fotospiel-app/app/Http/Controllers/Api/Support/SupportTokenController.php

<?php

namespace App\Http\Controllers\Api\Support;

use App\Http\Controllers\Controller;
use App\Http\Requests\Support\SupportTokenRequest;
use App\Models\User;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Arr;
use Illuminate\Support\Facades\Hash;
use Illuminate\Validation\ValidationException;

class SupportTokenController extends Controller
{
    public function store(SupportTokenRequest $request): JsonResponse
    {
        $credentials = $request->credentials();

        $query = User::query();

        if (isset($credentials['email'])) {
            $query->where('email', $credentials['email']);
        }

        if (isset($credentials['username'])) {
            $query->where('username', $credentials['username']);
        }

        /** @var User|null $user */
        $user = $query->first();

        if (! $user || ! Hash::check($credentials['password'], (string) $user->password)) {
            throw ValidationException::withMessages([
                'login' => [trans('auth.failed')],
            ]);
        }

        if (! $user->isSuperAdmin()) {
            throw ValidationException::withMessages([
                'login' => [trans('auth.not_authorized')],
            ]);
        }

        $tokenConfig = config('support-api.token');
        $defaultAbilities = $tokenConfig['default_abilities'] ?? [];
        $abilities = $credentials['abilities'] ?? $defaultAbilities;

        if ($abilities !== $defaultAbilities) {
            $abilities = array_values(array_intersect($abilities, $defaultAbilities));
        }

        if (! in_array('support-admin', $abilities, true)) {
            $abilities[] = 'support-admin';
        }

        $tokenName = (string) ($tokenConfig['name'] ?? 'support-api');

        $user->tokens()->where('name', $tokenName)->delete();

        $token = $user->createToken($tokenName, $abilities);

        return response()->json([
            'token' => $token->plainTextToken,
            'token_type' => 'Bearer',
            'abilities' => $abilities,
            'user' => Arr::only($user->toArray(), [
                'id',
                'email',
                'name',
                'role',
                'tenant_id',
            ]),
        ]);
    }

    public function destroy(Request $request): JsonResponse
    {
        $token = $request->user()?->currentAccessToken();

        if ($token) {
            $token->delete();
        }

        return response()->json(['ok' => true]);
    }

    public function me(Request $request): JsonResponse
    {
        $user = $request->user();

        return response()->json([
            'user' => $user ? Arr::only($user->toArray(), [
                'id',
                'name',
                'email',
                'role',
                'tenant_id',
            ]) : null,
            'abilities' => $user?->currentAccessToken()?->abilities ?? [],
        ]);
    }
}