
makes otadmin api routes public for authorized ips

Olivier Massot 5 anni fa
parent
commit
a5d9e5a936

+ 32 - 18
ot_admin/Classes/Http/ApiController.php

@@ -6,6 +6,7 @@ namespace Opentalent\OtAdmin\Http;
 use Opentalent\OtAdmin\Controller\SiteController;
 use Psr\Log\LoggerAwareInterface;
 use Psr\Log\LoggerAwareTrait;
+use TYPO3\CMS\Core\Core\Bootstrap;
 use TYPO3\CMS\Core\Http\JsonResponse;
 use TYPO3\CMS\Core\Http\ServerRequest;
 
@@ -20,18 +21,18 @@ class ApiController implements LoggerAwareInterface
     ];
 
     /**
-     * Retrieve the organization's id from the given request parameters
+     * Returns true if the client Ip is allowed
      *
-     * @param ServerRequest $request
-     * @return int
+     * @param string $clientIp
+     * @return bool
      */
-    private function getOrganizationId(ServerRequest $request) {
-        $params = $request->getQueryParams();
-        $organizationId = $params['organization-id'];
-        if (!$organizationId) {
-            throw new \RuntimeException("Missing parameter: 'organization-id'");
+    public static function isIpAllowed(string $clientIp) {
+        foreach (self::ALLOWED_IPS as $ipRule) {
+            if (preg_match($ipRule, $clientIp)) {
+                return true;
+            }
         }
-        return (int)$organizationId;
+        return false;
     }
 
     /**
@@ -41,16 +42,29 @@ class ApiController implements LoggerAwareInterface
      */
     private function assertIpAllowed() {
         $clientIp = $_SERVER['REMOTE_ADDR'];
-        foreach (self::ALLOWED_IPS as $ipRule) {
-            if (preg_match($ipRule, $clientIp)) {
-                return true;
-            }
+        if (!self::isIpAllowed($clientIp)){
+            $route = $_REQUEST['route'];
+            $this->logger->error(sprintf(
+                "OtAdmin API: an attempt was made to call the route " .
+                $route . " from an non-allowed IP (" . $clientIp . ")"));
+            throw new \RuntimeException("Not allowed");
+        }
+        return true;
+    }
+
+    /**
+     * Retrieve the organization's id from the given request parameters
+     *
+     * @param ServerRequest $request
+     * @return int
+     */
+    private function getOrganizationId(ServerRequest $request) {
+        $params = $request->getQueryParams();
+        $organizationId = $params['organization-id'];
+        if (!$organizationId) {
+            throw new \RuntimeException("Missing parameter: 'organization-id'");
         }
-        $route = $_REQUEST['route'];
-        $this->logger->error(sprintf(
-            "OtAdmin API: an attempt was made to call the route " .
-            $route . " from an non-allowed IP (" . $clientIp . ")"));
-        throw new \RuntimeException("Not allowed");
+        return (int)$organizationId;
     }
 
     /**
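Review bot: In `assertIpAllowed()` the `sprintf` call builds its format string by concatenating `$_REQUEST['route']`, so a request whose `route` parameter contains `%` is parsed as a conversion specifier — on PHP 8 that raises `ArgumentCountError`/`ValueError` before the intended `RuntimeException("Not allowed")`, and on PHP 7 it emits a warning and hands a mangled (or `false`) message to the logger. Pass the untrusted value as an argument instead: `$this->logger->error(sprintf('OtAdmin API: an attempt was made to call the route %s from a non-allowed IP (%s)', (string)($_REQUEST['route'] ?? ''), $clientIp));`. Because `route` is attacker-chosen and unfiltered, embedded newlines can also forge extra log lines, so stripping control characters before logging is worth considering. Separately, `$_SERVER['REMOTE_ADDR']` is the address that terminated the TCP connection; if this instance sits behind a reverse proxy or load balancer it is the proxy's address for every client, so the allowlist should be evaluated on the TYPO3-resolved client address (`GeneralUtility::getIndpEnv('REMOTE_ADDR')`, which honours the configured `reverseProxyIP`), and the `ALLOWED_IPS` patterns (defined outside this hunk) must be anchored, since `preg_match` matches substrings.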

+ 31 - 0
ot_admin/Classes/Middleware/OtBackendUserAuthenticator.php

@@ -0,0 +1,31 @@
+<?php
+namespace Opentalent\OtAdmin\Middleware;
+
+use Opentalent\OtAdmin\Http\ApiController;
+use TYPO3\CMS\Backend\Middleware\BackendUserAuthenticator;
+
+/**
+ * Overrides (XClass) the core BackendUserAuthenticator middleware to extend
+ * the public routes to the /otadmin/* routes (only for authorized Ips)
+ *
+ * @internal
+ */
+class OtBackendUserAuthenticator extends BackendUserAuthenticator
+{
+    /**
+     * Check if the user is required for the request
+     * If we're trying to do a login or an ajax login, don't require a user
+     *
+     * @param string $routePath the Route path to check against, something like '
+     * @return bool whether the request can proceed without a login required
+     */
+    protected function isLoggedInBackendUserRequired(string $routePath): bool
+    {
+        $isOtAdminRoute = (bool)preg_match('/\/otadmin\/.+/', $routePath);
+        $ipAllowed = ApiController::isIpAllowed($_SERVER['REMOTE_ADDR']);
+        if ($isOtAdminRoute && $ipAllowed) {
+            return true;
+        }
+        return parent::isLoggedInBackendUserRequired($routePath);
+    }
+}
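Review bot: The route pattern `/\/otadmin\/.+/` in `isLoggedInBackendUserRequired()` is unanchored, so any route path that merely contains `/otadmin/` somewhere is treated as an OtAdmin route and, for an allowlisted address, served without a backend login; anchor it: `$isOtAdminRoute = (bool)preg_match('#^/otadmin/.+#', $routePath);`. The return value also needs a comment, because the parent's docblock copied here describes the result as "whether the request can proceed without a login required" — i.e. `true` means *no* backend user is needed, the opposite of what the method name suggests — and a maintainer who "corrects" it to `false` would lock the allowlisted callers out, while one who inverts the fallback would open the rest of the backend; something like `// true == proceed without a backend user (parent docblock semantics); re-verify against the core version on upgrade` prevents that. The copied `@param` line is truncated mid-sentence (`something like '`) and should be completed or dropped. As in `ApiController`, `$_SERVER['REMOTE_ADDR']` is the proxy's address when one fronts TYPO3, so the gate here should use the same resolved client address as the controller.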

+ 4 - 8
ot_admin/Configuration/Backend/Routes.php

@@ -8,26 +8,22 @@ use Opentalent\OtAdmin\Http\ApiController;
 return [
         // Create a new organization's website
         'site_create' => [
-            'path' => '/site/create',
-            'referrer' => 'required,refresh-empty',
+            'path' => '/otadmin/site/create',
             'target' => ApiController::class . '::createSiteAction',
             'access' => 'public'
         ],
         'site_delete' => [
-            'path' => '/site/delete',
-            'referrer' => 'required,refresh-empty',
+            'path' => '/otadmin/site/delete',
             'target' => ApiController::class . '::deleteSiteAction',
             'access' => 'public'
         ],
         'site_undelete' => [
-            'path' => '/site/undelete',
-            'referrer' => 'required,refresh-empty',
+            'path' => '/otadmin/site/undelete',
             'target' => ApiController::class . '::undeleteSiteAction',
             'access' => 'public'
         ],
         'site_update' => [
-            'path' => '/site/update',
-            'referrer' => 'required,refresh-empty',
+            'path' => '/otadmin/site/update',
             'target' => ApiController::class . '::updateSiteConstantsAction',
             'access' => 'public'
         ],
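Review bot: Dropping `'referrer' => 'required,refresh-empty'` while marking these state-changing routes public leaves the IP allowlist as the only guard on create/delete/undelete/update, and they stay reachable by a plain GET (the README in this commit documents them as bare `index.php?route=...&organization-id=...` URLs). If any allowlisted address is one that browsers also sit behind (an office NAT, a VPN egress), a page anywhere on the web can embed `<img src=".../typo3/index.php?route=/otadmin/site/delete&organization-id=...">` and the request arrives from an allowed IP with no referrer check left to stop it. Either constrain `ALLOWED_IPS` strictly to the calling service's addresses and say so in a comment next to it, or have the caller send a shared-secret header that the controller compares with `hash_equals()` in addition to the IP check, and restrict the routes to POST if this TYPO3 version honours a `'methods'` option. Since `'access' => 'public'` alone does not make a route anonymous here (the XCLASS middleware registered in `ext_localconf.php` is what does), a one-line comment above the array pointing at `OtBackendUserAuthenticator` would save the next reader the detour.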

+ 4 - 4
ot_admin/Readme.md

@@ -45,8 +45,8 @@ Les commandes disponibles sont:
 
 |||
 |---|---|
-| Create a new organization | `<typo3_host>/typo3/index.php?route=/site/create&organization-id=<organization_id>` |
-| Update an organization | `<typo3_host>/typo3/index.php?route=/site/update&organization-id=<organization_id>` |
-| Soft-delete an organization | `<typo3_host>/typo3/index.php?route=/site/delete&organization-id=<organization_id>` |
-| Restore a soft-deleted organization | `<typo3_host>/typo3/index.php?route=/site/undelete&organization-id=<organization_id>` |
+| Create a new organization | `<typo3_host>/typo3/index.php?route=/otadmin/site/create&organization-id=<organization_id>` |
+| Update an organization | `<typo3_host>/typo3/index.php?route=/otadmin/site/update&organization-id=<organization_id>` |
+| Soft-delete an organization | `<typo3_host>/typo3/index.php?route=/otadmin/site/delete&organization-id=<organization_id>` |
+| Restore a soft-deleted organization | `<typo3_host>/typo3/index.php?route=/otadmin/site/undelete&organization-id=<organization_id>` |
 

+ 10 - 0
ot_admin/ext_localconf.php

@@ -0,0 +1,10 @@
+<?php
+defined('TYPO3_MODE') || die();
+
+// Because of this issue https://forge.typo3.org/issues/89449,
+// we have to xclass the BackendUserAuthenticator backend middleware
+// to allow routes to be public (but restricted to authorized ips)
+$GLOBALS['TYPO3_CONF_VARS']['SYS']['Objects'][TYPO3\CMS\Backend\Middleware\BackendUserAuthenticator::class] = [
+    'className' => Opentalent\OtAdmin\Middleware\OtBackendUserAuthenticator::class
+];
+