HiEventsDev · grablair · Jan 18, 2025 · Jan 21, 2025 · daveearley · Jan 21, 2025
diff --git a/backend/app/Exceptions/Handler.php b/backend/app/Exceptions/Handler.php
@@ -3,6 +3,7 @@
 namespace HiEvents\Exceptions;
 
 use Illuminate\Foundation\Exceptions\Handler as ExceptionHandler;
+use Laravel\Sanctum\Exceptions\MissingAbilityException;
 use Symfony\Component\Routing\Exception\ResourceNotFoundException;
 use Throwable;
 
@@ -52,6 +53,10 @@ public function render($request, Throwable $exception)
             return response()->json([
                 'message' => $exception->getMessage() ?: 'Resource not found',
             ], 404);
+        } else if ($exception instanceof MissingAbilityException) {
+            return response()->json([
+                'message' => $exception->getMessage(),
+            ], 403);
         }
 
         return parent::render($request, $exception);

diff --git a/backend/app/Http/Actions/Auth/CreateApiKeyAction.php b/backend/app/Http/Actions/Auth/CreateApiKeyAction.php
@@ -0,0 +1,31 @@
+<?php
+
+namespace HiEvents\Http\Actions\Auth;
+
+use App\Models\Sanctum\PersonalAccessToken;
+use HiEvents\DomainObjects\Enums\Role;
+use HiEvents\Http\Actions\BaseAction;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
+use \DateTime;
+
+class CreateApiKeyAction extends BaseAction
+{
+    public function __invoke(Request $request): JsonResponse
+    {
+        $this->minimumAllowedRole(Role::ADMIN);
+
+        $abilities = ['*'];
+        $expiryDateTime = null;
+        if ($request->abilities && count($request->abilities) > 0) {
+            $abilities = $request->abilities;
+        }
+        if ($request->expires_at) {
+            $expiryDateTime = DateTime::createFromFormat("U", strtotime($request->expires_at));
+        }
+        return $this->jsonResponse($request->user()->createToken(
+            $request->token_name,
+            $abilities,
+            $expiryDateTime));
+    }
+}
diff --git a/backend/app/Http/Actions/Auth/GetApiKeysAction.php b/backend/app/Http/Actions/Auth/GetApiKeysAction.php
@@ -0,0 +1,20 @@
+<?php
+
+namespace HiEvents\Http\Actions\Auth;
+
+use HiEvents\DomainObjects\Enums\Role;
+use HiEvents\Http\Actions\BaseAction;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
+use Laravel\Sanctum\PersonalAccessToken;
+
+class GetApiKeysAction extends BaseAction
+{
+    public function __invoke(Request $request): JsonResponse
+    {
+        $this->minimumAllowedRole(Role::ADMIN);
+
+        $tokens = $request->user()->tokens;
+        return $this->jsonResponse($tokens);
+    }
+}
diff --git a/backend/app/Http/Actions/Auth/RevokeApiKeyAction.php b/backend/app/Http/Actions/Auth/RevokeApiKeyAction.php
@@ -0,0 +1,24 @@
+<?php
+
+namespace HiEvents\Http\Actions\Auth;
+
+use App\Models\Sanctum\PersonalAccessToken;
+use HiEvents\DomainObjects\Enums\Role;
+use HiEvents\Http\Actions\BaseAction;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
+use Illuminate\Http\Response;
+
+class RevokeApiKeyAction extends BaseAction
+{
+    public function __invoke(Request $request, int $apiKey): Response
+    {
+        $this->minimumAllowedRole(Role::ADMIN);
+
+        if ($request->user()->tokens()->where('id', $apiKey)->delete()) {
+            return $this->deletedResponse();
+        } else {
+            return $this->notFoundResponse();
+        }
+    }
+}
diff --git a/backend/app/Http/Kernel.php b/backend/app/Http/Kernel.php
@@ -90,5 +90,7 @@ class Kernel extends HttpKernel
         'signed' => ValidateSignature::class,
         'throttle' => ThrottleRequests::class,
         'verified' => EnsureEmailIsVerified::class,
+        'abilities' => \Laravel\Sanctum\Http\Middleware\CheckAbilities::class,
+        'ability' => \Laravel\Sanctum\Http\Middleware\CheckForAnyAbility::class,
     ];
 }
diff --git a/backend/app/Http/Middleware/SetAccountContext.php b/backend/app/Http/Middleware/SetAccountContext.php
@@ -5,16 +5,31 @@
 use Closure;
 use HiEvents\Models\User;
 use Illuminate\Support\Facades\Auth;
+use Laravel\Sanctum\TransientToken;
 
