Correctly validate api request token expiration date for access

leepeuker · Mar 2, 2024 · 96c3d0d · 96c3d0d
1 parent 127e830
commit 96c3d0d
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 2 deletions.
diff --git a/src/Domain/User/Service/Authentication.php b/src/Domain/User/Service/Authentication.php
@@ -115,6 +115,10 @@ public function getUserIdByApiToken(Request $request) : ?int
             return null;
         }
 
+        if ($this->isValidAuthToken($apiToken) === false) {
+            return null;
+        }
+
         return $this->userApi->findByToken($apiToken)?->getId();
     }
 

diff --git a/src/HttpController/Api/Middleware/IsAuthorizedToReadUserData.php b/src/HttpController/Api/Middleware/IsAuthorizedToReadUserData.php
@@ -17,7 +17,9 @@ public function __construct(
 
     public function __invoke(Request $request) : ?Response
     {
-        $requestedUser = $this->userApi->findUserByName((string)$request->getRouteParameters()['username']);
+        $requestedUsername = (string)$request->getRouteParameters()['username'];
+
+        $requestedUser = $this->userApi->findUserByName($requestedUsername);
         if ($requestedUser === null) {
             return Response::createNotFound();
         }

diff --git a/src/HttpController/Api/Middleware/IsAuthorizedToWriteUserData.php b/src/HttpController/Api/Middleware/IsAuthorizedToWriteUserData.php
@@ -17,7 +17,9 @@ public function __construct(
 
     public function __invoke(Request $request) : ?Response
     {
-        $requestedUser = $this->userApi->findUserByName((string)$request->getRouteParameters()['username']);
+        $requestedUsername = (string)$request->getRouteParameters()['username'];
+
+        $requestedUser = $this->userApi->findUserByName($requestedUsername);
         if ($requestedUser === null) {
             return Response::createNotFound();
         }