Added api_secret_key for API request

mtcextendee · Mar 8, 2020 · 924e339 · 924e339
1 parent dcded4b
commit 924e339
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 8 deletions.
diff --git a/Controller/Api/LimiterApiController.php b/Controller/Api/LimiterApiController.php
@@ -19,6 +19,7 @@
 
 class LimiterApiController extends CommonApiController
 {
+    CONST API_SECRET_KEY = 'api_secret_key';
     /**
      * @var \Mautic\CoreBundle\Configurator\Configurator $configurator
      */
@@ -92,6 +93,9 @@ private function getViewFromLimiter($key)
     public function getAction()
     {
         $limiter = $this->coreParametersHelper->getParameter('limiter');
+        if (isset($limiter[self::API_SECRET_KEY])) {
+            unset($limiter[self::API_SECRET_KEY]);
+        }
         $view    = $this->view(['response' => $limiter], Codes::HTTP_OK);
 
         return $this->handleView($view);
@@ -139,11 +143,34 @@ private function processUpdate($key)
         $all   = $this->request->request->all();
         $value = ArrayHelper::getValue($key, $all);
         if ($value === null) {
-            $view = $this->view(['error' => sprintf("Parameter %s not found", $key)], Codes::HTTP_OK);;
+            $view = $this->view(['error' => sprintf("Parameter %s not found", $key)], Codes::HTTP_BAD_REQUEST);;
 
             return $this->handleView($view);
         }
         $limiter       = $this->coreParametersHelper->getParameter('limiter');
+
+        $apiSecretKeyFromRequest = ArrayHelper::getValue(self::API_SECRET_KEY, $all);
+        if (is_null($apiSecretKeyFromRequest)) {
+            $view = $this->view(['error' => "Request parameter '".self::API_SECRET_KEY."' not found. This parameter it's required"], Codes::HTTP_BAD_REQUEST);
+
+            return $this->handleView($view);
+        }
+
+        $apiSecretKey = ArrayHelper::getValue(self::API_SECRET_KEY, $limiter);
+        if (is_null($apiSecretKey)) {
+            $view = $this->view(['error' => "Configuration parameter '".self::API_SECRET_KEY."' not found. This parameter restrict API access and it's required"], Codes::HTTP_BAD_REQUEST);
+
+            return $this->handleView($view);
+        }
+
+        if ($apiSecretKey !== $apiSecretKeyFromRequest) {
+            $view = $this->view(['error' => self::API_SECRET_KEY." parameter ".$apiSecretKeyFromRequest." is not valid."], Codes::HTTP_BAD_REQUEST);
+
+            return $this->handleView($view);
+        }
+
+
+
         $limiter[$key] = $value;
         $toUpdate      = ['limiter' => $limiter];
         $this->configurator->mergeParameters($toUpdate);

diff --git a/README.md b/README.md
@@ -24,8 +24,9 @@ Configure Limiter from config (app/config/local.php)
          '*contacts/new',
          '*contacts/edit/*',
     ],
- 'message' => '<h3>Contacts limit: {numberOfContacts}/{actualLimit}</h3><p>You have reached the limit  of contacts. <a href="bttps://mtcextendee.com/contact"><strong>contact support</strong></a></p>',
+    'message' => '<h3>Contacts limit: {numberOfContacts}/{actualLimit}</h3><p>You have reached the limit  of contacts. <a href="bttps://mtcextendee.com/contact"><strong>contact support</strong></a></p>',
     'style'=>'.alert-limiter-custom { background:red; color:#fff; }',
+    'api_secret_key' => 'some hash'
 ]
 ```
 
@@ -35,6 +36,7 @@ Configure Limiter from config (app/config/local.php)
 - message - your message (allow HTML)
 - routes - array of url routes with wildcard
 - style - css style for alert message (class .alert-limiter-custom)
+- api_secret_key - add API secret key If you want use API. This key would be validate from request
 
 **Every change require clear cache (app/cache/prod/)**  
 
@@ -73,32 +75,36 @@ $api = new \Mautic\Api\Api($auth, $apiUrl);
 $response = $api->makeRequest(
     'limiter/message/update',
     [
-        'limit' => 'My custom message'
+        'message' => 'My custom message',
+        'api_secret_key' => 'somehash'
     ],
     'POST'
 );
 $response = $api->makeRequest(
     'limiter/style/update',
     [
-        'style' => 'My custom message'
+        'style' => '.alert-limiter-custom { background:red } ',
+        'api_secret_key' => 'somehash'
     ],
     'POST'
 );
 $response = $api->makeRequest(
     'limiter/limit/update',
     [
-        'limit' => 1000
+        'limit' => 1000,
+        'api_secret_key' => 'somehash'
     ],
     'POST'
 );
 $response = $api->makeRequest(
     'limiter/routes/update',
     [
         'routes' => [
-            'mautic_campaign_action' => [
-                'objectAction' => 'new',
-            ],
+           		'*contacts/new',
+           		'*contacts/edit*',
+           		'*campaigns/edit*'
         ],
+        'api_secret_key' => 'somehash'
     ],
     'POST'
 );