API keys can be extracted from different sources

This commit allows API keys to be extracted both from request query
string and request headers.
The extraction technique can be configured and the parameter holding the
API key can also be changed.

There is no BC break with this commit as default settings match the
previous behavior.

Author: K-Phoen

src/Uecode/Bundle/ApiKeyBundle/DependencyInjection/Configuration.php

@@ -15,6 +15,21 @@ public function getConfigTreeBuilder()
         $treeBuilder = new TreeBuilder();
         $rootNode = $treeBuilder->root('uecode_api_key');
 
+        $rootNode
+            ->children()
+                ->scalarNode('delivery')
+                    ->defaultValue('query')
+                    ->validate()
+                        ->ifNotInArray(array('query', 'header'))
+                        ->thenInvalid('Unknown authentication delivery type "%s".')
+                     ->end()
+                 ->end()
+                ->scalarNode('parameter_name')
+                    ->defaultValue('api_key')
+                 ->end()
+            ->end()
+        ;
+
         return $treeBuilder;
     }
 }

src/Uecode/Bundle/ApiKeyBundle/DependencyInjection/UecodeApiKeyExtension.php

@@ -22,6 +22,14 @@ public function load(array $configs, ContainerBuilder $container)
             new FileLocator(__DIR__.'/../Resources/config')
         );
         $loader->load('services.yml');
+
+        $this->defineKeyExtractor($config, $container);
+    }
+
+    private function defineKeyExtractor(array $config, ContainerBuilder $container)
+    {
+        $container->setParameter('uecode.api_key.parameter_name', $config['parameter_name']);
+        $container->setAlias('uecode.api_key.extractor', 'uecode.api_key.extractor.'.$config['delivery']);
     }
 }
 

src/Uecode/Bundle/ApiKeyBundle/Extractor/HeaderExtractor.php

@@ -0,0 +1,39 @@
+<?php
+
+namespace Uecode\Bundle\ApiKeyBundle\Extractor;
+
+use Symfony\Component\HttpFoundation\Request;
+
+/**
+ * Extracts API keys from request headers.
+ *
+ * @author Kévin Gomez <contact@kevingomez.fr>
+ */
+class HeaderExtractor implements KeyExtractor
+{
+    private $parameterName;
+
+    /**
+     * @param string $parameterName The name of the URL parameter containing the API key.
+     */
+    public function __construct($parameterName)
+    {
+        $this->parameterName = $parameterName;
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    public function hasKey(Request $request)
+    {
+        return $request->headers->has($this->parameterName);
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    public function extractKey(Request $request)
+    {
+        return $request->headers->get($this->parameterName);
+    }
+}

src/Uecode/Bundle/ApiKeyBundle/Extractor/KeyExtractor.php

@@ -0,0 +1,29 @@
+<?php
+
+namespace Uecode\Bundle\ApiKeyBundle\Extractor;
+
+use Symfony\Component\HttpFoundation\Request;
+
+/**
+ * @author Kévin Gomez <contact@kevingomez.fr>
+ */
+interface KeyExtractor
+{
+    /**
+     * Tells if the given requests carries an API key.
+     *
+     * @param Request $request
+     *
+     * @return bool
+     */
+    function hasKey(Request $request);
+
+    /**
+     * Extract the API key from thhe given request
+     *
+     * @param Request $request
+     *
+     * @return string
+     */
+    function extractKey(Request $request);
+}

src/Uecode/Bundle/ApiKeyBundle/Extractor/QueryExtractor.php

@@ -0,0 +1,39 @@
+<?php
+
+namespace Uecode\Bundle\ApiKeyBundle\Extractor;
+
+use Symfony\Component\HttpFoundation\Request;
+
+/**
+ * Extracts API keys from a request query string.
+ *
+ * @author Kévin Gomez <contact@kevingomez.fr>
+ */
+class QueryExtractor implements KeyExtractor
+{
+    private $parameterName;
+
+    /**
+     * @param string $parameterName The name of the URL parameter containing the API key.
+     */
+    public function __construct($parameterName)
+    {
+        $this->parameterName = $parameterName;
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    public function hasKey(Request $request)
+    {
+        return $request->query->has($this->parameterName);
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    public function extractKey(Request $request)
+    {
+        return $request->query->get($this->parameterName);
+    }
+}

