API: Prevented non-GET requests when using cookie-based auth

Added test to cover.
2026-02-05 00:29:48 +03:00 · 2026-01-29 03:37:16 +00:00
parent ff59bbdc07
commit 6a63b38bb3
3 changed files with 31 additions and 3 deletions
--- a/app/Http/Middleware/ApiAuthenticate.php
+++ b/app/Http/Middleware/ApiAuthenticate.php
@@ -17,7 +17,7 @@ class ApiAuthenticate
    public function handle(Request $request, Closure $next)
    {
        // Validate the token and it's users API access
-        $this->ensureAuthorizedBySessionOrToken();
+        $this->ensureAuthorizedBySessionOrToken($request);

        return $next($request);
    }
@@ -28,15 +28,21 @@ class ApiAuthenticate
     *
     * @throws ApiAuthException
     */
-    protected function ensureAuthorizedBySessionOrToken(): void
+    protected function ensureAuthorizedBySessionOrToken(Request $request): void
    {
        // Return if the user is already found to be signed in via session-based auth.
-        // This is to make it easy to browser the API via browser after just logging into the system.
+        // This is to make it easy to browse the API via browser when exploring endpoints via the UI.
        if (!user()->isGuest() || session()->isStarted()) {
+            // Ensure the user has API access permission
            if (!$this->sessionUserHasApiAccess()) {
                throw new ApiAuthException(trans('errors.api_user_no_api_permission'), 403);
            }

+            // Only allow GET requests for cookie-based API usage
+            if ($request->method() !== 'GET') {
+                throw new ApiAuthException(trans('errors.api_cookie_auth_only_get'), 403);
+            }
+
            return;
        }

--- a/lang/en/errors.php
+++ b/lang/en/errors.php
@@ -125,6 +125,7 @@ return [
    'api_incorrect_token_secret' => 'The secret provided for the given used API token is incorrect',
    'api_user_no_api_permission' => 'The owner of the used API token does not have permission to make API calls',
    'api_user_token_expired' => 'The authorization token used has expired',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',

    // Settings & Maintenance
    'maintenance_test_email_failure' => 'Error thrown when sending a test email:',
--- a/tests/Api/ApiAuthTest.php
+++ b/tests/Api/ApiAuthTest.php
@@ -112,6 +112,27 @@ class ApiAuthTest extends TestCase
        $resp->assertStatus(200);
    }

+    public function test_only_get_requests_are_supported_with_session_auth()
+    {
+        $user = $this->users->admin();
+        $this->actingAs($user, 'standard');
+
+        $uriByMethods = [
+            'POST' => '/books',
+            'PUT' => '/books/1',
+            'DELETE' => '/books/1',
+            'HEAD' => '/books',
+        ];
+
+        foreach ($uriByMethods as $method => $uri) {
+            $resp = $this->withCredentials()->json($method, "/api{$uri}");
+            $resp->assertStatus(403);
+            if ($method !== 'HEAD') {
+                $resp->assertJson($this->errorResponse('Only GET requests are allowed when using the API with cookie-based authentication', 403));
+            }
+        }
+    }
+
    public function test_token_expiry_checked()
    {
        $editor = $this->users->editor();