994fa0733f
- Bearer token auth middleware on POST /register and /records - Throttle: 10 registrations/min, 20 DNS updates/min - Token configurable via API_TOKEN env var (disabled when empty) - Daemon alias validation: a-z 0-9 . - up to 255 chars Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
37 lines
803 B
PHP
37 lines
803 B
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace App\Http\Middleware;
|
|
|
|
use Closure;
|
|
use Illuminate\Http\Request;
|
|
|
|
/**
|
|
* Bearer token auth for write API endpoints.
|
|
*
|
|
* Set API_TOKEN in .env. Blesta module sends it in Authorization header.
|
|
* Read-only endpoints are public.
|
|
*/
|
|
class ApiTokenAuth
|
|
{
|
|
public function handle(Request $request, Closure $next): mixed
|
|
{
|
|
$token = config('chain.api_token', '');
|
|
|
|
// Skip auth if no token configured (dev mode)
|
|
if (empty($token)) {
|
|
return $next($request);
|
|
}
|
|
|
|
$bearer = $request->bearerToken();
|
|
|
|
if ($bearer !== $token) {
|
|
return response()->json([
|
|
'error' => 'Unauthorised. Bearer token required.',
|
|
], 401);
|
|
}
|
|
|
|
return $next($request);
|
|
}
|
|
}
|