113 lines
3.2 KiB
PHP
113 lines
3.2 KiB
PHP
<?php
|
|
|
|
namespace App\Http\Middleware;
|
|
|
|
use App\Models\Tenant;
|
|
use App\Support\ApiError;
|
|
use Closure;
|
|
use Illuminate\Http\JsonResponse;
|
|
use Illuminate\Http\Request;
|
|
use Illuminate\Support\Facades\Auth;
|
|
use Laravel\Sanctum\PersonalAccessToken;
|
|
use Symfony\Component\HttpFoundation\Response;
|
|
|
|
class EnsureTenantAdminToken
|
|
{
|
|
/**
|
|
* Handle an incoming request.
|
|
*/
|
|
public function handle(Request $request, Closure $next): JsonResponse|Response
|
|
{
|
|
$user = $request->user();
|
|
|
|
if (! $user) {
|
|
return $this->unauthorizedResponse('Unauthenticated request.');
|
|
}
|
|
|
|
$accessToken = $user->currentAccessToken();
|
|
|
|
if (! $accessToken instanceof PersonalAccessToken) {
|
|
return $this->unauthorizedResponse('Missing personal access token context.');
|
|
}
|
|
|
|
if (! in_array($user->role, ['tenant_admin', 'super_admin'], true)) {
|
|
return $this->forbiddenResponse('Only tenant administrators may access this resource.');
|
|
}
|
|
|
|
if (! $accessToken->can('tenant-admin')) {
|
|
return $this->forbiddenResponse('Access token does not include the tenant-admin ability.');
|
|
}
|
|
|
|
/** @var Tenant|null $tenant */
|
|
$tenant = $user->tenant;
|
|
|
|
if (! $tenant && $user->role === 'super_admin') {
|
|
$requestedTenantId = $this->resolveRequestedTenantId($request);
|
|
|
|
if ($requestedTenantId !== null) {
|
|
$tenant = Tenant::query()->find($requestedTenantId);
|
|
}
|
|
}
|
|
|
|
if (! $tenant && $user->role !== 'super_admin') {
|
|
return $this->forbiddenResponse('Tenant context missing for user.');
|
|
}
|
|
|
|
if ($tenant) {
|
|
$request->attributes->set('tenant_id', $tenant->id);
|
|
$request->attributes->set('tenant', $tenant);
|
|
} elseif ($user->role === 'super_admin') {
|
|
$requestedTenantId = $this->resolveRequestedTenantId($request);
|
|
if ($requestedTenantId !== null) {
|
|
$request->attributes->set('tenant_id', $requestedTenantId);
|
|
}
|
|
}
|
|
|
|
$request->attributes->set('sanctum_token_id', $accessToken->id);
|
|
|
|
Auth::shouldUse('sanctum');
|
|
|
|
return $next($request);
|
|
}
|
|
|
|
private function unauthorizedResponse(string $message): JsonResponse
|
|
{
|
|
return ApiError::response(
|
|
'unauthenticated',
|
|
'Unauthenticated',
|
|
$message,
|
|
Response::HTTP_UNAUTHORIZED
|
|
);
|
|
}
|
|
|
|
private function forbiddenResponse(string $message): JsonResponse
|
|
{
|
|
return ApiError::response(
|
|
'tenant_admin_only',
|
|
'Forbidden',
|
|
$message,
|
|
Response::HTTP_FORBIDDEN
|
|
);
|
|
}
|
|
|
|
private function resolveRequestedTenantId(Request $request): ?int
|
|
{
|
|
$routeTenant = $request->route('tenant');
|
|
if (is_numeric($routeTenant)) {
|
|
return (int) $routeTenant;
|
|
}
|
|
|
|
$queryTenant = $request->query('tenant_id');
|
|
if (is_numeric($queryTenant)) {
|
|
return (int) $queryTenant;
|
|
}
|
|
|
|
$headerTenant = $request->header('X-Tenant-ID');
|
|
if (is_numeric($headerTenant)) {
|
|
return (int) $headerTenant;
|
|
}
|
|
|
|
return null;
|
|
}
|
|
}
|