Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 6 additions & 4 deletions app/Http/Controllers/Api/V1/ConversionController.php
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@
use App\Http\Resources\Api\V1\ConversionResource;
use App\Models\ConversionJob;
use App\Models\FileRecord;
use App\Support\Api\ApiOwnershipGuard;
use App\Support\Conversions\Exceptions\UnsupportedConversionException;
use App\Support\Converters\ConverterRegistry;
use Illuminate\Http\JsonResponse;
Expand All @@ -24,13 +25,14 @@ final class ConversionController
public function __construct(
private readonly ConverterRegistry $registry,
private readonly CreditLedger $creditLedger,
private readonly ApiOwnershipGuard $ownershipGuard,
) {}

public function estimate(EstimateConversionRequest $request): JsonResponse
{
$file = FileRecord::findOrFail($request->integer('file_id'));

abort_if($file->user_id !== $request->user()->id, 403, 'You do not own this file.');
$this->ownershipGuard->ensureFileOwner($request->user(), $file);

$converter = $this->registry->find($file->extension, $request->string('target_format')->toString());

Expand All @@ -57,7 +59,7 @@ public function store(CreateConversionRequest $request): JsonResponse
{
$file = FileRecord::findOrFail($request->integer('file_id'));

abort_if($file->user_id !== $request->user()->id, 403, 'You do not own this file.');
$this->ownershipGuard->ensureFileOwner($request->user(), $file);

$job = app(CreateConversionJobAction::class)->handle(
user: $request->user(),
Expand All @@ -73,14 +75,14 @@ public function store(CreateConversionRequest $request): JsonResponse

public function show(Request $request, ConversionJob $conversion): JsonResponse
{
abort_if($conversion->user_id !== $request->user()->id, 403, 'You do not own this conversion.');
$this->ownershipGuard->ensureConversionOwner($request->user(), $conversion);

return response()->json(['data' => (new ConversionResource($conversion))->resolve()]);
}

public function download(Request $request, ConversionJob $conversion): mixed
{
abort_if($conversion->user_id !== $request->user()->id, 403, 'You do not own this conversion.');
$this->ownershipGuard->ensureConversionOwner($request->user(), $conversion);

if ($conversion->status !== ConversionStatus::Completed) {
return response()->json([
Expand Down
8 changes: 3 additions & 5 deletions app/Http/Controllers/Api/V1/FileController.php
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@
use App\Http\Resources\Api\V1\FileResource;
use App\Http\Resources\Api\V1\TargetFormatResource;
use App\Models\FileRecord;
use App\Support\Api\ApiOwnershipGuard;
use App\Support\Converters\ConverterRegistry;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
Expand All @@ -18,6 +19,7 @@ final class FileController
{
public function __construct(
private readonly ConverterRegistry $registry,
private readonly ApiOwnershipGuard $ownershipGuard,
) {}

public function store(UploadFileRequest $request): JsonResponse
Expand All @@ -34,11 +36,7 @@ public function store(UploadFileRequest $request): JsonResponse

public function targets(Request $request, FileRecord $file): JsonResource
{
abort_if(
$file->user_id !== $request->user()->id,
403,
'You do not own this file.',
);
$this->ownershipGuard->ensureFileOwner($request->user(), $file);

$targets = $this->registry->targetsFor($file->extension);

Expand Down
16 changes: 16 additions & 0 deletions app/Support/Api/ApiExceptionMapper.php
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@
use Illuminate\Auth\Access\AuthorizationException;
use Illuminate\Auth\AuthenticationException;
use Illuminate\Http\Exceptions\ThrottleRequestsException;
use Symfony\Component\HttpKernel\Exception\HttpException;
use Throwable;

final class ApiExceptionMapper
Expand Down Expand Up @@ -62,6 +63,21 @@ public function map(Throwable $e): ?MappedApiError
message: 'Too many requests.',
status: 429,
),
$e instanceof HttpException && $e->getStatusCode() === 401 => new MappedApiError(
code: 'unauthorized',
message: 'Unauthenticated.',
status: 401,
),
$e instanceof HttpException && $e->getStatusCode() === 403 => new MappedApiError(
code: 'forbidden',
message: 'Forbidden.',
status: 403,
),
$e instanceof HttpException && $e->getStatusCode() === 404 => new MappedApiError(
code: 'not_found',
message: 'Resource not found.',
status: 404,
),
default => null,
};
}
Expand Down
27 changes: 27 additions & 0 deletions app/Support/Api/ApiOwnershipGuard.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
<?php

