|
| 1 | +<?php |
| 2 | +namespace Kyte\Core\Auth; |
| 3 | + |
| 4 | +use Kyte\Core\Api; |
| 5 | +use Kyte\Core\ModelObject; |
| 6 | +use Kyte\Exception\SessionException; |
| 7 | + |
| 8 | +/** |
| 9 | + * Anonymous application-context strategy — JWT-mode public/anonymous access. |
| 10 | + * |
| 11 | + * Lets a site running in JWT auth mode (endpoint + appId, no embedded HMAC |
| 12 | + * key/secret) serve `requireAuth=false` controllers to ANONYMOUS visitors |
| 13 | + * (no user, before any login) using only the `x-kyte-appid` header — no |
| 14 | + * Bearer, no HMAC identity/signature. This closes the gap where JWT mode |
| 15 | + * could not serve public/catalog browsing the way HMAC mode can. |
| 16 | + * |
| 17 | + * SECURITY INVARIANT (load-bearing): preAuth() resolves the application's |
| 18 | + * ACCOUNT for query scoping but deliberately resolves NO user and NEVER sets |
| 19 | + * `$api->session->hasSession`. ModelController::authenticate() throws unless |
| 20 | + * BOTH `$api->user->id` and `$api->session->hasSession` are set, so every |
| 21 | + * `requireAuth=true` controller keeps returning 403 to anonymous requests. |
| 22 | + * Only controllers that explicitly opt out (`requireAuth=false`) are |
| 23 | + * reachable, and even those are READ-ONLY for this path (ModelController |
| 24 | + * restricts an app_context request to GET). |
| 25 | + * |
| 26 | + * Per-app opt-in: an application must set `Application.allow_public = 1` to |
| 27 | + * serve anonymous requests. A non-opted-in app's appid-only request is |
| 28 | + * rejected in preAuth (so anonymous access is never silently enabled). |
| 29 | + * |
| 30 | + * matches() is STRICT and header-only: it claims a request ONLY when an |
| 31 | + * `x-kyte-appid` is present AND there is no Authorization Bearer, no |
| 32 | + * `x-kyte-signature`, and no `x-kyte-identity`. That is mutually exclusive |
| 33 | + * with every authenticated flow, so it can never shadow HMAC or JWT. Slotted |
| 34 | + * in AuthDispatcher AFTER JwtSessionStrategy and BEFORE HmacSessionStrategy. |
| 35 | + */ |
| 36 | +class AppContextStrategy implements AuthStrategy |
| 37 | +{ |
| 38 | + public function name(): string |
| 39 | + { |
| 40 | + return 'app_context'; |
| 41 | + } |
| 42 | + |
| 43 | + /** |
| 44 | + * Claim only genuine anonymous app-only requests: an appid is present and |
| 45 | + * NO authenticated credential (Bearer / HMAC signature / HMAC identity) |
| 46 | + * accompanies it. Pure header inspection, no side effects. |
| 47 | + */ |
| 48 | + public function matches(): bool |
| 49 | + { |
| 50 | + if (empty($_SERVER['HTTP_X_KYTE_APPID'])) { |
| 51 | + return false; |
| 52 | + } |
| 53 | + // A Bearer token belongs to McpToken or Jwt; an identity/signature |
| 54 | + // belongs to Hmac. If any is present, this is not an anonymous request. |
| 55 | + if ($this->authorizationHeader() !== null) { |
| 56 | + return false; |
| 57 | + } |
| 58 | + if (!empty($_SERVER['HTTP_X_KYTE_SIGNATURE'])) { |
| 59 | + return false; |
| 60 | + } |
| 61 | + if (!empty($_SERVER['HTTP_X_KYTE_IDENTITY'])) { |
| 62 | + return false; |
| 63 | + } |
| 64 | + return true; |
| 65 | + } |
| 66 | + |
| 67 | + /** |
| 68 | + * Establish anonymous application context: resolve the account from the |
| 69 | + * already-resolved app (Api::route() resolves $api->app from x-kyte-appid |
| 70 | + * before auth). Resolves NO user and never sets hasSession. |
| 71 | + */ |
| 72 | + public function preAuth(Api $api): void |
| 73 | + { |
| 74 | + if ($api->app === null || $api->appId === null) { |
| 75 | + throw new SessionException('Anonymous access requires a valid application context (x-kyte-appid).'); |
| 76 | + } |
| 77 | + |
| 78 | + // Per-app opt-in. Without an explicit Application.allow_public=1, an |
| 79 | + // appid-only request is rejected — anonymous access is never implicit. |
| 80 | + if ((int)($api->app->allow_public ?? 0) !== 1) { |
| 81 | + throw new SessionException('Anonymous access is not enabled for this application.'); |
| 82 | + } |
| 83 | + |
| 84 | + // Resolve the account from the application for query scoping only. |
| 85 | + $account = new ModelObject(KyteAccount); |
| 86 | + if (!$account->retrieve('id', (int)$api->app->kyte_account)) { |
| 87 | + throw new SessionException('Unable to resolve account for application.'); |
| 88 | + } |
| 89 | + $api->account = $account; |
| 90 | + |
| 91 | + // Anonymous response markers. NOT setting $api->user->id and NOT |
| 92 | + // touching $api->session->hasSession is the security invariant. |
| 93 | + $api->response['session'] = '0'; |
| 94 | + $api->response['uid'] = '0'; |
| 95 | + |
| 96 | + // Language resolution from account/app only (no user). |
| 97 | + $finalLanguage = defined('APP_LANG') ? APP_LANG : 'en'; |
| 98 | + if (isset($api->account->default_language) && !empty($api->account->default_language)) { |
| 99 | + $finalLanguage = $api->account->default_language; |
| 100 | + } |
| 101 | + if (isset($api->app->language) && !empty($api->app->language)) { |
| 102 | + $finalLanguage = $api->app->language; |
| 103 | + } |
| 104 | + \Kyte\Util\I18n::setLanguage($finalLanguage); |
| 105 | + } |
| 106 | + |
| 107 | + /** |
| 108 | + * No signature/token to verify — anonymous app context is fully |
| 109 | + * established in preAuth. |
| 110 | + */ |
| 111 | + public function verify(Api $api): void |
| 112 | + { |
| 113 | + } |
| 114 | + |
| 115 | + /** |
| 116 | + * Read the Authorization header across the SAPI variants (mirrors |
| 117 | + * JwtSessionStrategy / McpTokenStrategy). |
| 118 | + */ |
| 119 | + private function authorizationHeader(): ?string |
| 120 | + { |
| 121 | + $candidates = [ |
| 122 | + $_SERVER['HTTP_AUTHORIZATION'] ?? null, |
| 123 | + $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ?? null, |
| 124 | + ]; |
| 125 | + foreach ($candidates as $value) { |
| 126 | + if (is_string($value) && $value !== '') { |
| 127 | + return $value; |
| 128 | + } |
| 129 | + } |
| 130 | + if (\function_exists('apache_request_headers')) { |
| 131 | + $headers = \apache_request_headers(); |
| 132 | + if (is_array($headers)) { |
| 133 | + foreach ($headers as $hname => $value) { |
| 134 | + if (strcasecmp($hname, 'Authorization') === 0 && is_string($value) && $value !== '') { |
| 135 | + return $value; |
| 136 | + } |
| 137 | + } |
| 138 | + } |
| 139 | + } |
| 140 | + return null; |
| 141 | + } |
| 142 | +} |
0 commit comments