mirror of
https://github.com/coollabsio/coolify.git
synced 2026-03-11 08:55:47 +00:00
Sanctum uses the numeric prefix (e.g. "69|...") in plaintext tokens to index and look up tokens. Stripping this prefix breaks token resolution.
142 lines
5.6 KiB
PHP
142 lines
5.6 KiB
PHP
<?php
|
|
|
|
namespace App\Livewire\Security;
|
|
|
|
use App\Models\InstanceSettings;
|
|
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
|
|
use Laravel\Sanctum\PersonalAccessToken;
|
|
use Livewire\Component;
|
|
|
|
class ApiTokens extends Component
|
|
{
|
|
use AuthorizesRequests;
|
|
|
|
public ?string $description = null;
|
|
|
|
public $tokens = [];
|
|
|
|
public array $permissions = ['read'];
|
|
|
|
public $isApiEnabled;
|
|
|
|
public bool $canUseRootPermissions = false;
|
|
|
|
public bool $canUseWritePermissions = false;
|
|
|
|
public bool $canUseDeployPermissions = false;
|
|
|
|
public bool $canUseSensitivePermissions = false;
|
|
|
|
public function render()
|
|
{
|
|
return view('livewire.security.api-tokens');
|
|
}
|
|
|
|
public function mount()
|
|
{
|
|
$this->isApiEnabled = InstanceSettings::get()->is_api_enabled;
|
|
$this->canUseRootPermissions = auth()->user()->can('useRootPermissions', PersonalAccessToken::class);
|
|
$this->canUseWritePermissions = auth()->user()->can('useWritePermissions', PersonalAccessToken::class);
|
|
$this->canUseDeployPermissions = auth()->user()->can('useDeployPermissions', PersonalAccessToken::class);
|
|
$this->canUseSensitivePermissions = auth()->user()->can('useSensitivePermissions', PersonalAccessToken::class);
|
|
$this->getTokens();
|
|
}
|
|
|
|
private function getTokens()
|
|
{
|
|
$this->tokens = auth()->user()->tokens->sortByDesc('created_at');
|
|
}
|
|
|
|
public function updatedPermissions($permissionToUpdate)
|
|
{
|
|
// Re-evaluate policies fresh — never trust stored snapshot booleans
|
|
if ($permissionToUpdate == 'root' && ! auth()->user()->can('useRootPermissions', PersonalAccessToken::class)) {
|
|
$this->dispatch('error', 'You do not have permission to use root permissions.');
|
|
$this->permissions = array_diff($this->permissions, ['root']);
|
|
|
|
return;
|
|
}
|
|
|
|
if (in_array($permissionToUpdate, ['write', 'write:sensitive']) && ! auth()->user()->can('useWritePermissions', PersonalAccessToken::class)) {
|
|
$this->dispatch('error', 'You do not have permission to use write permissions.');
|
|
$this->permissions = array_diff($this->permissions, ['write', 'write:sensitive']);
|
|
|
|
return;
|
|
}
|
|
|
|
if ($permissionToUpdate == 'deploy' && ! auth()->user()->can('useDeployPermissions', PersonalAccessToken::class)) {
|
|
$this->dispatch('error', 'You do not have permission to use deploy permissions.');
|
|
$this->permissions = array_diff($this->permissions, ['deploy']);
|
|
|
|
return;
|
|
}
|
|
|
|
if ($permissionToUpdate == 'read:sensitive' && ! auth()->user()->can('useSensitivePermissions', PersonalAccessToken::class)) {
|
|
$this->dispatch('error', 'You do not have permission to use read:sensitive permissions.');
|
|
$this->permissions = array_diff($this->permissions, ['read:sensitive']);
|
|
|
|
return;
|
|
}
|
|
|
|
if ($permissionToUpdate == 'root') {
|
|
$this->permissions = ['root'];
|
|
} elseif ($permissionToUpdate == 'read:sensitive' && ! in_array('read', $this->permissions)) {
|
|
$this->permissions[] = 'read';
|
|
} elseif ($permissionToUpdate == 'deploy') {
|
|
$this->permissions = ['deploy'];
|
|
} else {
|
|
if (count($this->permissions) == 0) {
|
|
$this->permissions = ['read'];
|
|
}
|
|
}
|
|
sort($this->permissions);
|
|
}
|
|
|
|
public function addNewToken()
|
|
{
|
|
try {
|
|
$this->authorize('create', PersonalAccessToken::class);
|
|
|
|
// Re-evaluate policies fresh against the current authenticated user.
|
|
// Never trust $this->canUse* booleans — they come from the Livewire
|
|
// snapshot which can be replayed from another user's session.
|
|
if (in_array('root', $this->permissions) && ! auth()->user()->can('useRootPermissions', PersonalAccessToken::class)) {
|
|
throw new \Exception('You do not have permission to create tokens with root permissions.');
|
|
}
|
|
|
|
if (array_intersect(['write', 'write:sensitive'], $this->permissions) && ! auth()->user()->can('useWritePermissions', PersonalAccessToken::class)) {
|
|
throw new \Exception('You do not have permission to create tokens with write permissions.');
|
|
}
|
|
|
|
if (in_array('deploy', $this->permissions) && ! auth()->user()->can('useDeployPermissions', PersonalAccessToken::class)) {
|
|
throw new \Exception('You do not have permission to create tokens with deploy permissions.');
|
|
}
|
|
|
|
if (in_array('read:sensitive', $this->permissions) && ! auth()->user()->can('useSensitivePermissions', PersonalAccessToken::class)) {
|
|
throw new \Exception('You do not have permission to create tokens with read:sensitive permissions.');
|
|
}
|
|
|
|
$this->validate([
|
|
'description' => 'required|min:3|max:255',
|
|
]);
|
|
$token = auth()->user()->createToken($this->description, array_values($this->permissions));
|
|
$this->getTokens();
|
|
// Do NOT strip the numeric prefix (e.g. "69|...") — Sanctum uses it to index and look up tokens.
|
|
session()->flash('token', $token->plainTextToken);
|
|
} catch (\Exception $e) {
|
|
return handleError($e, $this);
|
|
}
|
|
}
|
|
|
|
public function revoke(int $id)
|
|
{
|
|
try {
|
|
$token = auth()->user()->tokens()->where('id', $id)->firstOrFail();
|
|
$this->authorize('delete', $token);
|
|
$token->delete();
|
|
$this->getTokens();
|
|
} catch (\Exception $e) {
|
|
return handleError($e, $this);
|
|
}
|
|
}
|
|
}
|