Refactor to user company_key instead of company_token

app/Http/Controllers/BaseController.php

@@ -270,7 +270,7 @@ class BaseController extends Controller
 
         $query->with($includes);
 
-        if (!auth()->user()->hasPermission('view_'.lcfirst(class_basename($this->entity_type)))) {
+        if (auth()->user() && !auth()->user()->hasPermission('view_'.lcfirst(class_basename($this->entity_type)))) {
             $query->where('user_id', '=', auth()->user()->id);
         }
 

app/Http/Controllers/Shop/ClientController.php

@@ -50,10 +50,10 @@ class ClientController extends BaseController
 
     public function show(string $contact_key)
     {
-        $company_token = CompanyToken::with(['company'])->whereRaw("BINARY `token`= ?", [$request->header('X-API-TOKEN')])->first();
+        $company = Company::where('company_key', $request->header('X-API-COMPANY_KEY'))->first();
 
         $contact = ClientContact::with('client')
-                            ->where('company_id', $company_token->company->id)
+                            ->where('company_id', $company->id)
                             ->where('contact_key', $contact_key)
                             ->firstOrFail();
 
@@ -62,15 +62,19 @@ class ClientController extends BaseController
 
     public function store(StoreClientRequest $request)
     {
-        $company_token = CompanyToken::with(['company'])->whereRaw("BINARY `token`= ?", [$request->header('X-API-TOKEN')])->first();
+        $company = Company::where('company_key', $request->header('X-API-COMPANY_KEY'))->first();
 
-        $client = $this->client_repo->save($request->all(), ClientFactory::create($company_token->company_id, $company_token->user_id));
+        app('queue')->createPayloadUsing(function () use ($company) {
+            return ['db' => $company->db];
+        });
+
+        $client = $this->client_repo->save($request->all(), ClientFactory::create($company->id, $company->owner()->id));
 
         $client->load('contacts', 'primary_contact');
 
-        $this->uploadLogo($request->file('company_logo'), $client->company, $client);
+        $this->uploadLogo($request->file('company_logo'), $company, $client);
 
-        event(new ClientWasCreated($client, $client->company, Ninja::eventVars()));
+        event(new ClientWasCreated($client, $company, Ninja::eventVars()));
 
         return $this->itemResponse($client);
     }

app/Http/Controllers/Shop/InvoiceController.php

@@ -52,10 +52,10 @@ class InvoiceController extends BaseController
 
     public function show(string $invitation_key)
     {
-        $company_token = CompanyToken::with(['company'])->whereRaw("BINARY `token`= ?", [$request->header('X-API-TOKEN')])->first();
+        $company = Company::where('company_key', $request->header('X-API-COMPANY_KEY'))->first();
 
         $invitation = InvoiceInvitation::with(['invoice'])
-                                        ->where('company_id', $company_token->company->id)
+                                        ->where('company_id', $company->id)
                                         ->where('key',$invitation_key)
                                         ->firstOrFail();
 
@@ -65,13 +65,17 @@ class InvoiceController extends BaseController
 
     public function store(StoreInvoiceRequest $request)
     {
-        $company_token = CompanyToken::with(['company'])->whereRaw("BINARY `token`= ?", [$request->header('X-API-TOKEN')])->first();
+        app('queue')->createPayloadUsing(function () use ($company) {
+            return ['db' => $company->db];
+        });
+                
+        $company = Company::where('company_key', $request->header('X-API-COMPANY_KEY'))->first();
 
         $client = Client::find($request->input('client_id'));
 
-        $invoice = $this->invoice_repo->save($request->all(), InvoiceFactory::create($company_token->company_id, $company_token->user_id));
+        $invoice = $this->invoice_repo->save($request->all(), InvoiceFactory::create($company_id, $company->owner()->id));
 
-        event(new InvoiceWasCreated($invoice, $invoice->company, Ninja::eventVars()));
+        event(new InvoiceWasCreated($invoice, $company, Ninja::eventVars()));
 
