
neilcarpenter

I have a plugin that has a routes.php file that defines some routes to backend controller methods.

Route::group(['middleware' => ['web']], function () {
     // I've changed the backend URI from backend to admin
    Route::get('admin/neil/myplugin/api/data', 'Neil\MyPlugin\Controllers\MyPluginController@data');
});

Although this does work, it's not protected by any authentication, meaning I get data without being logged into the backend.

Do I have to include some sort of middleware, or should this be handled automatically because the URL starts with "/admin"?


mjauvin

Good point, let me investigate.

mjauvin

I think you need to handle the Authentication in your controller, since you're pretty much bypassing the regular routing.

So fetch the currently logged in user with BackendAuth::getUser() and check if the user has permission to access your plugin. If no user is logged in, just refuse the request.

mjauvin

You can also use the BackendAuth::check() method for this.

ref. https://github.com/octobercms/library/blob/develop/src/Auth/Manager.php#L450-L525


neilcarpenter

Isn't there a middleware that can be used at routes level or could I at least make my own?

So be able to do something like this...

Route::group(['middleware' => ['web', 'admin']], function () {
    Route::get('admin/neil/myplugin/api/data', 'Neil\MyPlugin\Controllers\MyPluginController@data');
});

And then have an admin middleware somewhere that checks for a logged in backend User?

mjauvin

Sure, that would work too.

neilcarpenter

mjauvin said:

Sure, that would work too.

It just seems really odd that there isn't some middleware that I could use that does this already

mjauvin

This maybe? \Illuminate\Auth\Middleware\Authenticate

mjauvin

But I would write my own middleware for this, it's pretty straightforward.


mjauvin

The backend controller's run() method does this check, but in your case you're calling the data() method of your controller... maybe if you call @run instead !?

neilcarpenter

mjauvin said:

The backend controller's run() method does this check, but in your case you're calling the data() method of your controller... maybe if you call @run instead !?

I tried this, but I just want the raw data. Doing this and following October's controller/method logic for URIs means that running that run() method gets all the menu structure and HTML, which is no good for me in this instance.

It must be that run() method that does the check for auth at some point that we're bypassing.

mjauvin

Yes, it is. That's why in that case you need to define your own middleware.

use Closure;

class AuthMiddleware
{
    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        // Refuse the request unless a backend user is signed in
        if (! \BackendAuth::check()) {
            return \Response::make('Forbidden', 403);
        }

        return $next($request);
    }
}

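A fuller version of the route-middleware approach, written out as an added example rather than code from this thread or from October CMS. It assumes the plugin namespace Neil\MyPlugin, that the alias 'admin' is registered in the plugin's boot() with Route::aliasMiddleware (available on Laravel 5.4 and later), and a placeholder permission code neil.myplugin.access_data that the plugin would have to register itself. Three file excerpts are shown, separated by comments.

```php
<?php
// plugins/neil/myplugin/classes/BackendAuthMiddleware.php (assumed path)
namespace Neil\MyPlugin\Classes;

use Closure;
use BackendAuth;
use Response;

class BackendAuthMiddleware
{
    // $permission is the optional route parameter, e.g. 'admin:neil.myplugin.access_data'
    public function handle($request, Closure $next, $permission = null)
    {
        $user = BackendAuth::getUser();

        // No backend session at all: refuse before the controller method runs
        if (!$user) {
            return Response::json(['error' => 'Unauthorized'], 401);
        }

        // Signed in but without the (placeholder) permission: refuse as well
        if ($permission !== null && !$user->hasAccess($permission)) {
            return Response::json(['error' => 'Forbidden'], 403);
        }

        return $next($request);
    }
}

// plugins/neil/myplugin/Plugin.php, inside the Plugin class
public function boot()
{
    // Expose the class to route definitions under the alias 'admin' (assumed name)
    \Route::aliasMiddleware('admin', \Neil\MyPlugin\Classes\BackendAuthMiddleware::class);
}

// plugins/neil/myplugin/routes.php
// 'web' supplies the session the backend login lives in; 'admin:...' enforces it
Route::group(['middleware' => ['web', 'admin:neil.myplugin.access_data']], function () {
    Route::get('admin/neil/myplugin/api/data', 'Neil\MyPlugin\Controllers\MyPluginController@data');
});
```

Unauthenticated and unauthorised requests never reach the controller, and a JSON error body is returned so an API client does not receive the backend login page.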
mjauvin

As an alternative, you can override your controller's constructor like this:

public function __construct()
{
    parent::__construct();

    // Controller-level middleware: refuse the request when no backend user is signed in
    $this->middleware(function ($request, $response) {
        if (!\BackendAuth::check()) {
            return \Response::make('Forbidden', 403);
        }
    });
}

JeffGoldblum

What I would recommend is to implement your API route handler as an action on your backend controller and then just let the Backend\Classes\BackendController class handle all the authentication like any other regular action on your backend controller:

public function api_data()
{
    // return my API data here
}

backend/myauthor/myplugin/mycontroller/api_data

neilcarpenter

LukeTowers said:

What I would recommend is to implement your API route handler as an action on your backend controller and then just let the Backend\Classes\BackendController class handle all the authentication like any other regular action on your backend controller:

public function api_data()
{
    // return my API data here
}

backend/myauthor/myplugin/mycontroller/api_data

Hi Luke,

Although this does work in terms of protecting the route, it doesn't just bring back the raw data. It seems to return all HTML for the backend navigation and page layout.

Is there a way to tell the controller method not to do that?

Update: Scratch that. I think I can just do something like

return response()->json($data, 200);


JeffGoldblum

That should be correct Neil, additionally I believe you can set $this->layout = false and it won't use the backend layout if you needed a controller action with a completely custom layout.

neilcarpenter

LukeTowers said:

That should be correct Neil, additionally I believe you can set $this->layout = false and it won't use the backend layout if you needed a controller action with a completely custom layout.

Sweet. Thanks Luke.
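The action-based approach recommended above, written out as an added example (not code from the thread or from October CMS): a backend controller whose api_data action returns a JSON response, so no backend layout is rendered, and which lists a placeholder permission code neil.myplugin.access_data in $requiredPermissions so that run() checks the permission as well as the login. The controller name, namespace and sample data are assumed.

```php
<?php namespace Neil\MyPlugin\Controllers;

use Backend\Classes\Controller;
use Response;

class MyPluginController extends Controller
{
    // Backend\Classes\Controller::run() only reaches an action when the signed-in
    // backend user holds the listed permission (placeholder code; it would have to
    // be registered in the plugin's registerPermissions()).
    public $requiredPermissions = ['neil.myplugin.access_data'];

    // Served at /backend/neil/myplugin/myplugincontroller/api_data (or /admin/...
    // when the backend URI is renamed). Login and permission checks happen in run()
    // before this method is called, so there is no auth code here.
    public function api_data()
    {
        // Constructed sample payload; a real action would load this from its models
        $data = [
            'items'        => [['id' => 1, 'name' => 'sample row']],
            'generated_at' => date('c'),
        ];

        // Returning a Response object (rather than a string or nothing) skips the
        // backend layout, so only the JSON body is sent back to the client.
        return Response::json($data, 200);
    }
}
```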

