Add Bearer authentication support as alternative (#1565)

Author: Seldaek

css/app.scss

@@ -1832,3 +1832,26 @@ body {
 .icon-lock:before { content: '🔒'; } /* '\1f512' */
 .icon-lock-open:before { content: '🔓'; } /* '\1f513' */
 .icon-rocket:before { content: '🚀'; } /* '\1f680' */
+
+// API Documentation badges
+.badge {
+    display: inline-block;
+    min-width: 10px;
+    padding: 3px 7px;
+    font-size: 11px;
+    font-weight: 600;
+    line-height: 1;
+    color: #fff;
+    text-align: center;
+    white-space: nowrap;
+    vertical-align: middle;
+    border-radius: 10px;
+    margin-left: 8px;
+
+    &.bg-success {
+        background-color: #83c129;
+    }
+    &.bg-warning {
+        background-color: #ed9e2e;
+    }
+}

src/Controller/ApiController.php

@@ -514,6 +514,20 @@ protected function findUser(Request $request, ApiType $apiType = ApiType::Unsafe
             ? $request->request->get('apiToken')
             : $request->query->get('apiToken');
 
+        // Check for Bearer token authentication in format "username:apiToken"
+        // Bearer token takes precedence over query parameters
+        if ($request->headers->has('Authorization')) {
+            $authHeader = $request->headers->get('Authorization', '');
+            if (str_starts_with($authHeader, 'Bearer ')) {
+                $bearerToken = substr($authHeader, 7); // Remove 'Bearer ' prefix
+                if (str_contains($bearerToken, ':')) {
+                    [$bearerUsername, $bearerApiToken] = explode(':', $bearerToken, 2);
+                    $username = $bearerUsername;
+                    $apiToken = $bearerApiToken;
+                }
+            }
+        }
+
         if (!$apiToken || !$username) {
             return null;
         }

templates/api_doc/index.html.twig

@@ -5,6 +5,7 @@
 
 <ul class="toc">
   <li><a href="#best-practices">Best practices</a></li>
+  <li><a href="#authentication">Authentication</a></li>
   <li><a href="#list-packages">{{ 'api_doc.listing_names'|trans }}</a>
     <ul>
       <li><a href="#list-packages-all">{{ 'api_doc.all_packages'|trans }}</a></li>
@@ -43,7 +44,19 @@
 </section>
 
 <section class="col-d-12">
-<h3 id="list-packages">{{ 'api_doc.listing_names'|trans }}</h3>
+<h3 id="authentication">Authentication</h3>
+<p>A lot of our API is accessible <span class="badge bg-success">Anonymously</span>. For API endpoints that <span class="badge bg-warning">require authentication</span>, you can authenticate using either Bearer token authorization or query/request parameters:</p>
+<ul>
+    <li><strong>Bearer token:</strong> <code>Authorization: Bearer [username]:[apiToken]</code> header</li>
+    <li><strong>Query or request parameters:</strong> <code>username</code> and <code>apiToken</code> as query or POST parameters</li>
+</ul>
+<p>The Bearer token method is recommended as it keeps credentials out of URLs and logs.</p>
+<p>You have two API tokens accessible in your <a href="{{ path('my_profile') }}">profile page</a>. The SAFE one is meant to be used for readonly-style operations and can be leaked without causing too much trouble, so use this if possible when putting it in CI systems etc where it might not remain safe. The MAIN token is required for all API endpoints that are marked UNSAFE.</p>
+</p>
+</section>
+
+<section class="col-d-12">
+<h3 id="list-packages">{{ 'api_doc.listing_names'|trans }} <span class="badge bg-success">Anonymous</span></h3>
 <h4 id="list-packages-all">{{ 'api_doc.all_packages'|trans }}</h4>
 <pre>
 GET https://{{ packagist_host }}/packages/list.json
@@ -108,7 +121,7 @@ GET https://{{ packagist_host }}/packages/list.json?vendor=[type]&amp;fields[]=t
 
 
 <section class="col-d-12">
-<h3 id="list-popular-packages">List popular packages</h3>
+<h3 id="list-popular-packages">List popular packages <span class="badge bg-success">Anonymous</span></h3>
     <p>If you need to retrieve the most popular (this is sorted by downloads over the last week, not overall downloads to ensure we demote formerly-popular packages) packages please use this endpoint to avoid having to request the download stats for all of our 300K+ packages individually. This also includes faver count (github stars + packagist.org favorites) and downloads count. The API is paginated if you need more than 100.</p>
 <pre>
 GET https://{{ packagist_host }}/explore/popular.json?per_page=100
@@ -134,7 +147,7 @@ GET https://{{ packagist_host }}/explore/popular.json?per_page=100
 
