Rename CheckScopes and CheckForAnyScope to CheckAbilities and CheckForAnyAbility (#312)

* Rename CheckScopes and CheckForAnyScope

* add tests

* remove unused imports

Author: filippofortino

src/Exceptions/MissingAbilityException.php

@@ -0,0 +1,40 @@
+<?php
+
+namespace Laravel\Sanctum\Exceptions;
+
+use Illuminate\Auth\Access\AuthorizationException;
+use Illuminate\Support\Arr;
+
+class MissingAbilityException extends AuthorizationException
+{
+    /**
+     * The abilities that the user did not have.
+     *
+     * @var array
+     */
+    protected $abilities;
+
+    /**
+     * Create a new missing scope exception.
+     *
+     * @param  array|string  $abilities
+     * @param  string  $message
+     * @return void
+     */
+    public function __construct($abilities = [], $message = 'Invalid ability provided.')
+    {
+        parent::__construct($message);
+
+        $this->abilities = Arr::wrap($abilities);
+    }
+
+    /**
+     * Get the abilities that the user did not have.
+     *
+     * @return array
+     */
+    public function abilities()
+    {
+        return $this->abilities;
+    }
+}

src/Http/Middleware/CheckAbilities.php

@@ -0,0 +1,34 @@
+<?php
+
+namespace Laravel\Sanctum\Http\Middleware;
+
+use Illuminate\Auth\AuthenticationException;
+use Laravel\Sanctum\Exceptions\MissingAbilityException;
+
+class CheckAbilities
+{
+    /**
+     * Handle the incoming request.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  \Closure  $next
+     * @param  mixed  ...$abilities
+     * @return \Illuminate\Http\Response
+     *
+     * @throws \Illuminate\Auth\AuthenticationException|\Laravel\Sanctum\Exceptions\MissingAbilityException
+     */
+    public function handle($request, $next, ...$abilities)
+    {
+        if (! $request->user() || ! $request->user()->currentAccessToken()) {
+            throw new AuthenticationException;
+        }
+
+        foreach ($abilities as $ability) {
+            if (! $request->user()->tokenCan($ability)) {
+                throw new MissingAbilityException($ability);
+            }
+        }
+
+        return $next($request);
+    }
+}

src/Http/Middleware/CheckForAnyAbility.php

@@ -0,0 +1,34 @@
+<?php
+
+namespace Laravel\Sanctum\Http\Middleware;
+
+use Illuminate\Auth\AuthenticationException;
+use Laravel\Sanctum\Exceptions\MissingAbilityException;
+
+class CheckForAnyAbility
+{
+    /**
+     * Handle the incoming request.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  \Closure  $next
+     * @param  mixed  ...$abilities
+     * @return \Illuminate\Http\Response
+     *
+     * @throws \Illuminate\Auth\AuthenticationException|\Laravel\Sanctum\Exceptions\MissingAbilityException
+     */
+    public function handle($request, $next, ...$abilities)
+    {
+        if (! $request->user() || ! $request->user()->currentAccessToken()) {
+            throw new AuthenticationException;
+        }
+
+        foreach ($abilities as $ability) {
+            if ($request->user()->tokenCan($ability)) {
+                return $next($request);
+            }
+        }
+
+        throw new MissingAbilityException($abilities);
+    }
+}

src/Http/Middleware/CheckForAnyScope.php

@@ -2,9 +2,12 @@
 
 namespace Laravel\Sanctum\Http\Middleware;
 
-use Illuminate\Auth\AuthenticationException;
 use Laravel\Sanctum\Exceptions\MissingScopeException;
 
+/**
+ * @deprecated
+ * @see \Laravel\Sanctum\Http\Middleware\CheckForAnyAbility
+ */
 class CheckForAnyScope
 {
     /**
@@ -19,16 +22,10 @@ class CheckForAnyScope
      */
     public function handle($request, $next, ...$scopes)
     {
-        if (! $request->user() || ! $request->user()->currentAccessToken()) {
-            throw new AuthenticationException;
+        try {
+            return (new CheckForAnyAbility())->handle($request, $next, ...$scopes);
+        } catch (\Laravel\Sanctum\Exceptions\MissingAbilityException $e) {
+            throw new MissingScopeException($e->abilities());
         }
-
-        foreach ($scopes as $scope) {
-            if ($request->user()->tokenCan($scope)) {
-                return $next($request);
-            }
-        }
-
-        throw new MissingScopeException($scopes);
     }
 }

src/Http/Middleware/CheckScopes.php

@@ -2,9 +2,12 @@
 
 namespace Laravel\Sanctum\Http\Middleware;
 