         $invoice = $invoice->service()->triggeredActions($request)->save();
         

app/Http/Controllers/Shop/ProductController.php

@@ -12,6 +12,7 @@
 namespace App\Http\Controllers\Shop;
 
 use App\Http\Controllers\BaseController;
+use App\Models\Company;
 use App\Models\CompanyToken;
 use App\Models\Product;
 use App\Transformers\ProductTransformer;
@@ -31,20 +32,20 @@ class ProductController extends BaseController
      *
      * @return \Illuminate\Http\Response
      */
-    public function index()
+    public function index(Request $request)
     {
-        $company_token = CompanyToken::with(['company'])->whereRaw("BINARY `token`= ?", [$request->header('X-API-TOKEN')])->first();
+        $company = Company::where('company_key', $request->header('X-API-COMPANY_KEY'))->first();
 
-        $products = Product::where('company_id', $company_token->company->id);
+        $products = Product::where('company_id', $company->id);
 
         return $this->listResponse($products);
     }
 
-    public function show(string $product_key)
+    public function show(Request $request, string $product_key)
     {
-        $company_token = CompanyToken::with(['company'])->whereRaw("BINARY `token`= ?", [$request->header('X-API-TOKEN')])->first();
+        $company = Company::where('company_key', $request->header('X-API-COMPANY_KEY'))->first();
 
-        $product = Product::where('company_id', $company_token->company->id)
+        $product = Product::where('company_id', $company->id)
                             ->where('product_key', $product_key)
                             ->first();
 

app/Http/Kernel.php

@@ -111,9 +111,10 @@ class Kernel extends HttpKernel
         'url_db' =>  \App\Http\Middleware\UrlSetDb::class,
         'web_db' => \App\Http\Middleware\SetWebDb::class,
         'api_db' => \App\Http\Middleware\SetDb::class,
+        'company_key_db' => \App\Http\Middleware\SetDbByCompanyKey::class,
         'locale' => \App\Http\Middleware\Locale::class,
         'contact.register' => \App\Http\Middleware\ContactRegister::class,
-        'shop_token_auth' => \App\Http\Middleware\ShopTokenAuth::class,
+        'shop_token_auth' => \App\Http\Middleware\Shop\ShopTokenAuth::class,
 
     ];
 }

app/Http/Middleware/SetDbByCompanyKey.php

@@ -0,0 +1,48 @@
+<?php
+/**
+ * Invoice Ninja (https://invoiceninja.com)
+ *
+ * @link https://github.com/invoiceninja/invoiceninja source repository
+ *
+ * @copyright Copyright (c) 2020. Invoice Ninja LLC (https://invoiceninja.com)
+ *
+ * @license https://opensource.org/licenses/AAL
+ */
+
+namespace App\Http\Middleware;
+
+use App\Libraries\MultiDB;
+use App\Models\CompanyToken;
+use Closure;
+
+class SetDbByCompanyKey
+{
+    /**
+     * Handle an incoming request.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  \Closure  $next
+     * @return mixed
+     */
+    
+    public function handle($request, Closure $next)
+    {
+        $error = [
+            'message' => 'Invalid Token',
+            'errors' => []
+        ];
+
+
+        if ($request->header('X-API-COMPANY_KEY') && config('ninja.db.multi_db_enabled')) {
+            if (! MultiDB::findAndSetDbByCompanyKey($request->header('X-API-COMPANY_KEY'))) {
+                return response()->json($error, 403);
+            }
+        } elseif (!config('ninja.db.multi_db_enabled')) {
+            return $next($request);
+        } else {
+            return response()->json($error, 403);
+        }
+
+        return $next($request);
+    }
+}

