bearerToken(); if ($bearer === null || $bearer === '') { return null; } if (str_starts_with($bearer, config('api.token_prefix'))) { return $this->fromApiToken($bearer); } if ($ldap = $this->fromLdapJwt($bearer)) { return $ldap; } return $this->fromPassportToken($request); } private function fromApiToken(string $plain): ?ApiActor { $record = $this->apiTokens->findByPlainText($plain); if ($record === null) { return null; } $scopes = $record->scopes ?? []; $isAdmin = in_array('admin', $scopes, true); return new ApiActor('api_token', $record->name, $scopes, $isAdmin); } private function fromLdapJwt(string $jwt): ?ApiActor { $payload = $this->ldapJwt->validate($jwt); if ($payload === null || $payload['username'] === '') { return null; } return new ApiActor( 'ldap_jwt', $payload['username'], $payload['scopes'], $payload['is_admin'], $payload['groups'] ?? [], ); } private function fromPassportToken(Request $request): ?ApiActor { try { $psr = (new PsrHttpFactory)->createRequest($request); $validated = $this->resourceServer->validateAuthenticatedRequest($psr); $clientId = (string) $validated->getAttribute('oauth_client_id'); $scopes = array_filter(explode(' ', (string) $validated->getAttribute('oauth_scopes', ''))); $client = Client::find($clientId); $name = $client?->name ?? $clientId; return new ApiActor('oauth_client', $name, array_values($scopes), in_array('admin', $scopes, true)); } catch (OAuthServerException) { return null; } } }