-use Illuminate\Auth\AuthenticationException;
 use Laravel\Sanctum\Exceptions\MissingScopeException;
 
+/**
+ * @deprecated
+ * @see \Laravel\Sanctum\Http\Middleware\CheckAbilities
+ */
 class CheckScopes
 {
     /**
@@ -19,16 +22,10 @@ class CheckScopes
      */
     public function handle($request, $next, ...$scopes)
     {
-        if (! $request->user() || ! $request->user()->currentAccessToken()) {
-            throw new AuthenticationException;
+        try {
+            return (new CheckAbilities())->handle($request, $next, ...$scopes);
+        } catch (\Laravel\Sanctum\Exceptions\MissingAbilityException $e) {
+            throw new MissingScopeException($e->abilities());
         }
-
-        foreach ($scopes as $scope) {
-            if (! $request->user()->tokenCan($scope)) {
-                throw new MissingScopeException($scope);
-            }
-        }
-
-        return $next($request);
     }
 }

tests/ActingAsTest.php

@@ -7,6 +7,8 @@
 use Illuminate\Support\Facades\Route;
 use Laravel\Sanctum\Contracts\HasApiTokens as HasApiTokensContract;
 use Laravel\Sanctum\HasApiTokens;
+use Laravel\Sanctum\Http\Middleware\CheckAbilities;
+use Laravel\Sanctum\Http\Middleware\CheckForAnyAbility;
 use Laravel\Sanctum\Http\Middleware\CheckForAnyScope;
 use Laravel\Sanctum\Http\Middleware\CheckScopes;
 use Laravel\Sanctum\Sanctum;
@@ -73,6 +75,36 @@ public function testActingAsWhenTheRouteIsProtectedByCheckForAnyScopeMiddleware(
         $response->assertSee('bar');
     }
 
+    public function testActingAsWhenTheRouteIsProtectedByCheckAbilitiesMiddleware()
+    {
+        $this->withoutExceptionHandling();
+
+        Route::get('/foo', function () {
+            return 'bar';
+        })->middleware(CheckAbilities::class.':admin,footest');
+
+        Sanctum::actingAs(new SanctumUser(), ['admin', 'footest']);
+
+        $response = $this->get('/foo');
+        $response->assertSuccessful();
+        $response->assertSee('bar');
+    }
+
+    public function testActingAsWhenTheRouteIsProtectedByCheckForAnyAbilityMiddleware()
+    {
+        $this->withoutExceptionHandling();
+
+        Route::get('/foo', function () {
+            return 'bar';
+        })->middleware(CheckForAnyAbility::class.':admin,footest');
+
+        Sanctum::actingAs(new SanctumUser(), ['footest']);
+
+        $response = $this->get('/foo');
+        $response->assertSuccessful();
+        $response->assertSee('bar');
+    }
+
     public function testActingAsWhenTheRouteIsProtectedUsingAbilities()
     {
         $this->artisan('migrate', ['--database' => 'testbench'])->run();

