Move access to middleware

Author: nasrulhazim

config/laravel-media-secure.php

@@ -1,49 +1,87 @@
 <?php
 
 use CleaniqueCoders\LaravelMediaSecure\Http\Controllers\MediaController;
+use CleaniqueCoders\LaravelMediaSecure\Http\Middleware\ValidateMediaAccess;
 
 return [
     /**
-     * Spatie's Model Class Name
+     * Spatie's Media Library Model Class
+     *
+     * This specifies the Media model class from Spatie's MediaLibrary package
+     * that will be used for media file management and database operations.
      */
     'model' => \Spatie\MediaLibrary\MediaCollections\Models\Media::class,
 
     /**
-     * Spatie's Model Media Policy
+     * Media Access Policy Class
+     *
+     * This policy class handles authorization logic for media access.
+     * It determines whether a user can view, download, or stream specific media files.
      */
     'policy' => \CleaniqueCoders\LaravelMediaSecure\Policies\MediaPolicy::class,
 
     /**
-     * Controller to manage access to the media.
+     * Media Controller Configuration
+     *
+     * Defines the controller class and method responsible for handling
+     * media requests after middleware validation and authorization.
      */
     'controller' => [
         MediaController::class, '__invoke',
     ],
 
     /**
-     * Middleware want to apply to the media route.
+     * Route Middleware Stack
+     *
+     * Middleware applied to media routes in the specified order:
+     * - 'auth': Ensures user is authenticated
+     * - 'verified': Ensures user has verified their email (optional)
+     * - ValidateMediaAccess: Validates media access type, authorizes user, and prepares media (MANDATORY)
+     *
+     * Note: The ValidateMediaAccess middleware is required and cannot be removed
+     * as it handles critical security validation and media preparation.
      */
     'middleware' => [
-        'auth', 'verified',
+        'auth',
+        'verified',
+        ValidateMediaAccess::class, // Mandatory - handles validation, authorization, and media preparation
     ],
 
     /**
-     * Media URI.
+     * Media Route URI Prefix
+     *
+     * The URL prefix for all media routes. Media files will be accessible
+     * at URLs like: /media/{type}/{uuid}
+     *
+     * Example: /media/view/abc123-def456-ghi789
      */
     'prefix' => 'media',
 
     /**
-     * Route name.
+     * Media Route Name
+     *
+     * The named route identifier for media access routes.
+     * Used for generating URLs with route() helper: route('media', ['type' => 'view', 'uuid' => $uuid])
      */
     'route_name' => 'media',
 
     /**
-     * By default, all media require to be login.
+     * Authentication Requirement
+     *
+     * Determines whether authentication is required for media access.
+     * When true, users must be logged in to access any media files.
+     * Set to false only if you want to allow public media access.
      */
     'require_auth' => env('LARAVEL_MEDIA_SECURE_REQUIRE_AUTH', true),
 
     /**
-     * Strict mode - by default all media's model require policy.
+     * Strict Authorization Mode
+     *
+     * When enabled, all media access requests must pass through the MediaPolicy
+     * authorization checks. This provides fine-grained control over media access.
+     *
+     * When disabled, basic authentication (if required) is sufficient.
+     * Recommended to keep enabled for maximum security.
      */
     'strict' => env('LARAVEL_MEDIA_SECURE_STRICT', true),
 ];

routes/web.php

@@ -10,5 +10,5 @@
         config('laravel-media-secure.route_name')
     )
     ->middleware(
-        config('laravel-media-secure.middleware', ['auth', 'verified'])
+        config('laravel-media-secure.middleware', ['auth', 'verified', 'validate-media-access'])
     );

src/Http/Controllers/MediaController.php

@@ -14,11 +14,8 @@ class MediaController extends Controller
      */
     public function __invoke(Request $request, string $type, string $uuid)
     {
-        abort_if(! MediaAccess::acceptable($type), 422, 'Invalid request type of '.$type);
-
-        $media = config('laravel-media-secure.model')::whereUuid($uuid)->firstOrFail();
-
-        abort_if($request->user()->cannot($type, $media), 403, 'Unauthorized Access.');
+        // Media has been fetched and authorized in the ValidateMediaAccess middleware
+        $media = $request->attributes->get('media');
 
         if ($type == MediaAccess::VIEW->value || $type == MediaAccess::STREAM->value) {
             return response()->make(file_get_contents($media->getPath()), 200, [

