feat: Laravel Sanctum API implementation

app/Console/Commands/AddSiteSettings.php

@@ -95,6 +95,10 @@ public function handle() {
 
         $this->addSiteSetting('allow_users_to_delete_profile_comments', 0, '0: Users cannot delete profile comments, 1: Users can delete profile comments.');
 
+        $this->addSiteSetting('allow_users_to_generate_tokens', 0, '0: Users cannot generate their own API tokens, 1: Users can generate their own API tokens.');
+
+        $this->addSiteSetting('allow_token_generation_via_api', 0, '0: Tokens can not be generated via the API, 1: Users can directly generate tokens via username/password authentication with the API.');
+
         $this->line("\nSite settings up to date!");
     }
 

app/Http/Controllers/Admin/Users/UserController.php

@@ -421,4 +421,41 @@ public function postReactivate(Request $request, UserService $service, $name) {
 
         return redirect()->back();
     }
+
+    /**
+     * Show a user's token revokation page.
+     *
+     * @param mixed $name
+     *
+     * @return \Illuminate\Contracts\Support\Renderable
+     */
+    public function getRevokeTokensConfirmation($name) {
+        $user = User::where('name', $name)->with('settings')->first();
+
+        if (!$user) {
+            abort(404);
+        }
+
+        return view('admin.users._user_revoke_token_confirmation', [
+            'user' => $user,
+        ]);
+    }
+
+    public function postRevokeTokens(Request $request, UserService $service, $name) {
+        $user = User::where('name', $name)->first();
+
+        if (!$user) {
+            flash('Invalid user.')->error();
+        } elseif (!Auth::user()->canEditRank($user->rank)) {
+            flash('You cannot edit the information of a user that has a higher rank than yourself.')->error();
+        } elseif ($service->revokeTokens($user, Auth::user())) {
+            flash('Revoked all user API tokens successfully.')->success();
+        } else {
+            foreach ($service->errors()->getMessages()['error'] as $error) {
+                flash($error)->error();
+            }
+        }
+
+        return redirect()->back();
+    }
 }

app/Http/Controllers/Api/AuthController.php

@@ -0,0 +1,41 @@
+<?php
+
+namespace App\Http\Controllers\Api;
+
+use App\Http\Controllers\Controller;
+use App\Models\User\User;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Hash;
+use Illuminate\Validation\ValidationException;
+
+class AuthController extends Controller {
+    /**
+     * Authenticate with email/password and receive a PAT through the API.
+     */
+    public function postGenerateToken(Request $request) {
+        if (!Settings::get('allow_token_generation_via_api')) {
+            return response()->json([
+                'message' => 'Token generation via API is not allowed.',
+            ], 403);
+        }
+
+        $request->validate([
+            'email'      => 'required|email',
+            'password'   => 'required',
+            'token_name' => 'required',
+        ]);
+
+        $user = User::where('email', $request->email)->first();
+
+        if (!$user || !Hash::check($request->password, $user->password)) {
+            throw ValidationException::withMessages([
+                'email' => ['The provided credentials are incorrect.'],
+            ]);
+        }
+
+        // Delete any pre-existing tokens
+        $user->tokens()->delete();
+
+        return $user->createToken($request->token_name)->plainTextToken;
+    }
+}

app/Http/Controllers/Api/InfoController.php

@@ -0,0 +1,21 @@
+<?php
+
+namespace App\Http\Controllers\Api;
+
+use App\Http\Controllers\Controller;
+use App\Models\Character\Character;
+use Illuminate\Http\Request;
+
+class InfoController extends Controller {
+    public function getCharacter(Request $request) {
+        $character = Character::find($request->id);
+
+        if ($character) {
+            return response()->json($character);
+        } else {
+            return response()->json([
+                'message' => 'No character found.',
+            ], 404);
+        }
+    }
+}

