oficial/app/src/Middleware/API.php

<?php
namespace Incoviba\Middleware;

use Psr\Http\Message\ResponseFactoryInterface;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\RequestHandlerInterface;
use Psr\Log\LoggerInterface;
use Incoviba\Exception\MissingAuthorizationHeader;
use Incoviba\Service;

class API
{
    public function __construct(protected ResponseFactoryInterface $responseFactory,
                                protected LoggerInterface $logger,
                                protected Service\API $apiService,
                                protected Service\Login $loginService,
                                protected string $key,
                                array $apiUrls)
    {
        $this->permittedPaths = $apiUrls['permittedPaths'];
        $this->simplePaths = $apiUrls['simplePaths'];
        $this->externalPaths = $apiUrls['externalPaths'];
    }

    protected array $permittedPaths;
    protected array $simplePaths;
    protected array $externalPaths;

    public function __invoke(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        if ($this->validExternal($request)) {
            return $handler->handle($request);
        }
        try {
            $key = $this->apiService->getKey($request);
        } catch (MissingAuthorizationHeader $exception) {
            $this->logger->warning($exception, [
                'headers' => $request->getHeaders()
            ]);
            return $this->responseFactory->createResponse(401);
        }
        if ($this->validateSimpleKey($request, $key)) {
            return $handler->handle($request);
        }
        if ($this->validate($request, $key)) {
            return $handler->handle($request);
        }
        $this->logger->warning("Forbidden.", [
            'headers' => $request->getHeaders()
        ]);
        return $this->responseFactory->createResponse(403);
    }
    protected function validate(ServerRequestInterface $request, $incoming_key): bool
    {
        $selector = null;
        $token = null;
        if (str_contains($incoming_key, $this->loginService->getSeparator())) {
            list($incoming_key, $selector, $token) = explode($this->loginService->getSeparator(), $incoming_key, 3);
            if (!$this->loginService->isIn($selector, $token)) {
                return false;
            }
        }
        if (!$this->loginService->isIn($selector, $token) and !$this->validPermitted($request)) {
            return false;
        }
        return $incoming_key === md5($this->key);
    }
    protected function validateSimpleKey(ServerRequestInterface $request, $incoming_key): bool
    {
        return $incoming_key === md5($this->key) and $this->noComplexKeyNeeded($request);
    }
    protected function noComplexKeyNeeded(ServerRequestInterface $request): bool
    {
        $uri = $request->getUri();
        return in_array($uri->getPath(), $this->simplePaths);
    }
    protected function validPermitted(ServerRequestInterface $request): bool
    {
        $uri = $request->getUri();
        return in_array($uri->getPath(), $this->permittedPaths);
    }
    protected function validExternal(ServerRequestInterface $request): bool
    {
        $uri = $request->getUri();
        foreach ($this->externalPaths as $basePath => $paths) {
            if (!str_starts_with($uri->getPath(), strtolower($basePath))) {
                continue;
            }
            foreach ($paths as $subPath => $key) {
                $fullPath = strtolower("{$basePath}{$subPath}");
                if ($uri->getPath() === $fullPath) {
                    return $this->validateExternalKey($request, $basePath, $subPath);
                }
            }
        }
        return false;
    }
    protected function validateExternalKey(ServerRequestInterface $request, $basePath, $subPath): bool
    {
        $data = $this->externalPaths[$basePath][$subPath];
        if (isset($data['validator'])) {
            $method = [$data['validator'], 'validateToken'];
            if ($method($request, $data)) {
                $this->logger->info("Validated external key", [
                    'path' => $request->getUri()->getPath(),
                    'headers' => $request->getHeaders(),
                    'body' => $request->getBody()->getContents()
                ]);
                return true;
            }
        }
        if (isset($data['header']) and $request->hasHeader($data['header'])) {
            $token = $request->getHeaderLine($data['header']);
            if ($token === $this->externalPaths[$basePath][$subPath]['token']) {
                return true;
            }
        }
        if ($request->hasHeader('x-api-key')) {
            $key = $request->getHeaderLine('x-api-key');
            if ($key === $this->externalPaths[$basePath][$subPath]) {
                return true;
            }
        }
        if ($request->hasHeader('Authorization')) {
            $key = $request->getHeaderLine('Authorization');
            if (str_starts_with($key, 'Bearer ')) {
                $key = substr($key, 7);
                if ($key === $this->externalPaths[$basePath][$subPath]) {
                    return true;
                }
            }
        }
        $this->logger->warning("Failed to validate external key", [
            'path' => $request->getUri()->getPath(),
            'headers' => $request->getHeaders(),
            'token' => $this->externalPaths[$basePath][$subPath],
            'body' => $request->getBody()->getContents()
        ]);
        return false;
    }
}
FIX: Remove login for API 2023-11-25 00:55:31 -03:00			`<?php`
			`namespace Incoviba\Middleware;`