app/Http/Middleware/Shop/ShopTokenAuth.php

@@ -1,78 +0,0 @@
-<?php
-/**
- * Invoice Ninja (https://invoiceninja.com)
- *
- * @link https://github.com/invoiceninja/invoiceninja source repository
- *
- * @copyright Copyright (c) 2020. Invoice Ninja LLC (https://invoiceninja.com)
- *
- * @license https://opensource.org/licenses/AAL
- */
-
-namespace App\Http\Middleware\Shop;
-
-use App\Events\User\UserLoggedIn;
-use App\Models\CompanyToken;
-use App\Models\User;
-use App\Utils\Ninja;
-use Closure;
-
-class ShopTokenAuth
-{
-    /**
-     * Handle an incoming request.
-     *
-     * @param  \Illuminate\Http\Request  $request
-     * @param  \Closure  $next
-     * @return mixed
-     */
-    public function handle($request, Closure $next)
-    {
-
-        if ($request->header('X-API-TOKEN') && ($company_token = CompanyToken::with(['user','company'])->whereRaw("BINARY `token`= ?", [$request->header('X-API-TOKEN')])->first())) {
-
-            /* Check if this is a restricted token*/
-            if(!$company_token->shop_restricted){
-
-                $error = [
-                    'message' => 'Cannot use a unrestricted token on this route',
-                    'errors' => []
-                ];
-
-
-                return response()->json($error, 403);
-
-            }
-
-            $user = $company_token->user;
-
-            $error = [
-                'message' => 'User inactive',
-                'errors' => []
-            ];
-
-            //user who once existed, but has been soft deleted
-            if (!$user) {
-                return response()->json($error, 403);
-            }
-
-            /*
-            |
-            | Necessary evil here: As we are authenticating on CompanyToken,
-            | we need to link the company to the user manually. This allows
-            | us to decouple a $user and their attached companies completely.
-            |
-            */
-            $user->setCompany($company_token->company);
-            
-            config(['ninja.company_id' => $company_token->company->id]);
-
-            app('queue')->createPayloadUsing(function () use ($company_token) {
-                return ['db' => $company_token->company->db];
-            });
-
-        }
-
-        return $next($request);
-    }
-}

app/Http/Middleware/TokenAuth.php

@@ -30,19 +30,6 @@ class TokenAuth
     {
         if ($request->header('X-API-TOKEN') && ($company_token = CompanyToken::with(['user','company'])->whereRaw("BINARY `token`= ?", [$request->header('X-API-TOKEN')])->first())) {
 
-            if($company_token->shop_restricted){
-
-                $error = [
-                    'message' => 'Cannot use a restricted token on this route',
-                    'errors' => []
-                ];
-
-
-                return response()->json($error, 403);
-
-            }
-
-
             $user = $company_token->user;
 
             $error = [

app/Libraries/MultiDB.php

@@ -180,6 +180,17 @@ class MultiDB
         return false;
     }
 
+    public static function findAndSetDbByCompanyKey($company_key) :bool
+    {
+        foreach (self::$dbs as $db) {
+            if ($company = Company::on($db)->where('company_key', $company_key)->first()) {
+                self::setDb($company->db);
+                return true;
+            }
+        }
+        return false;
+    }
+
     public static function findAndSetDbByDomain($subdomain) :bool
     {
         foreach (self::$dbs as $db) {

database/migrations/2020_07_28_104218_shop_token.php

@@ -13,8 +13,8 @@ class ShopToken extends Migration
      */
     public function up()
     {
-        Schema::table('company_user', function (Blueprint $table) {
+        Schema::table('companies', function (Blueprint $table) {
-            $table->boolean('shop_restricted')->default(false);
+            $table->boolean('enable_shop_api')->default(false);
         });
     }
 

routes/shop.php

@@ -2,13 +2,13 @@
 
 use Illuminate\Support\Facades\Route;
 
-Route::group(['middleware' => ['api_db','shop_token_auth','locale']], function () {
+Route::group(['middleware' => ['company_key_db','locale'], 'prefix' => 'api/v1'], function () {
 
-	Route::get('products', 'Shop\ProductController@index');
+	Route::get('shop/products', 'Shop\ProductController@index');
-	Route::get('clients', 'Shop\ClientController@index');
+	Route::get('shop/clients', 'Shop\ClientController@index');
-	Route::get('invoices', 'Shop\InvoiceController@index');
+	Route::get('shop/invoices', 'Shop\InvoiceController@index');
-	Route::get('client/{contact_key}', 'Shop\ClientController@show');
+	Route::get('shop/client/{contact_key}', 'Shop\ClientController@show');
-	Route::get('invoice/{invitation_key}', 'Shop\InvoiceController@show');
+	Route::get('shop/invoice/{invitation_key}', 'Shop\InvoiceController@show');
-	Route::get('product/{product_key}', 'Shop\ProductController@show');
+	Route::get('shop/product/{product_key}', 'Shop\ProductController@show');
 
 });