 class SetAccountContext
 {
+
     public function handle($request, Closure $next)
     {
         if (Auth::check()) {
-            $accountId = Auth::payload()->get('account_id');
+            if (Auth::user()->currentAccessToken()) {
+                if (Auth::user()->currentAccessToken() instanceof TransientToken) {
+                    // assume logged in
+                    $accountId = auth()->guard('api')->payload()->get('account_id');
+
+                    if ($accountId) {
+                        User::setCurrentAccountId($accountId);
+                    }
+                } else {
+                    User::setCurrentAccountId(Auth::user()->currentAccessToken()->account_id);
+                }
+            } else {
+                $accountId = Auth::payload()->get('account_id');
 
-            if ($accountId) {
-                User::setCurrentAccountId($accountId);
+                if ($accountId) {
+                    User::setCurrentAccountId($accountId);
+                }
             }
         }
 

diff --git a/backend/app/Models/PersonalAccessToken.php b/backend/app/Models/PersonalAccessToken.php
@@ -0,0 +1,21 @@
+<?php
+
+namespace HiEvents\Models;
+
+use Laravel\Sanctum\PersonalAccessToken as SanctumAccessToken;
+
+class PersonalAccessToken extends SanctumAccessToken
+{
+    /**
+     * Create a new Eloquent model instance.
+     *
+     * @param  array  $attributes
+     * @return void
+     */
+    public function __construct(array $attributes = [])
+    {
+        parent::__construct($attributes);
+
+        $this->mergeFillable(['account_id']);
+    }
+}
diff --git a/backend/app/Models/User.php b/backend/app/Models/User.php
@@ -11,12 +11,17 @@
 use Illuminate\Contracts\Auth\Authenticatable as AuthenticatableContract;
 use Illuminate\Contracts\Auth\CanResetPassword as CanResetPasswordContract;
 use Illuminate\Database\Eloquent\Relations\BelongsToMany;
+use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\Relations\HasOne;
 use Illuminate\Database\Eloquent\Relations\HasOneThrough;
 use Illuminate\Foundation\Auth\Access\Authorizable;
 use Illuminate\Notifications\Notifiable;
+use Illuminate\Support\Str;
+use Laravel\Sanctum\HasApiTokens;
+use Laravel\Sanctum\NewAccessToken;
 use PHPOpenSourceSaver\JWTAuth\Contracts\JWTSubject;
 use RuntimeException;
+use DateTimeInterface;
 
 class User extends BaseModel implements AuthenticatableContract, AuthorizableContract, CanResetPasswordContract, JWTSubject
 {
@@ -25,6 +30,8 @@ class User extends BaseModel implements AuthenticatableContract, AuthorizableCon
     use Authorizable;
     use CanResetPassword;
     use MustVerifyEmail;
+    use HasApiTokens;
+    use HasFactory;
 