tests/CheckAbilitiesTest.php

@@ -0,0 +1,75 @@
+<?php
+
+namespace Laravel\Sanctum\Tests;
+
+use Laravel\Sanctum\Http\Middleware\CheckAbilities;
+use Mockery;
+use PHPUnit\Framework\TestCase;
+
+class CheckAbilitiesTest extends TestCase
+{
+    protected function tearDown(): void
+    {
+        parent::tearDown();
+
+        Mockery::close();
+    }
+
+    public function test_request_is_passed_along_if_abilities_are_present_on_token()
+    {
+        $middleware = new CheckAbilities;
+        $request = Mockery::mock();
+        $request->shouldReceive('user')->andReturn($user = Mockery::mock());
+        $user->shouldReceive('currentAccessToken')->andReturn($token = Mockery::mock());
+        $user->shouldReceive('tokenCan')->with('foo')->andReturn(true);
+        $user->shouldReceive('tokenCan')->with('bar')->andReturn(true);
+
+        $response = $middleware->handle($request, function () {
+            return 'response';
+        }, 'foo', 'bar');
+
+        $this->assertSame('response', $response);
+    }
+
+    public function test_exception_is_thrown_if_token_doesnt_have_ability()
+    {
+        $this->expectException('Laravel\Sanctum\Exceptions\MissingAbilityException');
+
+        $middleware = new CheckAbilities;
+        $request = Mockery::mock();
+        $request->shouldReceive('user')->andReturn($user = Mockery::mock());
+        $user->shouldReceive('currentAccessToken')->andReturn($token = Mockery::mock());
+        $user->shouldReceive('tokenCan')->with('foo')->andReturn(false);
+
+        $middleware->handle($request, function () {
+            return 'response';
+        }, 'foo', 'bar');
+    }
+
+    public function test_exception_is_thrown_if_no_authenticated_user()
+    {
+        $this->expectException('Illuminate\Auth\AuthenticationException');
+
+        $middleware = new CheckAbilities;
+        $request = Mockery::mock();
+        $request->shouldReceive('user')->once()->andReturn(null);
+
+        $middleware->handle($request, function () {
+            return 'response';
+        }, 'foo', 'bar');
+    }
+
+    public function test_exception_is_thrown_if_no_token()
+    {
+        $this->expectException('Illuminate\Auth\AuthenticationException');
+
+        $middleware = new CheckAbilities;
+        $request = Mockery::mock();
+        $request->shouldReceive('user')->andReturn($user = Mockery::mock());
+        $user->shouldReceive('currentAccessToken')->andReturn(null);
+
+        $middleware->handle($request, function () {
+            return 'response';
+        }, 'foo', 'bar');
+    }
+}

tests/CheckForAnyAbilityTest.php

@@ -0,0 +1,76 @@
+<?php
+
+namespace Laravel\Sanctum\Tests;
+
+use Laravel\Sanctum\Http\Middleware\CheckForAnyAbility;
+use Mockery;
+use PHPUnit\Framework\TestCase;
+
+class CheckForAnyAbilityTest extends TestCase
+{
+    protected function tearDown(): void
+    {
+        parent::tearDown();
+
+        Mockery::close();
+    }
+
+    public function test_request_is_passed_along_if_abilities_are_present_on_token()
+    {
+        $middleware = new CheckForAnyAbility;
+        $request = Mockery::mock();
+        $request->shouldReceive('user')->andReturn($user = Mockery::mock());
+        $user->shouldReceive('currentAccessToken')->andReturn($token = Mockery::mock());
+        $user->shouldReceive('tokenCan')->with('foo')->andReturn(true);
+        $user->shouldReceive('tokenCan')->with('bar')->andReturn(false);
+
+        $response = $middleware->handle($request, function () {
+            return 'response';
+        }, 'foo', 'bar');
+
+        $this->assertSame('response', $response);
+    }
+
+    public function test_exception_is_thrown_if_token_doesnt_have_ability()
+    {
+        $this->expectException('Laravel\Sanctum\Exceptions\MissingAbilityException');
+
+        $middleware = new CheckForAnyAbility;
+        $request = Mockery::mock();
+        $request->shouldReceive('user')->andReturn($user = Mockery::mock());
+        $user->shouldReceive('currentAccessToken')->andReturn($token = Mockery::mock());
+        $user->shouldReceive('tokenCan')->with('foo')->andReturn(false);
+        $user->shouldReceive('tokenCan')->with('bar')->andReturn(false);
+
+        $middleware->handle($request, function () {
+            return 'response';
+        }, 'foo', 'bar');
+    }
+
+    public function test_exception_is_thrown_if_no_authenticated_user()
+    {
+        $this->expectException('Illuminate\Auth\AuthenticationException');
+
+        $middleware = new CheckForAnyAbility;
+        $request = Mockery::mock();
+        $request->shouldReceive('user')->once()->andReturn(null);
+
+        $middleware->handle($request, function () {
+            return 'response';
+        }, 'foo', 'bar');
+    }
+
+    public function test_exception_is_thrown_if_no_token()
+    {
+        $this->expectException('Illuminate\Auth\AuthenticationException');
+
+        $middleware = new CheckForAnyAbility;
+        $request = Mockery::mock();
+        $request->shouldReceive('user')->andReturn($user = Mockery::mock());
+        $user->shouldReceive('currentAccessToken')->andReturn(null);
+
+        $middleware->handle($request, function () {
+            return 'response';
+        }, 'foo', 'bar');
+    }
+}