Fix FLEXIAPI-262 Bypass the JWT auth if we have an API

CHANGELOG.md

@@ -17,6 +17,7 @@ v1.6
 - Fix FLEXIAPI-242 Add stricter validation for the AccountCreationToken Push Notification endpoint
 - Fix FLEXIAPI-252 Update the hCaptcha Laravel library, use file instead of cookies to store the session to prevent empty errors bags
 - Fix FLEXIAPI-254 Allow no data on POST requests to not trigger the ValidateJSON middleware
+- Fix FLEXIAPI-262 Bypass the JWT auth if we have an API Key
 
 v1.5
 ---

flexiapi/app/Http/Middleware/AuthenticateJWT.php

@@ -99,7 +99,12 @@ class AuthenticateJWT
             return $next($request);
         }
 
-        if (!empty(config('app.account_authentication_bearer'))) {
+        if (
+            !empty(config('app.account_authentication_bearer'))
+            // Bypass the JWT auth if we have an API Key
+            && !$request->header('x-api-key')
+            && !$request->cookie('x-api-key')
+        ) {
             $response = new Response();
 
             $response->header(

flexiapi/tests/Feature/ApiAccountApiKeyTest.php

@@ -64,13 +64,20 @@ class ApiAccountApiKeyTest extends TestCase
             ->json($this->method, '/api/accounts/me')
             ->assertStatus(200);
 
+        $this->keyAuthenticated($account)
+            ->json($this->method, '/api/accounts/me')
+            ->assertStatus(200);
+
+        // Bypass the JWT middleware
+        config()->set('app.account_authentication_bearer', 'fake-bearer');
+
         $this->keyAuthenticated($account)
             ->json($this->method, '/api/accounts/me')
             ->assertStatus(200);
 
         $this->assertDatabaseHas('api_keys', [
             'account_id' => $account->id,
-            'requests' => 2
+            'requests' => 3
         ]);
 
         DB::table('api_keys')->update(['ip' => 'no_localhost']);