From b6553d65361eea9411c5ce3523140da7b2838e72 Mon Sep 17 00:00:00 2001 From: Kris Date: Fri, 22 Sep 2023 15:37:03 +0200 Subject: [PATCH] :fire: Remove API login endpoint (#1921) --- .../Controllers/API/v1/AuthController.php | 28 ++----------- config/l5-swagger.php | 42 +++++++++---------- resources/lang/de.json | 1 + resources/lang/en.json | 1 + resources/views/dev/access-token.blade.php | 2 + resources/views/settings/api-token.blade.php | 4 +- routes/api.php | 1 - 7 files changed, 30 insertions(+), 49 deletions(-)
diff --git a/app/Http/Controllers/API/v1/AuthController.php b/app/Http/Controllers/API/v1/AuthController.php
index 0b68437e9..c208f554a 100644
--- a/app/Http/Controllers/API/v1/AuthController.php
+++ b/app/Http/Controllers/API/v1/AuthController.php
@@ -2,7 +2,6 @@
 namespace App\Http\Controllers\API\v1;
-use App\Http\Controllers\Backend\Auth\LoginController;
 use App\Http\Resources\UserSettingsResource;
 use App\Providers\AuthServiceProvider;
 use Illuminate\Http\JsonResponse;
@@ -11,28 +10,6 @@ class AuthController extends Controller {
- /**
- * @param Request $request
- *
- * @return JsonResponse
- * @deprecated Remove before 2023-10! Maybe earlier - if possible. Deprecation is already announced since
- * November'22.
- */
- public function login(Request $request): JsonResponse {
- $validated = $request->validate(['login' => ['required', 'max:255'], 'password' => ['required', 'min:8', 'max:255']]);
-
- if (LoginController::login($validated['login'], $validated['password'])) {
- $token = $request->user()->createToken('token', array_keys(AuthServiceProvider::$scopes));
- return $this->sendResponse([
- 'WARNING' => 'This endpoint (login) is deprecated and will be removed in the following weeks. Please migrate to use OAuth2. More information: https://github.com/Traewelling/traewelling/issues/1772',
- 'token' => $token->accessToken,
- 'expires_at' => $token->token->expires_at->toIso8601String(),
- ])
- ->header('Authorization', $token->accessToken);
- }
- return $this->sendError('Non-matching credentials', 401);
- }
-
 /**
 * @OA\Post(
 * path="/auth/logout",
@@ -134,7 +111,8 @@ public function refresh(Request $request): JsonResponse {
 $oldToken->revoke();
 return $this->sendResponse([
 'token' => $newToken->accessToken,
- 'expires_at' => $newToken->token->expires_at->toIso8601String()]
- )->header('Authorization', $newToken->accessToken);
+ 'expires_at' => $newToken->token->expires_at->toIso8601String()
+ ])
+ ->header('Authorization', $newToken->accessToken);
 }
 }
diff --git a/config/l5-swagger.php b/config/l5-swagger.php
index 17f05e9e2..fb22d1057 100644
--- a/config/l5-swagger.php
+++ b/config/l5-swagger.php
@@ -174,28 +174,28 @@
 /* Open API 3.0 support */
- 'passport' => [ // Unique name of security
- 'type' => 'oauth2',
- 'description' => 'OAuth2 authorizationCode Flow. ' .
- 'Get your token from https://traewelling.de/settings/applications. ' .
- 'Set the redirect URL to https://traewelling.de/api/oauth2-callback to use it ' .
- 'here. See also https://laravel.com/docs/9.x/passport',
- 'in' => 'header',
- 'scheme' => 'https',
- 'flows' => [
- "authorizationCode" => [
- "authorizationUrl" => config('app.url') . '/oauth/authorize',
- "tokenUrl" => config('app.url') . '/oauth/token',
- "refreshUrl" => config('app.url') . '/auth/refresh',
- "scopes" => AuthServiceProvider::$scopes
- ],
- ],
+ 'passport' => [ // Unique name of security
+ 'type' => 'oauth2',
+ 'description' => 'OAuth2 authorizationCode Flow. ' .
+ 'Get your token from https://traewelling.de/settings/applications. ' .
+ 'Set the redirect URL to https://traewelling.de/api/oauth2-callback to use it ' .
+ 'here. See also https://laravel.com/docs/9.x/passport',
+ 'in' => 'header',
+ 'scheme' => 'https',
+ 'flows' => [
+ "authorizationCode" => [
+ "authorizationUrl" => config('app.url') . '/oauth/authorize',
+ "tokenUrl" => config('app.url') . '/oauth/token',
+ "refreshUrl" => config('app.url') . '/auth/refresh',
+ "scopes" => AuthServiceProvider::$scopes
+ ],
+ ],
 ],
- 'token' => [ // Unique name of security
- 'type' => 'apiKey', // Valid values are "basic", "apiKey" or "oauth2".
- 'description' => 'Enter token in format "Bearer \"',
- 'name' => 'Authorization', // The name of the header or query parameter to be used.
- 'in' => 'header',
+ 'token' => [ // Unique name of security
+ 'type' => 'apiKey', // Valid values are "basic", "apiKey" or "oauth2".
+ 'description' => 'Enter token in format "Bearer \". You can create your personal access token at https://traewelling.de/settings/applications. We recommend this method for prototyping purposes. 
For all other use cases please use the oAuth method above.',
+ 'name' => 'Authorization', // The name of the header or query parameter to be used.
+ 'in' => 'header',
 ],
 ],
diff --git a/resources/lang/de.json b/resources/lang/de.json
index 251c8606a..f3eba52b2 100644
--- a/resources/lang/de.json
+++ b/resources/lang/de.json
@@ -707,6 +707,7 @@
 "access-token-remove-at": "Du kannst den AccessToken jederzeit in den Einstellungen unter 'API-Tokens' entfernen.",
 "your-access-token": "Dein AccessToken",
 "your-access-token-description": "Du kannst dir einen AccessToken generieren um auf deinen eigenen Account zuzugreifen.",
+ "your-access-token.ask": "Wir von Träwelling werden dich niemals nach deinem AccessToken fragen. Wenn du von jemandem danach gefragt wirst, ist das vermutlich ein Betrugsversuch.",
 "access-token-is-private": "Behandle deinen AccessToken wie ein Passwort. Gib ihn niemals an Dritte weiter.",
 "refresh": "Aktualisieren"
 }
diff --git a/resources/lang/en.json b/resources/lang/en.json
index 626f943f7..e0256c990 100644
--- a/resources/lang/en.json
+++ b/resources/lang/en.json
@@ -707,6 +707,7 @@
 "access-token-remove-at": "You can remove the AccessToken at any time in the settings under 'API Tokens'.",
 "your-access-token": "Your AccessToken",
 "your-access-token-description": "You can generate an AccessToken to access your own account.",
+ "your-access-token.ask": "We at Träwelling will never ask you for your AccessToken. If you are asked for it, it is probably a scam.",
 "access-token-is-private": "Treat your AccessToken like a password. Never give it to third parties.",
 "refresh": "Refresh"
 }
diff --git a/resources/views/dev/access-token.blade.php b/resources/views/dev/access-token.blade.php
index b2977d7c5..9cf5cec2a 100644
--- a/resources/views/dev/access-token.blade.php
+++ b/resources/views/dev/access-token.blade.php
@@ -21,5 +21,7 @@ class="text-center"> 
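Review bot: The new `token` description near the end of the hunk is a single ~250-character line, while the sibling `passport` entry a few lines above splits its description into `.`-concatenated fragments; match that layout (one sentence per fragment, e.g. `'We recommend this method for prototyping purposes. ' .` on its own line) so the line stays within the 120-column convention and later wording edits diff cleanly. Most of the rest of the hunk is a re-indent of the otherwise unchanged `passport` block, so keeping whitespace-only reformatting in its own commit would leave only the real change to review. Separately, `refreshUrl` under `authorizationCode` points at the application's `/auth/refresh` endpoint rather than the `/oauth/token` endpoint given as `tokenUrl`; with Laravel Passport the refresh_token grant is presumably served by `/oauth/token`, so confirm which URL OAuth clients are meant to use here. The enclosing config array continues outside the hunk.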
diff --git a/resources/views/settings/api-token.blade.php b/resources/views/settings/api-token.blade.php
index 5dcd659fa..70fd158f0 100644
--- a/resources/views/settings/api-token.blade.php
+++ b/resources/views/settings/api-token.blade.php
@@ -3,7 +3,7 @@ @section('content')
-
+
{{ __('settings.title-tokens') }}
@@ -42,7 +42,7 @@
-
+
@include('dev.access-token')
diff --git a/routes/api.php b/routes/api.php
index 8a76200c9..754189bf0 100644
--- a/routes/api.php
+++ b/routes/api.php
@@ -32,7 +32,6 @@ Route::group(['prefix' => 'v1', 'middleware' => ['return-json']], static function() {
 Route::group(['prefix' => 'auth'], function() {
- Route::post('login', [v1Auth::class, 'login']);
 Route::group(['middleware' => 'auth:api'], static function() {
 Route::post('refresh', [v1Auth::class, 'refresh']);
 Route::post('logout', [v1Auth::class, 'logout']);