From 512d56b7ea270f05bb361f70fdb089f81986b8f9 Mon Sep 17 00:00:00 2001
From: Alex Tselegidis
Date: Sat, 9 Jul 2016 12:24:52 +0200
Subject: [PATCH] Corrected API authorization procedure.

---
 .../controllers/api/v1/API_V1_Controller.php | 36 ++++++++++++++--
 src/engine/Api/V1/Authorization.php          | 41 ++++++++++++++++++-
 test/php/engine/Api/V1/AuthorizationTest.php | 14 +++++-
 3 files changed, 81 insertions(+), 10 deletions(-)

diff --git a/src/application/controllers/api/v1/API_V1_Controller.php b/src/application/controllers/api/v1/API_V1_Controller.php
index 9b06fc2c..e308f321 100644
--- a/src/application/controllers/api/v1/API_V1_Controller.php
+++ b/src/application/controllers/api/v1/API_V1_Controller.php
@@ -38,11 +38,16 @@ class API_V1_Controller extends CI_Controller {
             return $this->_requestAuthentication();
         }
 
-        $username = new NonEmptyString($_SERVER['PHP_AUTH_USER']);
-        $password = new NonEmptyString($_SERVER['PHP_AUTH_PW']);
-        $authorization = new \EA\Engine\Api\V1\Authorization($this);
-        $authorization->basic($username, $password);
         parent::__construct();
+
+        try {
+            $username = new NonEmptyString($_SERVER['PHP_AUTH_USER']);
+            $password = new NonEmptyString($_SERVER['PHP_AUTH_PW']);
+            $authorization = new \EA\Engine\Api\V1\Authorization($this);
+            $authorization->basic($username, $password);
+        } catch(\Exception $exception) {
+            $this->_handleException($exception);
+        }
     }
 
     /**
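Review bot: The new catch block reports the failure through `_handleException` and then lets the constructor finish normally, so as far as the controller lifecycle goes the routed method is still dispatched and the unauthorized request is executed after the 401 has already been written; before this change the uncaught exception at least aborted the request. Nothing in `_handleException` (hunk 2) stops execution either, and the pre-existing `return $this->_requestAuthentication();` above the removed lines has the same shape, which is presumably what the new code mirrors. Terminate the request after the handler, e.g. `$this->_handleException($exception); exit;`, or give `_handleException` an explicit way to end the request. Catching `\Exception` is also wider than the 401 case: a `NonEmptyString` constructor failure or a database error inside `check_login` lands in the same path, which is only acceptable if `_handleException` does not echo those messages back. The constructor's guarding `if` starts above the hunk.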
@@ -53,6 +58,29 @@ class API_V1_Controller extends CI_Controller {
         header('HTTP/1.0 401 Unauthorized');
         echo 'You are not authorized to use the API.';
     }
+
+    /**
+     * Outputs the required headers and messages for exception handling.
+     *
+     * Call this method from catch blocks of child controller callbacks.
+     *
+     * @param \Exception $exception Thrown exception to be outputed.
+     */
+    protected function _handleException(\Exception $exception) {
+        $error = [
+            'code' => $exception->getCode() ?: 500,
+            'message'=> $exception->getMessage(),
+        ];
+
+        $header = $exception instanceof \EA\Engine\Api\V1\Exception
+            ? $exception->getCode() . ' ' . $exception->getHeader()
+            : '500 Internal Server Error';
+
+        header('HTTP/1.0 ' . $header);
+        header('Content-Type: application/json');
+
+        echo json_encode($error, JSON_UNESCAPED_SLASHES|JSON_PRETTY_PRINT);
+    }
 }
 
 /* End of file API_V1_Controller.php */
diff --git a/src/engine/Api/V1/Authorization.php b/src/engine/Api/V1/Authorization.php
index 459ccb2f..92460dd0 100644
--- a/src/engine/Api/V1/Authorization.php
+++ b/src/engine/Api/V1/Authorization.php
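Review bot: `_handleException` sends `$exception->getMessage()` to the client for every exception type, not only `\EA\Engine\Api\V1\Exception`, so an internal failure (a database error, a failed `NonEmptyString` construction) reaches the caller verbatim under a 500 status — an information-disclosure path. The `'code'` entry is also computed as `getCode() ?: 500` independently of the header, so a non-API exception carrying a non-zero code yields a JSON code that contradicts the `500 Internal Server Error` status line. Branch once on the exception type, expose message and code only for API exceptions, log the rest server-side, and note that `getHeader()` is assumed to exist on the API exception class, which is not part of this patch.
```php
    protected function _handleException(\Exception $exception) {
        $isApiException = $exception instanceof \EA\Engine\Api\V1\Exception;

        // Only API exceptions carry a message intended for the client; any
        // other exception is an internal failure and must not be echoed back.
        $error = [
            'code' => $isApiException ? $exception->getCode() : 500,
            'message' => $isApiException ? $exception->getMessage() : 'Internal Server Error',
        ];

        $header = $isApiException
            ? $exception->getCode() . ' ' . $exception->getHeader()
            : '500 Internal Server Error';

        if (!$isApiException) {
            log_message('error', $exception->getMessage());
        }

        // … unchanged: header() calls and json_encode() output …
    }
```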
@@ -11,8 +11,45 @@ * @since v1.2.0 * ---------------------------------------------------------------------------- */ -namespace \EA\Engine\Api\V1; +namespace EA\Engine\Api\V1; +use \EA\Engine\Types\NonEmptyString; + +/** + * API v1 Authorization Class + * + * This class will handle the authorization procedure. + */ class Authorization { - + /** + * Framework Instance + * + * @var CI_Controller + */ + protected $framework; + + /** + * Class Constructor + * + * @param \CI_Controller $framework + */ + public function __construct(\CI_Controller $framework) { + $this->framework = $framework; + } + + /** + * Perform Basic Authentication + * + * @param NonEmptyString $username Admin Username + * @param NonEmptyString $password Admin Password + * + * @throws \EA\Engine\Api\V1\Exception Throws 401-Unauthorized exception if the authentication fails. + */ + public function basic(NonEmptyString $username, NonEmptyString $password) { + $this->framework->load->model('user_model'); + + if (!$this->framework->user_model->check_login($username->get(), $password->get())) { + throw new Exception('The provided credentials do not match any admin user!', 401, 'Unauthorized'); + } + } } diff --git a/test/php/engine/Api/V1/AuthorizationTest.php b/test/php/engine/Api/V1/AuthorizationTest.php index 7878b5b4..85ce9f90 100644 --- a/test/php/engine/Api/V1/AuthorizationTest.php +++ b/test/php/engine/Api/V1/AuthorizationTest.php @@ -11,10 +11,16 @@ * @since v1.2.0 * ---------------------------------------------------------------------------- */ -namespace \EA\Engine\Api\V1; +namespace EA\Engine\Api\V1; -use PHPUnit\Framework\TestCase; +use \EA\Engine\Types\NonEmptyString; -class AuthorizationTest extends \TestCase { - +class AuthorizationTest extends \PHPUnit_Framework_TestCase { + public function testBasicMethodPerformsBasicAuthentication() { + $this->markTestIncomplete(); + } + + public function testBasicMethodReturnsForbiddenResponse() { + $this->markTestIncomplete(); + } }
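Review bot: `basic()` verifies credentials through `user_model->check_login()`, but nothing visible in this hunk checks that the matched account is an administrator, even though the docblock advertises "Admin Username" and "Admin Password"; if `check_login` accepts any account (its implementation is not in this patch), the API admits non-admin users and the docblock overstates the guarantee. Either confirm `check_login` is admin-only and state that in the docblock, or add a role check after it. Two smaller points: inside `namespace EA\Engine\Api\V1` the `@var CI_Controller` docblock reads as `EA\Engine\Api\V1\CI_Controller` to static analysers, so write `@var \CI_Controller` to match the constructor's type; and the unqualified `Exception` in the throw resolves to `EA\Engine\Api\V1\Exception`, which this patch does not add — confirm it exists with a `(message, code, header)` constructor, since hunk 2 relies on its `getHeader()`.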
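Review bot: `testBasicMethodReturnsForbiddenResponse` names a 403 Forbidden outcome, but `basic()` in Authorization.php throws with code 401 and header 'Unauthorized' and never returns a response, so the test name describes behaviour the implementation does not have; rename it along the lines of `testBasicMethodThrowsUnauthorizedOnInvalidCredentials`. Both tests are `markTestIncomplete()` stubs, so the authorization path this commit reworks stays unverified; the failing-credentials case needs only a fake framework whose `user_model->check_login()` returns false plus an `expectException` on the API exception class. The newly imported `NonEmptyString` is unused until those bodies exist.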