			`use Psr\Http\Message\ResponseFactoryInterface;`
			`use Psr\Http\Message\ResponseInterface;`
			`use Psr\Http\Message\ServerRequestInterface;`
			`use Psr\Http\Server\RequestHandlerInterface;`
Se extra getKey y configuraciones the paths 2024-08-27 14:46:03 -04:00			`use Psr\Log\LoggerInterface;`
FIX: Remove login for API 2023-11-25 00:55:31 -03:00			`use Incoviba\Exception\MissingAuthorizationHeader;`
Base API, and more solid key and check 2024-03-20 23:07:49 -03:00			`use Incoviba\Service;`
FIX: Remove login for API 2023-11-25 00:55:31 -03:00
			`class API`
			`{`
FIX: API not added by git 2024-07-26 23:57:04 -04:00			`public function __construct(protected ResponseFactoryInterface $responseFactory,`
Se extra getKey y configuraciones the paths 2024-08-27 14:46:03 -04:00			`protected LoggerInterface $logger,`
			`protected Service\API $apiService,`
FIX: API not added by git 2024-07-26 23:57:04 -04:00			`protected Service\Login $loginService,`
Validacion API/external 2025-05-12 16:01:09 -04:00			`protected string $key,`
Cambios de usos de env vars 2025-06-03 12:04:53 -04:00			`array $apiUrls)`
			`{`
			`$this->permittedPaths = $apiUrls['permittedPaths'];`
			`$this->simplePaths = $apiUrls['simplePaths'];`
			`$this->externalPaths = $apiUrls['externalPaths'];`
			`}`

