[6.x] REST API Authentication (#12051)

duncanmcclean · jasonvarga · web-flow · commit cb12e54cc8f5 · 2025-09-04T13:10:54.000-04:00
Co-authored-by: Jason Varga &lt;jason@pixelfear.com&gt;
diff --git a/config/api.php b/config/api.php
@@ -31,12 +31,24 @@
 
     /*
     |--------------------------------------------------------------------------
-    | Middleware & Authentication
+    | Authentication
+    |--------------------------------------------------------------------------
+    |
+    | By default, the API will be publicly accessible. However, you may define
+    | an API token here which will be used to authenticate requests.
+    |
+    */
+
+    'auth_token' => env('STATAMIC_API_AUTH_TOKEN'),
+
+    /*
+    |--------------------------------------------------------------------------
+    | Middleware
     |--------------------------------------------------------------------------
     |
     | Define the middleware / middleware group that will be applied to the
     | API route group. If you want to externally expose this API, here
-    | you can configure a middleware based authentication layer.
+    | you can configure a middleware-based authentication layer.
     |
     */
 
diff --git a/routes/routes.php b/routes/routes.php
@@ -2,13 +2,15 @@
 
 use Illuminate\Support\Facades\Route;
 use Statamic\API\Middleware\Cache;
+use Statamic\API\Middleware\HandleAuthentication;
 use Statamic\Facades\Glide;
 use Statamic\Http\Middleware\CP\SwapExceptionHandler as SwapCpExceptionHandler;
 use Statamic\Http\Middleware\RequireStatamicPro;
 
 if (config('statamic.api.enabled')) {
     Route::middleware([
         RequireStatamicPro::class,
+        HandleAuthentication::class,
         Cache::class,
     ])->group(function () {
         Route::middleware(config('statamic.api.middleware'))
diff --git a/src/API/Middleware/HandleAuthentication.php b/src/API/Middleware/HandleAuthentication.php
@@ -0,0 +1,26 @@
+<?php
+
+namespace Statamic\API\Middleware;
+
+use Closure;
+
+class HandleAuthentication
+{
+    /**
+     * Handle an incoming request.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @return mixed
+     */
+    public function handle($request, Closure $next)
+    {
+        if (
+            ($token = config('statamic.api.auth_token'))
+            && ($request->bearerToken() !== $token)
+        ) {
+            abort(401);
+        }
+
+        return $next($request);
+    }
+}
diff --git a/tests/API/AuthenticationTest.php b/tests/API/AuthenticationTest.php
@@ -0,0 +1,80 @@
+<?php
+
+namespace vendor\statamic\cms\tests\API;
+
+use PHPUnit\Framework\Attributes\Test;
+use Statamic\Facades;
+use Tests\PreventSavingStacheItemsToDisk;
+use Tests\TestCase;
+
+class AuthenticationTest extends TestCase
+{
+    use PreventSavingStacheItemsToDisk;
+
+    private $collection;
+
+    public function setUp(): void
+    {
+        parent::setUp();
+
+        Facades\Config::set('statamic.api.enabled', true);
+        Facades\Config::set('statamic.api.resources.collections', true);
+
+        $this->collection = Facades\Collection::make('articles')->save();
+    }
+
+    #[Test]
+    public function it_can_authenticate_using_auth_token()
+    {
+        Facades\Config::set('statamic.api.auth_token', 'foobar');
+
+        $this
+            ->withToken('foobar')
+            ->getJson('/api/collections/articles/entries')
+            ->assertOk();
+    }
+
+    #[Test]
+    public function it_cant_authenticate_with_invalid_auth_token()
+    {
+        Facades\Config::set('statamic.api.auth_token', 'foobar');
+
+        $this
+            ->withToken($token = 'invalid')
+            ->getJson($url = '/api/collections/articles/entries')
+            ->assertUnauthorized();
+
+        $this
+            ->withToken($token)
+            ->get($url)
+            ->assertUnauthorized();
+    }
+
+    #[Test]
+    public function it_cant_authenticate_without_auth_token()
+    {
+        Facades\Config::set('statamic.api.auth_token', 'foobar');
+
+        $this
+            ->getJson($url = '/api/collections/articles/entries')
+            ->assertUnauthorized();
+
+        $this
+            ->get($url)
+            ->assertUnauthorized();
+    }
+
+    #[Test]
+    public function authentication_only_required_when_auth_token_is_set()
+    {
+        Facades\Config::set('statamic.api.auth_token', null);
+
+        $this
+            ->getJson($url = '/api/collections/articles/entries')
+            ->assertOk();
+
+        $this
+            ->get($url)
+            ->assertOk();
+    }
+}
