API: Prevented non-GET requests when using cookie-based auth

Added test to cover.

Author: ssddanbrown

app/Http/Middleware/ApiAuthenticate.php

@@ -17,7 +17,7 @@ class ApiAuthenticate
     public function handle(Request $request, Closure $next)
     {
         // Validate the token and it's users API access
-        $this->ensureAuthorizedBySessionOrToken();
+        $this->ensureAuthorizedBySessionOrToken($request);
 
         return $next($request);
     }
@@ -28,15 +28,21 @@ public function handle(Request $request, Closure $next)
      *
      * @throws ApiAuthException
      */
-    protected function ensureAuthorizedBySessionOrToken(): void
+    protected function ensureAuthorizedBySessionOrToken(Request $request): void
     {
         // Return if the user is already found to be signed in via session-based auth.
-        // This is to make it easy to browser the API via browser after just logging into the system.
+        // This is to make it easy to browse the API via browser when exploring endpoints via the UI.
         if (!user()->isGuest() || session()->isStarted()) {
+            // Ensure the user has API access permission
             if (!$this->sessionUserHasApiAccess()) {
                 throw new ApiAuthException(trans('errors.api_user_no_api_permission'), 403);
             }
 
+            // Only allow GET requests for cookie-based API usage
+            if ($request->method() !== 'GET') {
+                throw new ApiAuthException(trans('errors.api_cookie_auth_only_get'), 403);
+            }
+
             return;
         }
 

lang/en/errors.php

@@ -125,6 +125,7 @@
     'api_incorrect_token_secret' => 'The secret provided for the given used API token is incorrect',
     'api_user_no_api_permission' => 'The owner of the used API token does not have permission to make API calls',
     'api_user_token_expired' => 'The authorization token used has expired',
+    'api_cookie_auth_only_get' => 'Only GET requests are allowed when using the API with cookie-based authentication',
 
     // Settings & Maintenance
     'maintenance_test_email_failure' => 'Error thrown when sending a test email:',

tests/Api/ApiAuthTest.php

@@ -112,6 +112,27 @@ public function test_access_prevented_for_guest_users_with_api_permission_while_
         $resp->assertStatus(200);
     }
 
+    public function test_only_get_requests_are_supported_with_session_auth()
+    {
+        $user = $this->users->admin();
+        $this->actingAs($user, 'standard');
+
+        $uriByMethods = [
+            'POST' => '/books',
+            'PUT' => '/books/1',
+            'DELETE' => '/books/1',
+            'HEAD' => '/books',
+        ];
+
+        foreach ($uriByMethods as $method => $uri) {
+            $resp = $this->withCredentials()->json($method, "/api{$uri}");
+            $resp->assertStatus(403);
+            if ($method !== 'HEAD') {
+                $resp->assertJson($this->errorResponse('Only GET requests are allowed when using the API with cookie-based authentication', 403));
+            }
+        }
+    }
+
     public function test_token_expiry_checked()
     {
         $editor = $this->users->editor();