src/Uecode/Bundle/ApiKeyBundle/Resources/config/services.yml

@@ -3,6 +3,9 @@ parameters:
     uecode.api_key.provider.api_key.class:       Uecode\Bundle\ApiKeyBundle\Security\Authentication\Provider\ApiKeyProvider
     uecode.api_key.listener.api_key.class:       Uecode\Bundle\ApiKeyBundle\Security\Firewall\ApiKeyListener
 
+    uecode.api_key.extractor.query.class:        Uecode\Bundle\ApiKeyBundle\Extractor\QueryExtractor
+    uecode.api_key.extractor.header.class:       Uecode\Bundle\ApiKeyBundle\Extractor\HeaderExtractor
+
 services:
     uecode.api_key.provider.user_provider:
         class: %uecode.api_key.provider.user_provider.class%
@@ -12,5 +15,13 @@ services:
         arguments: [""]
     uecode.api_key.listener.api_key:
         class: %uecode.api_key.listener.api_key.class%
-        arguments: [@security.context, @security.authentication.manager]
+        arguments: [@security.context, @security.authentication.manager, @uecode.api_key.extractor]
 
+    uecode.api_key.extractor.query:
+        class: %uecode.api_key.extractor.query.class%
+        arguments: [%uecode.api_key.parameter_name%]
+        public: false
+    uecode.api_key.extractor.header:
+        class: %uecode.api_key.extractor.header.class%
+        arguments: [%uecode.api_key.parameter_name%]
+        public: false

src/Uecode/Bundle/ApiKeyBundle/Security/Firewall/ApiKeyListener.php

@@ -9,6 +9,7 @@
 use Symfony\Component\Security\Core\SecurityContextInterface;
 use Symfony\Component\Security\Http\Firewall\ListenerInterface;
 use Uecode\Bundle\ApiKeyBundle\Security\Authentication\Token\ApiKeyUserToken;
+use Uecode\Bundle\ApiKeyBundle\Extractor\KeyExtractor;
 
 /**
  * @author Aaron Scherer <aequasi@gmail.com>
@@ -25,10 +26,16 @@ class ApiKeyListener implements ListenerInterface
      */
     protected $authenticationManager;
 
-    public function __construct(SecurityContextInterface $context, AuthenticationManagerInterface $manager)
+    /**
+     * @var KeyExtractor
+     */
+    protected $keyExtractor;
+
+    public function __construct(SecurityContextInterface $context, AuthenticationManagerInterface $manager, KeyExtractor $keyExtractor)
     {
         $this->securityContext       = $context;
         $this->authenticationManager = $manager;
+        $this->keyExtractor          = $keyExtractor;
     }
 
     /**
@@ -39,15 +46,18 @@ public function __construct(SecurityContextInterface $context, AuthenticationMan
     public function handle(GetResponseEvent $event)
     {
         $request = $event->getRequest();
-        if (!$request->query->has('api_key')) {
+
+        if (!$this->keyExtractor->hasKey($request)) {
             $response = new Response();
             $response->setStatusCode(401);
             $event->setResponse($response);
             return ;
         }
 
+        $apiKey = $this->keyExtractor->extractKey($request);
+
         $token = new ApiKeyUserToken();
-        $token->setApiKey($request->query->get('api_key'));
+        $token->setApiKey($apiKey);
 
         try {
             $authToken = $this->authenticationManager->authenticate($token);
@@ -56,7 +66,7 @@ public function handle(GetResponseEvent $event)
             return;
         } catch (AuthenticationException $failed) {
             $token = $this->securityContext->getToken();
-            if ($token instanceof ApiKeyUserToken && $token->getCredentials() == $request->query->get('apiKey')) {
+            if ($token instanceof ApiKeyUserToken && $token->getCredentials() == $apiKey) {
                 $this->securityContext->setToken(null);
             }