			`protected array $permittedPaths;`
			`protected array $simplePaths;`
			`protected array $externalPaths;`
FIX: Remove login for API 2023-11-25 00:55:31 -03:00
			`public function __invoke(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface`
			`{`
Validacion API/external 2025-05-12 16:01:09 -04:00			`if ($this->validExternal($request)) {`
			`return $handler->handle($request);`
			`}`
FIX: Remove login for API 2023-11-25 00:55:31 -03:00			`try {`
Se extra getKey y configuraciones the paths 2024-08-27 14:46:03 -04:00			`$key = $this->apiService->getKey($request);`
Cambios de usos de env vars 2025-06-03 12:04:53 -04:00			`} catch (MissingAuthorizationHeader $exception) {`
			`$this->logger->warning($exception, [`
			`'headers' => $request->getHeaders()`
			`]);`
FIX: Remove login for API 2023-11-25 00:55:31 -03:00			`return $this->responseFactory->createResponse(401);`
			`}`
FIX: API not added by git 2024-07-26 23:57:04 -04:00			`if ($this->validateSimpleKey($request, $key)) {`
			`return $handler->handle($request);`
			`}`
Base API, and more solid key and check 2024-03-20 23:07:49 -03:00			`if ($this->validate($request, $key)) {`
FIX: Remove login for API 2023-11-25 00:55:31 -03:00			`return $handler->handle($request);`
			`}`
Log forbidden 2025-06-03 12:06:35 -04:00			`$this->logger->warning("Forbidden.", [`
			`'headers' => $request->getHeaders()`
			`]);`
FIX: Remove login for API 2023-11-25 00:55:31 -03:00			`return $this->responseFactory->createResponse(403);`
			`}`
Base API, and more solid key and check 2024-03-20 23:07:49 -03:00			`protected function validate(ServerRequestInterface $request, $incoming_key): bool`
FIX: Remove login for API 2023-11-25 00:55:31 -03:00			`{`
FIX: API not added by git 2024-07-26 23:57:04 -04:00			`$selector = null;`
			`$token = null;`
Base API, and more solid key and check 2024-03-20 23:07:49 -03:00			`if (str_contains($incoming_key, $this->loginService->getSeparator())) {`
FIX: API not added by git 2024-07-26 23:57:04 -04:00			`list($incoming_key, $selector, $token) = explode($this->loginService->getSeparator(), $incoming_key, 3);`
			`if (!$this->loginService->isIn($selector, $token)) {`
Base API, and more solid key and check 2024-03-20 23:07:49 -03:00			`return false;`
			`}`
			`}`
FIX: API not added by git 2024-07-26 23:57:04 -04:00			`if (!$this->loginService->isIn($selector, $token) and !$this->validPermitted($request)) {`
Base API, and more solid key and check 2024-03-20 23:07:49 -03:00			`return false;`
			`}`
FIX: Remove login for API 2023-11-25 00:55:31 -03:00			`return $incoming_key === md5($this->key);`
			`}`
FIX: API not added by git 2024-07-26 23:57:04 -04:00			`protected function validateSimpleKey(ServerRequestInterface $request, $incoming_key): bool`
			`{`
			`return $incoming_key === md5($this->key) and $this->noComplexKeyNeeded($request);`
			`}`
			`protected function noComplexKeyNeeded(ServerRequestInterface $request): bool`
			`{`
			`$uri = $request->getUri();`
Se extra getKey y configuraciones the paths 2024-08-27 14:46:03 -04:00			`return in_array($uri->getPath(), $this->simplePaths);`
FIX: API not added by git 2024-07-26 23:57:04 -04:00			`}`
Base API, and more solid key and check 2024-03-20 23:07:49 -03:00			`protected function validPermitted(ServerRequestInterface $request): bool`
			`{`
			`$uri = $request->getUri();`
Se extra getKey y configuraciones the paths 2024-08-27 14:46:03 -04:00			`return in_array($uri->getPath(), $this->permittedPaths);`
Base API, and more solid key and check 2024-03-20 23:07:49 -03:00			`}`
Validacion API/external 2025-05-12 16:01:09 -04:00			`protected function validExternal(ServerRequestInterface $request): bool`
			`{`
			`$uri = $request->getUri();`
			`foreach ($this->externalPaths as $basePath => $paths) {`
FIX: Toku external 2025-05-12 16:35:33 -04:00			`if (!str_starts_with($uri->getPath(), strtolower($basePath))) {`
Validacion API/external 2025-05-12 16:01:09 -04:00			`continue;`
			`}`
FIX: Toku external 2025-05-12 16:35:33 -04:00			`foreach ($paths as $subPath => $key) {`
			`$fullPath = strtolower("{$basePath}{$subPath}");`
Validacion API/external 2025-05-12 16:01:09 -04:00			`if ($uri->getPath() === $fullPath) {`
			`return $this->validateExternalKey($request, $basePath, $subPath);`
			`}`
			`}`
			`}`
			`return false;`
			`}`
			`protected function validateExternalKey(ServerRequestInterface $request, $basePath, $subPath): bool`
			`{`
More granular control of external validation configuration 2025-05-29 19:22:55 -04:00			`$data = $this->externalPaths[$basePath][$subPath];`
Validate with service 2025-05-29 19:43:06 -04:00			`if (isset($data['validator'])) {`
			`$method = [$data['validator'], 'validateToken'];`
Validar con headers 2025-05-30 14:18:48 -04:00			`if ($method($request, $data)) {`
Validated external query log 2025-06-03 22:19:11 -04:00			`$this->logger->info("Validated external key", [`
			`'path' => $request->getUri()->getPath(),`
			`'headers' => $request->getHeaders(),`
			`'body' => $request->getBody()->getContents()`
			`]);`
FIX: Toku envía complejo el header 2025-05-29 19:56:43 -04:00			`return true;`
			`}`
Validate with service 2025-05-29 19:43:06 -04:00			`}`
More granular control of external validation configuration 2025-05-29 19:22:55 -04:00			`if (isset($data['header']) and $request->hasHeader($data['header'])) {`
			`$token = $request->getHeaderLine($data['header']);`
			`if ($token === $this->externalPaths[$basePath][$subPath]['token']) {`
			`return true;`
			`}`
			`}`
Validacion API/external 2025-05-12 16:01:09 -04:00			`if ($request->hasHeader('x-api-key')) {`
			`$key = $request->getHeaderLine('x-api-key');`
			`if ($key === $this->externalPaths[$basePath][$subPath]) {`
			`return true;`
			`}`
			`}`
			`if ($request->hasHeader('Authorization')) {`
			`$key = $request->getHeaderLine('Authorization');`
			`if (str_starts_with($key, 'Bearer ')) {`
			`$key = substr($key, 7);`
			`if ($key === $this->externalPaths[$basePath][$subPath]) {`
			`return true;`
			`}`
			`}`
			`}`
Log external tries 2025-05-29 19:24:35 -04:00			`$this->logger->warning("Failed to validate external key", [`
			`'path' => $request->getUri()->getPath(),`
			`'headers' => $request->getHeaders(),`
FIX: Log de envio 2025-05-30 12:48:12 -04:00			`'token' => $this->externalPaths[$basePath][$subPath],`
			`'body' => $request->getBody()->getContents()`
Log external tries 2025-05-29 19:24:35 -04:00			`]);`
Validacion API/external 2025-05-12 16:01:09 -04:00			`return false;`
			`}`
FIX: Remove login for API 2023-11-25 00:55:31 -03:00			`}`