 
 <section class="col-d-12">
-<h3 id="search-packages">{{ 'api_doc.searching'|trans }}</h3>
+<h3 id="search-packages">{{ 'api_doc.searching'|trans }} <span class="badge bg-success">Anonymous</span></h3>
 
 <p>Search results are paginated and you can change the pagination step by using the per_page parameter. For example <code>https://{{ packagist_host }}/search.json?q=[query]&amp;per_page=5</code></p>
 
@@ -206,7 +219,7 @@ GET https://{{ packagist_host }}/search.json?q=[query]&amp;type=symfony-bundle
 
 
 <section class="col-d-12">
-<h3 id="get-package-data">{{ 'api_doc.get_package_data'|trans }}</h3>
+<h3 id="get-package-data">{{ 'api_doc.get_package_data'|trans }} <span class="badge bg-success">Anonymous</span></h3>
 
 <h4 id="get-package-metadata-v2">Using the Composer v2 metadata</h4>
 
@@ -319,7 +332,7 @@ GET https://{{ packagist_host }}/packages/[vendor]/[package].json
 </section>
 
 <section class="col-d-12">
-<h3 id="get-package-stats">Get package download stats</h3>
+<h3 id="get-package-stats">Get package download stats <span class="badge bg-success">Anonymous</span></h3>
 <p>If you need complete package information and use <a href="#get-package-by-name">the JSON API</a> already then please use the <code>downloads</code> key to retrieve stats from that response.</p>
 
 <p>However if you are only interested in download stats for a set of package names, you can use the stats endpoint which includes overall download stats + the faver count (github stars + packagist.org favorites):</p>
@@ -345,7 +358,7 @@ GET https://{{ packagist_host }}/packages/[vendor]/[package]/stats.json
 
 
 <section class="col-d-12">
-<h3 id="track-package-updates">Track package updates</h3>
+<h3 id="track-package-updates">Track package updates <span class="badge bg-success">Anonymous</span></h3>
 
 <p>This endpoint provides you with a feed of metadata changes you can poll to know what packages you need to update.</p>
 
@@ -416,7 +429,7 @@ GET https://{{ packagist_host }}/metadata/changes.json?since=16140636710498
 
 
 <section class="col-d-12">
-    <h3 id="get-statistics">{{ 'api_doc.get_statistics'|trans }}</h3>
+    <h3 id="get-statistics">{{ 'api_doc.get_statistics'|trans }} <span class="badge bg-success">Anonymous</span></h3>
 
     <p>This endpoint provides basic some statistics.</p>
 
@@ -434,7 +447,7 @@ GET https://{{ packagist_host }}/statistics.json
 </section>
 
 <section class="col-d-12">
-    <h3 id="list-security-advisories">{{ 'api_doc.list_security_advisory'|trans }}</h3>
+    <h3 id="list-security-advisories">{{ 'api_doc.list_security_advisory'|trans }} <span class="badge bg-success">Anonymous</span></h3>
 
     <p>This endpoint provides a list of security advisories. Either a list of packages as query or request parameter or a timestamp as updatedSince query parameter need to be passed.</p>
 
@@ -479,60 +492,60 @@ GET https://{{ packagist_host }}/api/security-advisories/?updatedSince=[timestam
 
 
 <section class="col-d-12">
-    <h3 id="create-package">{{ 'api_doc.api_create_package'|trans }}</h3>
+    <h3 id="create-package">{{ 'api_doc.api_create_package'|trans }} <span class="badge bg-warning">Authentication Required</span></h3>
 
-    <p>This endpoint creates a package for a specific repo. Parameters <code>username</code> and <code>apiToken</code> are required. Only the <code>POST</code> method is allowed. The <code>content-type: application/json</code> header is required.</p>
+    <p>This endpoint creates a package for a specific repo. Only the <code>POST</code> method is allowed. The <code>content-type: application/json</code> header is required.</p>
     <p>This endpoint is considered UNSAFE and requires your main <a href="{{ path('my_profile') }}">API token</a> to be used.</p>
 