app/Http/Controllers/Users/ApiController.php

@@ -0,0 +1,65 @@
+<?php
+
+namespace App\Http\Controllers\Users;
+
+use App\Http\Controllers\Controller;
+use App\Services\UserService;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Auth;
+
+class ApiController extends Controller {
+    /*
+    |--------------------------------------------------------------------------
+    | Admin / Api Controller
+    |--------------------------------------------------------------------------
+    |
+    | Handles creation/editing of API access.
+    |
+    */
+
+    /**
+     * Generates (or re-generates) an API token.
+     *
+     * @return \Illuminate\Contracts\Support\Renderable
+     */
+    public function postGenerateToken(Request $request, UserService $service) {
+        if (!Settings::get('allow_users_to_generate_tokens')) {
+            abort(404);
+        }
+
+        if (!$service->generateToken(Auth::user())) {
+            foreach ($service->errors()->getMessages()['error'] as $error) {
+                flash($error)->error();
+            }
+        }
+
+        return redirect()->back()->withInput();
+    }
+
+    /**
+     * Generates (or re-generates) an API token.
+     *
+     * @return \Illuminate\Contracts\Support\Renderable
+     */
+    public function postRevokeToken(Request $request, UserService $service) {
+        if (!$service->revokeTokens(Auth::user())) {
+            foreach ($service->errors()->getMessages()['error'] as $error) {
+                flash($error)->error();
+            }
+        } else {
+            flash('Token(s) revoked successfully.')->success();
+        }
+
+        return redirect()->back()->withInput();
+    }
+
+    /**
+     * Generates (or re-generates) an API token without CSRF protection.
+     * This token is different from the one provided to the user via settings.
+     *
+     * @return mixed
+     */
+    public function getGenerateToken(Request $request, UserService $service) {
+        return $service->generateTokenAPI();
+    }
+}

app/Http/Kernel.php

@@ -38,8 +38,9 @@ class Kernel extends HttpKernel {
         ],
 
         'api' => [
+            \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
             'throttle:60,1',
-            'bindings',
+            \Illuminate\Routing\Middleware\SubstituteBindings::class,
         ],
     ];
 
@@ -65,6 +66,8 @@ class Kernel extends HttpKernel {
         'throttle'      => \Illuminate\Routing\Middleware\ThrottleRequests::class,
         'verified'      => \Illuminate\Auth\Middleware\EnsureEmailIsVerified::class,
         'post.throttle' => Middleware\PostRequestThrottleMiddleware::class,
+        'abilities'     => \Laravel\Sanctum\Http\Middleware\CheckAbilities::class,
+        'ability'       => \Laravel\Sanctum\Http\Middleware\CheckForAnyAbility::class,
     ];
 
     /**

app/Http/Middleware/VerifyCsrfToken.php

@@ -18,6 +18,6 @@ class VerifyCsrfToken extends Middleware {
      * @var array
      */
     protected $except = [
-        //
+        'account/api/token',
     ];
 }

app/Models/User/User.php

@@ -27,9 +27,10 @@
 use Illuminate\Notifications\Notifiable;
 use Illuminate\Support\Facades\Auth;
 use Laravel\Fortify\TwoFactorAuthenticatable;
+use Laravel\Sanctum\HasApiTokens;
 
 class User extends Authenticatable implements MustVerifyEmail {
-    use Commenter, Notifiable, TwoFactorAuthenticatable;
+    use Commenter, HasApiTokens, Notifiable, TwoFactorAuthenticatable;
 
     /**
      * The attributes that are mass assignable.

