From fad38837855c74501003e40aa0ee28527b9a0dd7 Mon Sep 17 00:00:00 2001
From: Kentaro Ohkouchi
Date: Mon, 28 Aug 2023 21:45:31 +0900
Subject: [PATCH] Support Authorization header

---
 Resource/config/services_dev.yaml | 4 +
 Resource/template/admin/OAuth/graphiql.twig | 25 +++---
 Security/GraphiQLSecurityContext.php | 84 +++++++++++++++++++++
 3 files changed, 102 insertions(+), 11 deletions(-)
 create mode 100644 Resource/config/services_dev.yaml
 create mode 100644 Security/GraphiQLSecurityContext.php

diff --git a/Resource/config/services_dev.yaml b/Resource/config/services_dev.yaml
new file mode 100644
index 0000000..6f371d1
--- /dev/null
+++ b/Resource/config/services_dev.yaml
@@ -0,0 +1,4 @@
+services:
+ Eccube\Security\SecurityContext:
+ class: Plugin\Api42\Security\GraphiQLSecurityContext
+ autowire: true
diff --git a/Resource/template/admin/OAuth/graphiql.twig b/Resource/template/admin/OAuth/graphiql.twig
index 0987e0a..9fb56ab 100644
--- a/Resource/template/admin/OAuth/graphiql.twig
+++ b/Resource/template/admin/OAuth/graphiql.twig
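Review bot: Nothing in this file says why the core `Eccube\Security\SecurityContext` service id is being rebound, and because it binds the core id rather than a plugin-local one, the replacement applies to every request served in whatever environment loads `services_dev.yaml`, not only the GraphiQL endpoint. A comment above `services:` would stop the next maintainer from copying it into the regular `services.yaml`: `# Dev-only override: lets GraphiQL resolve the login user from an "Authorization: Bearer" token (see Security/GraphiQLSecurityContext.php). Never load this in prod.` Whether the `_dev` suffix alone restricts loading to the dev environment depends on the plugin's config loader, which is not visible here and is worth confirming.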
@@ -165,17 +165,20 @@
 }
 }
 `;
- const graphQLFetcher = graphQLParams =>
- fetch('{{ url('admin_api_graphiql_api') }}', {
- method: 'post',
- headers: {
- 'Content-Type': 'application/json',
- 'ECCUBE-CSRF-TOKEN': '{{ csrf_token(constant('Eccube\\Common\\Constant::TOKEN_NAME')) }}'
- },
- body: JSON.stringify(graphQLParams),
- })
- .then(response => response.json())
- .catch(() => response.text());
+ const graphQLFetcher = (graphQLParams, opts) => {
+ const { headers = {} } = opts;
+ return fetch('{{ url('admin_api_graphiql_api') }}', {
+ method: 'post',
+ headers: {
+ 'Content-Type': 'application/json',
+ 'ECCUBE-CSRF-TOKEN': '{{ csrf_token(constant('Eccube\\Common\\Constant::TOKEN_NAME')) }}',
+ ...headers,
+ },
+ body: JSON.stringify(graphQLParams),
+ })
+ .then(response => response.json())
+ .catch(() => response.text());
+ };
 ReactDOM.render(
 React.createElement(GraphiQL, { fetcher: graphQLFetcher, defaultQuery: defaultQuery }),
 document.getElementById('graphiql'),
diff --git a/Security/GraphiQLSecurityContext.php b/Security/GraphiQLSecurityContext.php
new file mode 100644
index 0000000..7ff3612
--- /dev/null
+++ b/Security/GraphiQLSecurityContext.php
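Review bot: `const { headers = {} } = opts;` throws a TypeError whenever the fetcher is invoked without a second argument, because destructuring `undefined` fails before the default applies; `const { headers = {} } = opts ?? {};` (or `(graphQLParams, opts = {}) =>`) keeps the previous single-argument call shape working. The `.catch(() => response.text())` carried over from the old code still references `response`, which is not in scope in that callback, so a non-JSON reply surfaces as a ReferenceError instead of the response text; reading the body once with `.then(response => response.text())` and then `.then(text => { try { return JSON.parse(text); } catch { return text; } })` avoids both that and the double body read. Note also that `...headers` is spread after the CSRF token, so anything typed into GraphiQL's header editor overrides `ECCUBE-CSRF-TOKEN` and `Content-Type`; that only breaks the user's own request, but putting the fixed headers last would make the intent explicit.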
@@ -0,0 +1,84 @@ +requestStack = $requestStack; + $this->entityManager = $entityManager; + $this->container = $container; + } + + public function getLoginUser() + { + $token = $this->getToken(); + if (!$token) { + return null; + } + $request = $this->requestStack->getCurrentRequest(); + if (null !== $request) { + $bearerToken = $request->headers->get('Authorization'); + if ($bearerToken) { + $rawJwt = \trim((string) \preg_replace('/^\s*Bearer\s/', '', $bearerToken)); + + try { + $jwt = (new JwtFacade())->parse( + $rawJwt, + new SignedWith(new Sha256, InMemory::file($this->container->getParameter('plugin_data_realdir').'/Api42/oauth/public.key')), + new StrictValidAt(SystemClock::fromSystemTimezone()) + ); + + $identifier = $jwt->claims()->get(RegisteredClaims::SUBJECT); + + return $this->entityManager->getRepository(Customer::class)->findOneBy(['email' => $identifier]); + } catch (\Exception $e) { + log_error($e->getMessage(), [$e]); + + return null; + } + } + } + + return $token->getUser(); + } +}
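Review bot: `getLoginUser()` never checks which route it is serving, yet `services_dev.yaml` rebinds the core `Eccube\Security\SecurityContext` id, so in that environment any admin page requested with an `Authorization: Bearer` header resolves the login user to the token's Customer (or to `null` on any parse failure) instead of the logged-in Member. I would gate the Bearer path on the GraphiQL route the template posts to: `if ('admin_api_graphiql_api' !== $request->attributes->get('_route')) { return $token->getUser(); }` placed right after the null-request check. The only constraints applied are `SignedWith` and `StrictValidAt`; there is no `IssuedBy`/`PermittedFor` and nothing asserts that the token was issued for a customer before `sub` is looked up as a Customer email, so if the same key signs other token types the lookup silently returns `null` rather than rejecting them — a dedicated claim or audience check would make that explicit. `log_error($e->getMessage(), [$e])` passes the exception object into the log context, which may carry the raw token in its trace; logging only the message is the safer default. The class header and constructor at the top of this hunk are garbled in this view, so only `getLoginUser()` was reviewed.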