declare(strict_types=1);

namespace App\Support\Api;

use App\Models\ConversionJob;
use App\Models\FileRecord;
use App\Models\User;
use Illuminate\Auth\Access\AuthorizationException;

final class ApiOwnershipGuard
{
public function ensureFileOwner(User $user, FileRecord $file): void
{
if ($file->user_id !== $user->id) {
throw new AuthorizationException('You do not own this file.');
}
}

public function ensureConversionOwner(User $user, ConversionJob $conversion): void
{
if ($conversion->user_id !== $user->id) {
throw new AuthorizationException('You do not own this conversion.');
}
}
}
82 changes: 82 additions & 0 deletions tests/Feature/Api/V1/ApiOwnershipGuardTest.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,82 @@
<?php

declare(strict_types=1);

use App\Enums\Plan;
use App\Models\ConversionJob;
use App\Models\FileRecord;
use App\Models\User;
use App\Services\Api\ApiKeyGenerator;

it('does not allow api user to access another users file targets', function () {
$owner = User::factory()->create(['plan' => Plan::Pro]);
$other = User::factory()->create(['plan' => Plan::Pro]);

$file = FileRecord::factory()->for($owner)->create(['extension' => 'png']);
$token = app(ApiKeyGenerator::class)->create($other, 'Other')->plainToken;

$this->withToken($token)
->getJson("/api/v1/files/{$file->id}/targets")
->assertForbidden()
->assertJsonPath('error.code', 'forbidden');
});

it('does not allow api user to estimate cost on another users file', function () {
$owner = User::factory()->create(['plan' => Plan::Pro]);
$other = User::factory()->create(['plan' => Plan::Pro]);

$file = FileRecord::factory()->for($owner)->create(['extension' => 'png']);
$token = app(ApiKeyGenerator::class)->create($other, 'Other')->plainToken;

$this->withToken($token)
->postJson('/api/v1/conversions/estimate', [
'file_id' => $file->id,
'target_format' => 'jpg',
'options' => [],
])
->assertForbidden()
->assertJsonPath('error.code', 'forbidden');
});

it('does not allow api user to create conversion on another users file', function () {
$owner = User::factory()->create(['plan' => Plan::Pro]);
$other = User::factory()->create(['plan' => Plan::Pro]);

$file = FileRecord::factory()->for($owner)->create(['extension' => 'png']);
$token = app(ApiKeyGenerator::class)->create($other, 'Other')->plainToken;

$this->withToken($token)
->postJson('/api/v1/conversions', [
'file_id' => $file->id,
'target_format' => 'jpg',
'options' => [],
])
->assertForbidden()
->assertJsonPath('error.code', 'forbidden');
});

it('does not allow api user to get another users conversion status', function () {
$owner = User::factory()->create(['plan' => Plan::Pro]);
$other = User::factory()->create(['plan' => Plan::Pro]);

$job = ConversionJob::factory()->for($owner)->queued()->create();
$token = app(ApiKeyGenerator::class)->create($other, 'Other')->plainToken;

$this->withToken($token)
->getJson("/api/v1/conversions/{$job->id}")
->assertForbidden()
->assertJsonPath('error.code', 'forbidden');
});

it('does not allow api user to download another users conversion', function () {
$owner = User::factory()->create(['plan' => Plan::Pro]);
$other = User::factory()->create(['plan' => Plan::Pro]);

$job = ConversionJob::factory()->for($owner)->queued()->create();
$token = app(ApiKeyGenerator::class)->create($other, 'Other')->plainToken;

$this->withToken($token)
->getJson("/api/v1/conversions/{$job->id}/download")
->assertForbidden()
->assertJsonPath('error.code', 'forbidden');
});