app/Services/UserService.php

@@ -14,6 +14,7 @@
 use App\Models\User\User;
 use App\Models\User\UserUpdateLog;
 use Carbon\Carbon;
+use Illuminate\Support\Facades\Auth;
 use Illuminate\Support\Facades\DB;
 use Illuminate\Support\Facades\File;
 use Illuminate\Support\Facades\Hash;
@@ -81,25 +82,28 @@ public function validator(array $data, $socialite = false) {
             'agreement' => ['required', 'accepted'],
             'password'  => ($socialite ? [] : ['required']) + ['string', 'min:8', 'confirmed'],
             'dob'       => [
-                'required', function ($attribute, $value, $fail) {
+                'required',
+                function ($attribute, $value, $fail) {
                     $formatDate = Carbon::createFromFormat('Y-m-d', $value);
                     $now = Carbon::now();
                     if ($formatDate->diffInYears($now) < 13) {
                         $fail('You must be 13 or older to access this site.');
                     }
                 },
             ],
-            'code'                 => ['string', function ($attribute, $value, $fail) {
-                if (!Settings::get('is_registration_open')) {
-                    if (!$value) {
-                        $fail('An invitation code is required to register an account.');
+            'code'                 => [
+                'string',
+                function ($attribute, $value, $fail) {
+                    if (!Settings::get('is_registration_open')) {
+                        if (!$value) {
+                            $fail('An invitation code is required to register an account.');
+                        }
+                        $invitation = Invitation::where('code', $value)->whereNull('recipient_id')->first();
+                        if (!$invitation) {
+                            $fail('Invalid code entered.');
+                        }
                     }
-                    $invitation = Invitation::where('code', $value)->whereNull('recipient_id')->first();
-                    if (!$invitation) {
-                        $fail('Invalid code entered.');
-                    }
-                }
-            },
+                },
             ],
         ] + (config('app.env') == 'production' && config('lorekeeper.extensions.use_recaptcha') ? [
             'g-recaptcha-response' => 'required|recaptchav3:register,0.5',
@@ -415,7 +419,7 @@ public function updateUsername($username, $user) {
                 if ($last_change && $last_change->created_at->diffInDays(Carbon::now()) < config('lorekeeper.settings.username_change_cooldown')) {
                     throw new \Exception('You must wait '
                         .config('lorekeeper.settings.username_change_cooldown') - $last_change->created_at->diffInDays(Carbon::now()).
-                    ' days before changing your username again.');
+                        ' days before changing your username again.');
                 }
             }
 
@@ -696,4 +700,71 @@ public function reactivate($user, $staff = null) {
 
         return $this->rollbackReturn(false);
     }
+
+    /**
+     * Generate a "public" API token for the user.
+     *
+     * @param User $user
+     *
+     * @return bool
+     */
+    public function generateToken($user) {
+        try {
+            $user->tokens()->where('personal_access_tokens.name', 'token')->delete();
+
+            $token = $user->createToken('token')->plainTextToken;
+
+            UserUpdateLog::create(['staff_id' => $user->id, 'user_id' => $user->id, 'data' => json_encode([]), 'type' => 'Generated API Token']);
+
+            flash('Token created successfully:')->success();
+            flash($token)->success();
+            flash('Copy this down! It will NOT be shown again.')->warning();
+
+            return true;
+        } catch (\Exception $e) {
+            $this->setError('error', $e->getMessage());
+        }
+
+        return false;
+    }
+
+    /**
+     * Revokes all of a user's API tokens.
+     *
+     * @param User $user
+     * @param User $staff
+     *
+     * @return bool
+     */
+    public function revokeTokens($user, $staff = null) {
+        try {
+            $user->tokens()->delete();
+
+            UserUpdateLog::create(['staff_id' => $staff ? $staff->id : $user->id, 'user_id' => $user->id, 'data' => json_encode([]), 'type' => 'Tokens Revoked']);
+
+            return true;
+        } catch (\Exception $e) {
+            $this->setError('error', $e->getMessage());
+        }
+
+        return false;
+    }
+
+    /**
+     * Generate a "hidden" API token for the user and return it as plain text.
+     *
+     * @return mixed
+     */
+    public function generateTokenAPI() {
+        try {
+            Auth::user()->tokens()->where('personal_access_tokens.name', 'hidden')->delete();
+            $token = Auth::user()->createToken('hidden')->plainTextToken;
+
+            UserUpdateLog::create(['staff_id' => Auth::user()->id, 'user_id' => Auth::user()->id, 'data' => json_encode([]), 'type' => 'Generated API Token w/o CSRF']);
+
+            return $token;
+        } catch (\Exception $e) {
+            return response()->json($e);
+        }
+    }
 }

composer.json

@@ -19,6 +19,7 @@
         "laravel/fortify": "^1.25",
         "laravel/framework": "^10.0",
         "laravel/helpers": "^1.4",
+        "laravel/sanctum": "^3.3",
         "laravel/socialite": "^5.2",
         "laravel/tinker": "^2.0",
         "laravelcollective/html": "^6.0",