     <pre>
-POST https://{{ packagist_host }}/api/create-package?username=[username]&amp;apiToken=[apiToken] {"repository":"[url]"}
+POST https://{{ packagist_host }}/api/create-package {"repository":"[url]"}
 <code>
 {
   "status": "success"
 }
 </code></pre>
     <p>Working example:<br/>
-        <code>curl -X POST -H'Content-Type:application/json' 'https://{{ packagist_host }}/api/create-package?username={{ app.user.username|default('USERNAME') }}&amp;apiToken=********' -d '{"repository":"https://github.com/Seldaek/monolog"}'</code>
+        <code>curl -X POST -H'Content-Type:application/json' -H'Authorization: Bearer {{ app.user.username|default('USERNAME') }}:********' 'https://{{ packagist_host }}/api/create-package' -d '{"repository":"https://github.com/Seldaek/monolog"}'</code>
     </p>
 
 </section>
 
 <section class="col-d-12">
-    <h3 id="edit-package">Edit a package</h3>
+    <h3 id="edit-package">Edit a package <span class="badge bg-warning">Authentication Required</span></h3>
 
-    <p>This endpoint allows you to edit a package URL. Parameters <code>username</code> and <code>apiToken</code> are required. Only the <code>PUT</code> method is allowed. The <code>content-type: application/json</code> header is required.</p>
+    <p>This endpoint allows you to edit a package URL. Only the <code>PUT</code> method is allowed. The <code>content-type: application/json</code> header is required.</p>
     <p>This endpoint is considered UNSAFE and requires your main <a href="{{ path('my_profile') }}">API token</a> to be used.</p>
 
     <pre>
-PUT https://{{ packagist_host }}/api/packages/[package name]?username=[username]&amp;apiToken=[apiToken] {"repository":"[url]"}
+PUT https://{{ packagist_host }}/api/packages/[package name] {"repository":"[url]"}
 <code>
 {
   "status": "success"
 }
 </code></pre>
     <p>Working example:<br/>
-        <code>curl -X POST -H'Content-Type:application/json' 'https://{{ packagist_host }}/api/packages/monolog/monolog?username={{ app.user.username|default('USERNAME') }}&amp;apiToken=********' -d '{"repository":"https://github.com/Seldaek/monolog"}'</code>
+        <code>curl -X PUT -H'Content-Type:application/json' -H'Authorization: Bearer {{ app.user.username|default('USERNAME') }}:********' 'https://{{ packagist_host }}/api/packages/monolog/monolog' -d '{"repository":"https://github.com/Seldaek/monolog"}'</code>
     </p>
 
 </section>
 
 <section class="col-d-12">
-    <h3 id="update-package">Update a package</h3>
+    <h3 id="update-package">Update a package <span class="badge bg-warning">Authentication Required</span></h3>
 
-    <p>This endpoint updates a package by canonical repository URL or packagist.org package URL. Parameters <code>username</code> and <code>apiToken</code> are required. Only the <code>POST</code> method is allowed. The <code>content-type: application/json</code> header is required.</p>
+    <p>This endpoint updates a package by canonical repository URL or packagist.org package URL. Only the <code>POST</code> method is allowed. The <code>content-type: application/json</code> header is required.</p>
     <p>This endpoint is considered SAFE and allows either your main or safe <a href="{{ path('my_profile') }}">API token</a> to be used.</p>
 
     <pre>
-POST https://{{ packagist_host }}/api/update-package?username=[username]&amp;apiToken=[apiToken] {"repository":"[url]"}
+POST https://{{ packagist_host }}/api/update-package {"repository":"[url]"}
 <code>
 {
   "status": "success",
   "jobs": ["job-id", ".."]
 }
 </code></pre>
     <p>Working examples:<br/>
-        <code>curl -X POST -H'Content-Type:application/json' 'https://{{ packagist_host }}/api/update-package?username={{ app.user.username|default('USERNAME') }}&amp;apiToken=********' -d '{"repository":"https://github.com/Seldaek/monolog"}'</code><br/>
-        <code>curl -X POST -H'Content-Type:application/json' 'https://{{ packagist_host }}/api/update-package?username={{ app.user.username|default('USERNAME') }}&amp;apiToken=********' -d '{"repository":"https://packagist.org/monolog/monolog"}'</code>
+        <code>curl -X POST -H'Content-Type:application/json' -H'Authorization: Bearer {{ app.user.username|default('USERNAME') }}:********' 'https://{{ packagist_host }}/api/update-package' -d '{"repository":"https://github.com/Seldaek/monolog"}'</code><br/>
+        <code>curl -X POST -H'Content-Type:application/json' -H'Authorization: Bearer {{ app.user.username|default('USERNAME') }}:********' 'https://{{ packagist_host }}/api/update-package' -d '{"repository":"https://packagist.org/monolog/monolog"}'</code>
     </p>
 