src/Http/Middleware/ValidateMediaAccess.php

@@ -0,0 +1,35 @@
+<?php
+
+namespace CleaniqueCoders\LaravelMediaSecure\Http\Middleware;
+
+use CleaniqueCoders\LaravelMediaSecure\Enums\MediaAccess;
+use Closure;
+use Illuminate\Http\Request;
+
+class ValidateMediaAccess
+{
+    /**
+     * Handle an incoming request.
+     *
+     * @return mixed
+     */
+    public function handle(Request $request, Closure $next)
+    {
+        $type = $request->route('type');
+        $uuid = $request->route('uuid');
+
+        // Validate media access type
+        abort_if(! MediaAccess::acceptable($type), 422, 'Invalid request type of '.$type);
+
+        // Get the media model
+        $media = config('laravel-media-secure.model')::whereUuid($uuid)->firstOrFail();
+
+        // Check authorization
+        abort_if($request->user()->cannot($type, $media), 403, 'Unauthorized Access.');
+
+        // Add media to the request for use in the controller
+        $request->attributes->add(['media' => $media]);
+
+        return $next($request);
+    }
+}

src/LaravelMediaSecureServiceProvider.php

@@ -27,5 +27,17 @@ public function bootingPackage()
             config('laravel-media-secure.model'),
             config('laravel-media-secure.policy'),
         );
+
+        $this->registerMiddleware();
+    }
+
+    protected function registerMiddleware()
+    {
+        $router = $this->app['router'];
+
+        // Register the middleware with its alias if using Laravel < 10.0
+        if (method_exists($router, 'aliasMiddleware')) {
+            $router->aliasMiddleware('validate-media-access', \CleaniqueCoders\LaravelMediaSecure\Http\Middleware\ValidateMediaAccess::class);
+        }
     }
 }

