From b8bc5d5b587b4e901df4d27160f814bee6cb8514 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timoth=C3=A9e=20Jaussoin?=
Date: Thu, 30 Jan 2025 10:23:58 +0000
Subject: [PATCH] Fix FLEXIAPI-262 Bypass the JWT auth if we have an API

---
 CHANGELOG.md | 1 +
 flexiapi/app/Http/Middleware/AuthenticateJWT.php | 7 ++++++-
 flexiapi/tests/Feature/ApiAccountApiKeyTest.php | 9 ++++++++-
 3 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f7a55ff..f67972a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -17,6 +17,7 @@ v1.6
 - Fix FLEXIAPI-242 Add stricter validation for the AccountCreationToken Push Notification endpoint
 - Fix FLEXIAPI-252 Update the hCaptcha Laravel library, use file instead of cookies to store the session to prevent empty errors bags
 - Fix FLEXIAPI-254 Allow no data on POST requests to not trigger the ValidateJSON middleware
+- Fix FLEXIAPI-262 Bypass the JWT auth if we have an API Key
 
 v1.5
 ---
diff --git a/flexiapi/app/Http/Middleware/AuthenticateJWT.php b/flexiapi/app/Http/Middleware/AuthenticateJWT.php
index 571608f..d99d24d 100644
--- a/flexiapi/app/Http/Middleware/AuthenticateJWT.php
+++ b/flexiapi/app/Http/Middleware/AuthenticateJWT.php
@@ -99,7 +99,12 @@ class AuthenticateJWT
 return $next($request);
 }
 
- if (!empty(config('app.account_authentication_bearer'))) {
+ if (
+ !empty(config('app.account_authentication_bearer'))
+ // Bypass the JWT auth if we have an API Key
+ && !$request->header('x-api-key')
+ && !$request->cookie('x-api-key')
+ ) {
 $response = new Response();
 
 $response->header(
diff --git a/flexiapi/tests/Feature/ApiAccountApiKeyTest.php b/flexiapi/tests/Feature/ApiAccountApiKeyTest.php
index d53cbaf..171e5ab 100644
--- a/flexiapi/tests/Feature/ApiAccountApiKeyTest.php
+++ b/flexiapi/tests/Feature/ApiAccountApiKeyTest.php
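Review bot: The new condition in AuthenticateJWT skips the bearer check whenever an `x-api-key` header or cookie is merely present, not when it has been validated, so whether an unauthenticated request can now reach `$next($request)` depends entirely on an API-key middleware running later on the same route and rejecting missing or wrong keys — that ordering is not visible in this hunk and should be confirmed. If the API-key guard has already been resolved by this point, gating on its outcome would be tighter than gating on the raw credential; otherwise the assumption deserves to be written down, e.g. `// Presence only: the key itself is validated by the API-key middleware, which must run after this one`. The `!$request->header(...)` / `!$request->cookie(...)` tests are truthiness checks, so a key value such as `'0'` counts as absent; `!$request->hasHeader('x-api-key') && !$request->hasCookie('x-api-key')` states the intent exactly. The enclosing method starts and ends outside the hunk.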
@@ -64,13 +64,20 @@ class ApiAccountApiKeyTest extends TestCase
 ->json($this->method, '/api/accounts/me')
 ->assertStatus(200);
 
+ $this->keyAuthenticated($account)
+ ->json($this->method, '/api/accounts/me')
+ ->assertStatus(200);
+
+ // Bypass the JWT middleware
+ config()->set('app.account_authentication_bearer', 'fake-bearer');
+
 $this->keyAuthenticated($account)
 ->json($this->method, '/api/accounts/me')
 ->assertStatus(200);
 
 $this->assertDatabaseHas('api_keys', [
 'account_id' => $account->id,
- 'requests' => 2
+ 'requests' => 3
 ]);
 
 DB::table('api_keys')->update(['ip' => 'no_localhost']);
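Review bot: The added case after `config()->set('app.account_authentication_bearer', 'fake-bearer')` only covers the positive path — a request carrying a valid key still gets 200 — but nothing asserts that, under the same config, a request with no key or a wrong key is still refused, which is exactly the regression the presence-only bypass in AuthenticateJWT could introduce. A negative case next to it would pin that, e.g. `$this->withHeader('x-api-key', 'not-a-valid-key')->json($this->method, '/api/accounts/me')->assertStatus(401);` with the expected status confirmed against what the rejecting middleware actually returns. Assuming a rejected request does not touch `api_keys`, the `'requests' => 3` assertion would stay as it is. How `keyAuthenticated()` attaches the key is not visible here, and the enclosing test method starts outside the hunk.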