From 9e2d7277b0d577e94cfa16a333ed8760a24577b7 Mon Sep 17 00:00:00 2001
From: Juan Pablo Vial
Date: Mon, 12 May 2025 16:01:09 -0400
Subject: [PATCH] Validacion API/external

---
 app/setup/settings/urls.php | 5 ++++
 app/setup/setups/middlewares.php | 3 ++-
 app/src/Middleware/API.php | 41 +++++++++++++++++++++++++++++++-
 3 files changed, 47 insertions(+), 2 deletions(-)

diff --git a/app/setup/settings/urls.php b/app/setup/settings/urls.php
index c0b5f8f..a227234 100644
--- a/app/setup/settings/urls.php
+++ b/app/setup/settings/urls.php
@@ -27,4 +27,9 @@ return [
 '/api/login/',
 '/api/logout'
 ],
+ 'externalPaths' => [
+ '/api/external' => [
+ '/toku' => $_ENV['TOKU_TOKEN']
+ ],
+ ]
 ];
diff --git a/app/setup/setups/middlewares.php b/app/setup/setups/middlewares.php
index 1003a01..a6215a1 100644
--- a/app/setup/setups/middlewares.php
+++ b/app/setup/setups/middlewares.php
@@ -17,9 +17,10 @@ return [
 $container->get(Psr\Log\LoggerInterface::class),
 $container->get(Incoviba\Service\API::class),
 $container->get(Incoviba\Service\Login::class),
+ $container->get('API_KEY'),
 $container->get('permittedPaths'),
 $container->get('simplePaths'),
- $container->get('API_KEY')
+ $container->get('externalPaths'),
 );
 }
 ];
diff --git a/app/src/Middleware/API.php b/app/src/Middleware/API.php
index 9eb0963..a7318b0 100644
--- a/app/src/Middleware/API.php
+++ b/app/src/Middleware/API.php
@@ -15,12 +15,16 @@ class API
 protected LoggerInterface $logger,
 protected Service\API $apiService,
 protected Service\Login $loginService,
+ protected string $key,
 protected array $permittedPaths,
 protected array $simplePaths,
- protected string $key) {}
+ protected array $externalPaths) {}
 
 public function __invoke(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
 {
+ if ($this->validExternal($request)) {
+ return $handler->handle($request);
+ }
 try {
 $key = $this->apiService->getKey($request);
 } catch (MissingAuthorizationHeader $exception) {
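Review bot: `$_ENV['TOKU_TOKEN']` is read without a presence check, so when the variable is missing the `/toku` entry is still registered with a null secret and PHP emits an undefined-array-key warning at config load. The middleware's strict comparison will then never match, which fails closed, but the misconfiguration only surfaces as rejected requests from the external caller. Failing fast at load time is clearer: `'/toku' => $_ENV['TOKU_TOKEN'] ?? throw new \RuntimeException('TOKU_TOKEN is not set'),`. Also confirm that `$_ENV` is actually populated in this deployment (it requires `E` in `variables_order` or a dotenv loader writing to it); otherwise `getenv('TOKU_TOKEN')` is the safer read.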
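Review bot: The `Middleware\API` constructor is wired positionally, which is why moving `$key` ahead of `$permittedPaths` had to be mirrored in this file, and a future swap of two `array` arguments (`permittedPaths`, `simplePaths`, `externalPaths`) would pass type checks silently and change authorization behaviour. Named arguments, e.g. `key: $container->get('API_KEY'),` and `externalPaths: $container->get('externalPaths'),`, would make this wiring independent of parameter order.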
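Review bot: When `validExternal()` returns false for a request whose path does match a configured external entry (wrong or missing key), the new early return simply does not fire and the request continues into the regular API-key flow, so a failed external authentication leaves no trace in the injected `$this->logger` and is indistinguishable from an ordinary API call. Decide explicitly whether an external path should still be reachable with the general `API_KEY`; if not, the path match and the key check need to be separated so that a matched path with a bad key can be logged at warning level and answered with a 401 here instead of falling through. `__invoke` continues beyond this hunk, so the fall-through behaviour is inferred from the visible lines only.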
@@ -63,4 +67,39 @@ class API
 $uri = $request->getUri();
 return in_array($uri->getPath(), $this->permittedPaths);
 }
+ protected function validExternal(ServerRequestInterface $request): bool
+ {
+ $uri = $request->getUri();
+ foreach ($this->externalPaths as $basePath => $paths) {
+ if (!str_starts_with($uri->getPath(), $basePath)) {
+ continue;
+ }
+ foreach ($paths as $subPath) {
+ $fullPath = "{$basePath}{$subPath}";
+ if ($uri->getPath() === $fullPath) {
+ return $this->validateExternalKey($request, $basePath, $subPath);
+ }
+ }
+ }
+ return false;
+ }
+ protected function validateExternalKey(ServerRequestInterface $request, $basePath, $subPath): bool
+ {
+ if ($request->hasHeader('x-api-key')) {
+ $key = $request->getHeaderLine('x-api-key');
+ if ($key === $this->externalPaths[$basePath][$subPath]) {
+ return true;
+ }
+ }
+ if ($request->hasHeader('Authorization')) {
+ $key = $request->getHeaderLine('Authorization');
+ if (str_starts_with($key, 'Bearer ')) {
+ $key = substr($key, 7);
+ if ($key === $this->externalPaths[$basePath][$subPath]) {
+ return true;
+ }
+ }
+ }
+ return false;
+ }
 }
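Review bot: `foreach ($paths as $subPath)` in `validExternal` iterates the values of the inner array, so with the configured shape `'/toku' => $_ENV['TOKU_TOKEN']` `$subPath` receives the secret rather than `/toku`; `$fullPath` then never equals the request path, `validateExternalKey` is never reached, and every external request falls through to the regular key check. The loop must bind the key: `foreach ($paths as $subPath => $secret) {`. In `validateExternalKey` the secret is compared with `===`, which is not constant-time and also lets an unset configured secret (`null`) be compared without complaint; use `hash_equals()` and reject an unset or empty secret before comparing, as in the rewrite below. The `$basePath` and `$subPath` parameters are also left untyped while the rest of the class declares types.

```php
// … unchanged: validExternal, except the inner loop becomes `foreach ($paths as $subPath => $secret) {` …
protected function validateExternalKey(ServerRequestInterface $request, string $basePath, string $subPath): bool
{
    $expected = $this->externalPaths[$basePath][$subPath] ?? null;
    // An unset or empty configured secret must never match a presented key.
    if (!is_string($expected) || $expected === '') {
        return false;
    }
    if ($request->hasHeader('x-api-key')
        && hash_equals($expected, $request->getHeaderLine('x-api-key'))) {
        return true;
    }
    if ($request->hasHeader('Authorization')) {
        $authorization = $request->getHeaderLine('Authorization');
        if (str_starts_with($authorization, 'Bearer ')
            && hash_equals($expected, substr($authorization, 7))) {
            return true;
        }
    }
    return false;
}
```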