tests/Feature/MediaMiddlewareTest.php

@@ -0,0 +1,224 @@
+<?php
+
+use CleaniqueCoders\LaravelMediaSecure\Http\Middleware\ValidateMediaAccess;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Artisan;
+use Illuminate\Support\Facades\Gate;
+use Illuminate\Support\Facades\Route;
+use Illuminate\Support\Facades\Schema;
+use Spatie\MediaLibrary\MediaCollections\Models\Media;
+use Symfony\Component\HttpKernel\Exception\HttpException;
+
+uses(RefreshDatabase::class);
+
+// Set up a login route for redirects and migrations
+beforeEach(function () {
+    // Set up migrations if they don't exist
+    if (! Schema::hasTable('users')) {
+        Artisan::call('migrate', [
+            '--path' => '../../../../tests/database/migrations/',
+        ]);
+    }
+
+    Route::get('/login', fn () => 'login')->name('login');
+});
+
+it('validates access type in the middleware', function () {
+    // Set up test route with middleware
+    Route::get('/test-media/{type}/{uuid}', function (Request $request, $type, $uuid) {
+        return 'passed';
+    })->middleware(ValidateMediaAccess::class);
+
+    // Remove exception handling to see the actual exceptions
+    $this->withoutExceptionHandling();
+
+    // Create a real user for testing
+    $user = user();
+    login($user);
+
+    // Test with invalid type - should throw an exception
+    $this->expectException(HttpException::class);
+    $this->expectExceptionMessage('Invalid request type of invalid-type');
+
+    $this->get('/test-media/invalid-type/123-uuid');
+})->group('middleware');
+
+it('checks authorization in the middleware', function () {
+    // Set up test route with middleware
+    Route::get('/test-media/{type}/{uuid}', function (Request $request, $type, $uuid) {
+        return 'passed';
+    })->middleware(ValidateMediaAccess::class);
+
+    // Remove exception handling
+    $this->withoutExceptionHandling();
+
+    // Create a real user for testing
+    $user = user();
+    login($user);
+
+    // Create a fake media UUID that doesn't exist
+    $fakeUuid = 'fake-uuid-123';
+
+    // Should throw model not found exception because media doesn't exist
+    $this->expectException(\Illuminate\Database\Eloquent\ModelNotFoundException::class);
+
+    $this->get('/test-media/view/'.$fakeUuid);
+})->group('middleware');
+
+it('adds media to the request attributes', function () {
+    // Create test route that checks for media in request attributes
+    Route::get('/test-media-attributes/{type}/{uuid}', function (Request $request, $type, $uuid) {
+        return $request->attributes->has('media') ? 'has media' : 'no media';
+    })->middleware(ValidateMediaAccess::class);
+
+    // Create a real user for testing
+    $user = user();
+    login($user);
+
+    // Create a real media record in the database
+    $media = new \Spatie\MediaLibrary\MediaCollections\Models\Media([
+        'model_type' => get_class($user),
+        'model_id' => $user->id,
+        'uuid' => 'test-uuid-123',
+        'collection_name' => 'default',
+        'name' => 'test-file',
+        'file_name' => 'test.txt',
+        'mime_type' => 'text/plain',
+        'disk' => 'public',
+        'conversions_disk' => 'public',
+        'size' => 100,
+        'manipulations' => '[]',
+        'custom_properties' => '{}',
+        'generated_conversions' => '{}',
+        'responsive_images' => '{}',
+    ]);
+    $media->save();
+
+    // Mock the Gate to allow access
+    Gate::shouldReceive('forUser')->andReturnSelf();
+    Gate::shouldReceive('check')->andReturn(true);
+
+    // Test that media was added to the request attributes
+    $this->get('/test-media-attributes/view/'.$media->uuid)
+        ->assertSuccessful()
+        ->assertSee('has media');
+})->group('middleware');
+
+// Test for each media type
+it('handles view media type correctly', function () {
+    // Set up test route with middleware
+    Route::get('/test-media/{type}/{uuid}', function (Request $request, $type, $uuid) {
+        // Check that the type is correctly passed
+        return 'Type: '.$type;
+    })->middleware(ValidateMediaAccess::class);
+
+    // Create a real user for testing
+    $user = user();
+    login($user);
+
+    // Create a real media record in the database
+    $media = new \Spatie\MediaLibrary\MediaCollections\Models\Media([
+        'model_type' => get_class($user),
+        'model_id' => $user->id,
+        'uuid' => 'test-uuid-view',
+        'collection_name' => 'default',
+        'name' => 'test-file',
+        'file_name' => 'test.txt',
+        'mime_type' => 'text/plain',
+        'disk' => 'public',
+        'conversions_disk' => 'public',
+        'size' => 100,
+        'manipulations' => '[]',
+        'custom_properties' => '{}',
+        'generated_conversions' => '{}',
+        'responsive_images' => '{}',
+    ]);
+    $media->save();
+
+    // Mock the Gate to allow access
+    Gate::shouldReceive('forUser')->andReturnSelf();
+    Gate::shouldReceive('check')->andReturn(true);
+
+    $this->get('/test-media/view/'.$media->uuid)
+        ->assertSuccessful()
+        ->assertSee('Type: view');
+})->group('middleware');
+
+it('handles download media type correctly', function () {
+    // Set up test route with middleware
+    Route::get('/test-media/{type}/{uuid}', function (Request $request, $type, $uuid) {
+        // Check that the type is correctly passed
+        return 'Type: '.$type;
+    })->middleware(ValidateMediaAccess::class);
+
+    // Create a real user for testing
+    $user = user();
+    login($user);
+
+    // Create a real media record in the database
+    $media = new \Spatie\MediaLibrary\MediaCollections\Models\Media([
+        'model_type' => get_class($user),
+        'model_id' => $user->id,
+        'uuid' => 'test-uuid-download',
+        'collection_name' => 'default',
+        'name' => 'test-file',
+        'file_name' => 'test.txt',
+        'mime_type' => 'text/plain',
+        'disk' => 'public',
+        'conversions_disk' => 'public',
+        'size' => 100,
+        'manipulations' => '[]',
+        'custom_properties' => '{}',
+        'generated_conversions' => '{}',
+        'responsive_images' => '{}',
+    ]);
+    $media->save();
+
+    // Mock the Gate to allow access
+    Gate::shouldReceive('forUser')->andReturnSelf();
+    Gate::shouldReceive('check')->andReturn(true);
+
+    $this->get('/test-media/download/'.$media->uuid)
+        ->assertSuccessful()
+        ->assertSee('Type: download');
+})->group('middleware');
+
+it('handles stream media type correctly', function () {
+    // Set up test route with middleware
+    Route::get('/test-media/{type}/{uuid}', function (Request $request, $type, $uuid) {
+        // Check that the type is correctly passed
+        return 'Type: '.$type;
+    })->middleware(ValidateMediaAccess::class);
+
+    // Create a real user for testing
+    $user = user();
+    login($user);
+
+    // Create a real media record in the database
+    $media = new \Spatie\MediaLibrary\MediaCollections\Models\Media([
+        'model_type' => get_class($user),
+        'model_id' => $user->id,
+        'uuid' => 'test-uuid-stream',
+        'collection_name' => 'default',
+        'name' => 'test-file',
+        'file_name' => 'test.txt',
+        'mime_type' => 'text/plain',
+        'disk' => 'public',
+        'conversions_disk' => 'public',
+        'size' => 100,
+        'manipulations' => '[]',
+        'custom_properties' => '{}',
+        'generated_conversions' => '{}',
+        'responsive_images' => '{}',
+    ]);
+    $media->save();
+
+    // Mock the Gate to allow access
+    Gate::shouldReceive('forUser')->andReturnSelf();
+    Gate::shouldReceive('check')->andReturn(true);
+
+    $this->get('/test-media/stream/'.$media->uuid)
+        ->assertSuccessful()
+        ->assertSee('Type: stream');
+})->group('middleware');