 </section>

tests/Controller/ApiControllerTest.php

@@ -179,4 +179,106 @@ public function testSecurityAdvisories(): void
         $this->assertArrayHasKey('acme/package', $content['advisories']);
         $this->assertCount(1, $content['advisories']['acme/package']);
     }
+
+    public function testBearerTokenAuthentication(): void
+    {
+        $url = 'https://github.com/composer/composer';
+        $user = self::createUser();
+        $package = self::createPackage('test/'.bin2hex(random_bytes(10)), $url, maintainers: [$user]);
+        $this->store($user, $package);
+
+        $payload = json_encode(['repository' => $url]);
+
+        // Test with Bearer token in format username:apiToken
+        $this->client->request(
+            'POST',
+            '/api/update-package',
+            [],
+            [],
+            ['HTTP_Authorization' => 'Bearer test:api-token', 'CONTENT_TYPE' => 'application/json'],
+            $payload
+        );
+
+        $this->assertEquals(202, $this->client->getResponse()->getStatusCode(), $this->client->getResponse()->getContent());
+    }
+
+    public function testBearerTokenAuthenticationWithSafeToken(): void
+    {
+        $url = 'https://github.com/composer/composer';
+        $user = self::createUser();
+        $package = self::createPackage('test/'.bin2hex(random_bytes(10)), $url, maintainers: [$user]);
+        $this->store($user, $package);
+
+        $payload = json_encode(['repository' => $url]);
+
+        // Test with Bearer token using safe API token for safe endpoint
+        $this->client->request(
+            'POST',
+            '/api/update-package',
+            [],
+            [],
+            ['HTTP_Authorization' => 'Bearer test:safe-api-token', 'CONTENT_TYPE' => 'application/json'],
+            $payload
+        );
+
+        $this->assertEquals(202, $this->client->getResponse()->getStatusCode(), $this->client->getResponse()->getContent());
+    }
+
+    public function testBearerTokenAuthenticationInvalidCredentials(): void
+    {
+        $payload = json_encode(['repository' => 'https://github.com/composer/composer']);
+
+        // Test with invalid Bearer token
+        $this->client->request(
+            'POST',
+            '/api/update-package',
+            [],
+            [],
+            ['HTTP_Authorization' => 'Bearer invalid:invalid-token', 'CONTENT_TYPE' => 'application/json'],
+            $payload
+        );
+
+        $this->assertEquals(403, $this->client->getResponse()->getStatusCode(), $this->client->getResponse()->getContent());
+        $this->assertEquals(json_encode(['status' => 'error', 'message' => 'Missing or invalid username/apiToken in request']), $this->client->getResponse()->getContent());
+    }
+
+    public function testBearerTokenAuthenticationMalformed(): void
+    {
+        $payload = json_encode(['repository' => 'https://github.com/composer/composer']);
+
+        // Test with malformed Bearer token (no colon)
+        $this->client->request(
+            'POST',
+            '/api/update-package',
+            [],
+            [],
+            ['HTTP_Authorization' => 'Bearer invalidtoken', 'CONTENT_TYPE' => 'application/json'],
+            $payload
+        );
+
+        $this->assertEquals(403, $this->client->getResponse()->getStatusCode(), $this->client->getResponse()->getContent());
+        $this->assertEquals(json_encode(['status' => 'error', 'message' => 'Missing or invalid username/apiToken in request']), $this->client->getResponse()->getContent());
+    }
+
+    public function testBearerTokenAuthenticationOverridesQuery(): void
+    {
+        $url = 'https://github.com/composer/composer';
+        $user = self::createUser();
+        $package = self::createPackage('test/'.bin2hex(random_bytes(10)), $url, maintainers: [$user]);
+        $this->store($user, $package);
+
+        $payload = json_encode(['repository' => $url]);
+
+        // Test that Bearer token is used even when query params are present but invalid
+        $this->client->request(
+            'POST',
+            '/api/update-package?username=invalid&apiToken=invalid',
+            [],
+            [],
+            ['HTTP_Authorization' => 'Bearer test:api-token', 'CONTENT_TYPE' => 'application/json'],
+            $payload
+        );
+
+        $this->assertEquals(202, $this->client->getResponse()->getStatusCode(), $this->client->getResponse()->getContent());
+    }
 }