feat: implementado middleware de autenticacao jwt conforme especificacao

2026-05-03 22:13:41 -05:00
parent a23785b216
commit d7ed3d7fa5
5 changed files with 149 additions and 7 deletions
--- a/app/Http/Middleware/JwtAuthMiddleware.php
+++ b/app/Http/Middleware/JwtAuthMiddleware.php
@@ -0,0 +1,67 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Firebase\JWT\JWT;
+use Firebase\JWT\Key;
+use Exception;
+
+class JwtAuthMiddleware
+{
+    /**
+     * Handle an incoming request.
+     *
+     * @param  \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response)  $next
+     */
+    public function handle(Request $request, Closure $next): Response
+    {
+        // 1. Ler Authorization e extrair Bearer <token>
+        $authHeader = $request->header('Authorization');
+
+        if (!$authHeader || !preg_match('/Bearer\s(\S+)/', $authHeader, $matches)) {
+            return response()->json(['message' => 'Missing or invalid Authorization header'], 401); // Retorna 401 se falhar
+        }
+
+        $token = $matches[1];
+
+        // Corrige as quebras de linha da chave pública que vêm do .env
+        $publicKey = str_replace('\\n', "\n", env('JWT_PUBLIC_KEY_PEM'));
+        $issuer = env('JWT_ISSUER');
+        $audience = env('JWT_AUDIENCE');
+
+        try {
+            // 2. Validar assinatura RS256 com JWT_PUBLIC_KEY_PEM e expiração (automático pela biblioteca)
+            $decoded = JWT::decode($token, new Key($publicKey, 'RS256'));
+
+            // 3. Validar iss e aud
+            if ($decoded->iss !== $issuer) {
+                throw new Exception('Invalid issuer');
+            }
+
+            $tokenAudience = is_array($decoded->aud) ? $decoded->aud[0] : $decoded->aud;
+            if ($tokenAudience !== $audience) {
+                throw new Exception('Invalid audience');
+            }
+
+            // 4. Validar se sub existe (nosso user_id confiável)
+            if (!isset($decoded->sub) || empty(trim((string)$decoded->sub))) {
+                throw new Exception('Invalid token claims: sub is missing');
+            }
+
+            // 5. Montar a identificação para as rotas usarem (equivalente ao request.auth = { id: sub, token })
+            $request->attributes->add([
+                'auth_id' => $decoded->sub,
+                'token'   => $token
+            ]);
+
+            return $next($request);
+
+        } catch (Exception $e) {
+            // Retorna 401 para token inválido ou expirado
+            return response()->json(['message' => 'Invalid or expired access token'], 401);
+        }
+    }
+}