d9b
10 changed files with 391 additions and 67 deletions
--- a/src/Entity/UserSystem/ApiToken.php
+++ b/src/Entity/UserSystem/ApiToken.php
@ -58,6 +58,12 @@ class ApiToken
    #[ORM\Column(length: 68, unique: true)]
    private string $token;

+    #[ORM\Column(type: Types::SMALLINT, enumType: ApiTokenLevel::class)]
+    private ApiTokenLevel $level = ApiTokenLevel::READ_ONLY;
+
+    #[ORM\Column(type: Types::DATETIME_MUTABLE, nullable: true)]
+    private ?\DateTimeInterface $last_time_used = null;
+
    public function __construct(ApiTokenType $tokenType = ApiTokenType::PERSONAL_ACCESS_TOKEN)
    {
        // Generate a rondom token on creation. The tokenType is 3 characters long (plus underscore), so the token is 68 characters long.
@ -121,5 +127,36 @@ class ApiToken
        return $this;
    }

+    /**
+     * Gets the last time the token was used to authenticate or null if it was never used.
+     * @return \DateTimeInterface|null
+     */
+    public function getLastTimeUsed(): ?\DateTimeInterface
+    {
+        return $this->last_time_used;
+    }
+
+    /**
+     * Sets the last time the token was used to authenticate.
+     * @param \DateTimeInterface|null $last_time_used
+     * @return ApiToken
+     */
+    public function setLastTimeUsed(?\DateTimeInterface $last_time_used): ApiToken
+    {
+        $this->last_time_used = $last_time_used;
+        return $this;
+    }
+
+    public function getLevel(): ApiTokenLevel
+    {
+        return $this->level;
+    }
+
+    public function setLevel(ApiTokenLevel $level): ApiToken
+    {
+        $this->level = $level;
+        return $this;
+    }
+

 }
--- a/src/Entity/UserSystem/ApiTokenLevel.php
+++ b/src/Entity/UserSystem/ApiTokenLevel.php
@ -0,0 +1,58 @@
+<?php
+/*
+ * This file is part of Part-DB (https://github.com/Part-DB/Part-DB-symfony).
+ *
+ *  Copyright (C) 2019 - 2023 Jan Böhmer (https://github.com/jbtronics)
+ *
+ *  This program is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU Affero General Public License as published
+ *  by the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU Affero General Public License for more details.
+ *
+ *  You should have received a copy of the GNU Affero General Public License
+ *  along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+declare(strict_types=1);
+
+
+namespace App\Entity\UserSystem;
+
+enum ApiTokenLevel: int
+{
+    private const ROLE_READ_ONLY = 'ROLE_API_READ_ONLY';
+    private const ROLE_EDIT = 'ROLE_API_EDIT';
+    private const ROLE_FULL = 'ROLE_API_FULL';
+
+    /**
+     * The token can only read (non-sensitive) data.
+     */
+    case READ_ONLY = 1;
+    /**
+     * The token can read and edit (non-sensitive) data.
+     */
+    case EDIT = 2;
+    /**
+     * The token can do everything the user can do.
+     */
+    case FULL = 3;
+
+    /**
+     * Returns the additional roles that the authenticated user should have when using this token.
+     * @return string[]
+     */
+    public function getAdditionalRoles(): array
+    {
+        //The higher roles should always include the lower ones
+        return match ($this) {
+            self::READ_ONLY => [self::ROLE_READ_ONLY],
+            self::EDIT => [self::ROLE_READ_ONLY, self::ROLE_EDIT],
+            self::FULL => [self::ROLE_READ_ONLY, self::ROLE_EDIT, self::ROLE_FULL],
+        };
+    }
+}
--- a/src/Entity/UserSystem/User.php
+++ b/src/Entity/UserSystem/User.php
@ -315,6 +315,11 @@ class User extends AttachmentContainingDBElement implements UserInterface, HasPe
    #[ORM\Column(type: Types::BOOLEAN)]
    protected bool $saml_user = false;

+    /**
+     * @var ApiToken|null The api token which is used to authenticate the user, or null if the user is not authenticated via api token
+     */
+    private ?ApiToken $authenticating_api_token = null;
+
    public function __construct()
    {
        $this->attachments = new ArrayCollection();
@ -1035,6 +1040,23 @@ class User extends AttachmentContainingDBElement implements UserInterface, HasPe
        $this->api_tokens->removeElement($apiToken);
    }

+    /**
+     * Mark the user as authenticated with an API token, should only be used by the API token authenticator.
+     * @param  ApiToken  $apiToken
+     * @return void
+     */
+    public function markAsApiTokenAuthenticated(ApiToken $apiToken): void
+    {
+        $this->authenticating_api_token = $apiToken;
+    }

+    /**
+     * Return the API token that is currently authenticating the user or null if the user is not authenticated with an API token.
+     * @return ApiToken|null
+     */
+    public function getAuthenticatingApiToken(): ?ApiToken
+    {
+        return $this->authenticating_api_token;
+    }

 }