<?php
namespace App\Http\Middleware;
use App\Support\ApiError;
use Closure;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Laravel\Sanctum\PersonalAccessToken;
use Symfony\Component\HttpFoundation\Response;
class EnsureSupportToken
{
    /**
     * Handle an incoming request.
     *
     * Gate in front of the support APIs. A request passes only when, in this
     * order: (1) a user is resolved from the request, (2) that user's current
     * access token is a Sanctum PersonalAccessToken, (3) the user is a super
     * administrator, and (4) the token carries the `support-admin` or the
     * `super-admin` ability. The first failing step short-circuits with a JSON
     * API error (401 for 1-2, 403 for 3-4); nothing is thrown.
     *
     * Note for reviewers: Sanctum's `can()` treats a `*` ability as matching
     * every ability, so a token issued with the default wildcard abilities
     * satisfies step 4 — the super-admin check in step 3 is what actually
     * limits the audience. Also, `Auth::shouldUse('sanctum')` is invoked after
     * the user has already been resolved here, so it only affects guard
     * resolution further down the pipeline (presumably intended; verify
     * against the route's preceding auth middleware).
     */
    public function handle(Request $request, Closure $next): JsonResponse|Response
    {
        $actor = $request->user();

        // Objects are always truthy, so a null check is the same test as `! $user`.
        if ($actor === null) {
            return $this->unauthorizedResponse('Unauthenticated request.');
        }

        $token = $actor->currentAccessToken();

        // A session-authenticated user (or a transient token) has no
        // PersonalAccessToken; support APIs require a real token row.
        if (! $token instanceof PersonalAccessToken) {
            return $this->unauthorizedResponse('Missing personal access token context.');
        }

        // Both authorization checks yield 403; evaluated in the original order
        // (role first, then token ability) via first-true-wins `match`.
        $denial = match (true) {
            ! $actor->isSuperAdmin() => $this->forbiddenResponse(
                'Only super administrators may access support APIs.',
            ),
            ! $this->tokenGrantsSupportAccess($token) => $this->forbiddenResponse(
                'Access token does not include the support-admin ability.',
            ),
            default => null,
        };

        if ($denial !== null) {
            return $denial;
        }

        // Expose the token id to downstream handlers (e.g. for audit logging —
        // the consumer is not visible from this file).
        $request->attributes->set('support_token_id', $token->id);

        Auth::shouldUse('sanctum');

        return $next($request);
    }

    /**
     * True when the token holds either ability that unlocks the support APIs.
     * `support-admin` is consulted first; `super-admin` only if that fails.
     */
    private function tokenGrantsSupportAccess(PersonalAccessToken $token): bool
    {
        return $token->can('support-admin') || $token->can('super-admin');
    }

    /**
     * Build the 401 API error used for unauthenticated / token-less callers.
     */
    private function unauthorizedResponse(string $message): JsonResponse
    {
        $code = 'unauthenticated';
        $title = 'Unauthenticated';

        return ApiError::response($code, $title, $message, Response::HTTP_UNAUTHORIZED);
    }

    /**
     * Build the 403 API error used when the caller is authenticated but not
     * permitted to use the support APIs.
     */
    private function forbiddenResponse(string $message): JsonResponse
    {
        $code = 'support_forbidden';
        $title = 'Forbidden';

        return ApiError::response($code, $title, $message, Response::HTTP_FORBIDDEN);
    }
}