     /** @var array */
     protected $guarded = [];
@@ -92,4 +99,19 @@ public function currentAccountUser(): HasOne
         return $this->hasOne(AccountUser::class)
             ->where('account_id', static::getCurrentAccountId());
     }
+
+    public function createToken(string $name, array $abilities = ['*'], ?DateTimeInterface $expiresAt = null)
+    {
+        $plainTextToken = $this->generateTokenString();
+
+        $token = $this->tokens()->create([
+            'name' => $name,
+            'token' => hash('sha256', $plainTextToken),
+            'abilities' => $abilities,
+            'expires_at' => $expiresAt,
+            'account_id' => $this->getCurrentAccountId(),
+        ]);
+
+        return new NewAccessToken($token, $token->getKey().'|'.$plainTextToken);
+    }
 }
diff --git a/backend/app/Providers/AppServiceProvider.php b/backend/app/Providers/AppServiceProvider.php
@@ -9,11 +9,14 @@
 use HiEvents\DomainObjects\OrganizerDomainObject;
 use HiEvents\Models\Event;
 use HiEvents\Models\Organizer;
+use HiEvents\Models\PersonalAccessToken;
+use HiEvents\Models\User;
 use Illuminate\Database\Eloquent\Model;
 use Illuminate\Database\Eloquent\Relations\Relation;
 use Illuminate\Support\Facades\DB;
 use Illuminate\Support\Facades\File;
 use Illuminate\Support\ServiceProvider;
+use Laravel\Sanctum\Sanctum;
 use Stripe\StripeClient;
 
 class AppServiceProvider extends ServiceProvider
@@ -40,11 +43,14 @@ static function ($query) {
             );
         }
 
+        Sanctum::usePersonalAccessTokenModel(PersonalAccessToken::class);
+
         Model::preventLazyLoading(!app()->isProduction());
 
         Relation::enforceMorphMap([
             EventDomainObject::class => Event::class,
             OrganizerDomainObject::class => Organizer::class,
+            'user' => User::class,
         ]);
     }
 

diff --git a/backend/app/Services/Domain/Auth/AuthUserService.php b/backend/app/Services/Domain/Auth/AuthUserService.php
@@ -6,7 +6,9 @@
 use HiEvents\DomainObjects\UserDomainObject;
 use HiEvents\Models\User;
 use HiEvents\Repository\Interfaces\AccountUserRepositoryInterface;
+use Illuminate\Support\Facades\Auth;
 use Illuminate\Auth\AuthManager;
+use Laravel\Sanctum\TransientToken;
 use PHPOpenSourceSaver\JWTAuth\Exceptions\JWTException;
 use PHPOpenSourceSaver\JWTAuth\Payload;
 
@@ -28,6 +30,15 @@ public function getAuthenticatedAccountId(): ?int
             return null;
         }
 
+        if (Auth::user()->currentAccessToken()) {
+            if (Auth::user()->currentAccessToken() instanceof TransientToken) {
+                // assume logged in
+                return auth()->guard('api')->payload()->get('account_id');
+            } else {
+                return Auth::user()->currentAccessToken()->account_id;
+            }
+        }
+
         try {
             /** @var Payload $payload */
             $payload = $this->authManager->payload();

diff --git a/backend/config/auth.php b/backend/config/auth.php
@@ -44,6 +44,10 @@
             'driver' => 'jwt',
             'provider' => 'users',
         ],
+        'sanctum' => [
+            'driver' => 'sanctum', // For Sanctum
+            'provider' => 'users',
+        ],
     ],
 
     /*

diff --git a/backend/config/sanctum.php b/backend/config/sanctum.php
@@ -33,7 +33,7 @@
     |
     */
 
-    'guard' => ['web'],
+    'guard' => ['api'],
 
     /*
     |--------------------------------------------------------------------------

diff --git a/backend/database/migrations/2025_01_16_161633_add_account_id_to_access_tokens.php b/backend/database/migrations/2025_01_16_161633_add_account_id_to_access_tokens.php
@@ -0,0 +1,25 @@
+<?php
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\DB;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    public function up(): void
+    {
+        Schema::table('personal_access_tokens', static function (Blueprint $table) {
+            $table->foreignId('account_id')
+                ->constrained()
+                ->onDelete('cascade');
+        });
+    }
+
+    public function down(): void
+    {
+        Schema::table('personal_access_tokens', static function (Blueprint $table) {
+            $table->dropColumn('account_id');
+        });
+    }
+};
-Original file line number
+Diff line change
@@ Expand Up / @@ -33,7 +33,7 @@ @@
         |
         */
-        'guard' => ['web'],
+        'guard' => ['api'],
         /*
         |--------------------------------------------------------------------------
@@ Expand Down @@