Improve API client usability

[qwerty287]

• add an API token system. This assigns a token to every user which you can view, reset, copy etc. This token allows authorized access to API endpoints using the Authorization header.
• do not require Content-Type and Accept headers, if they allow any type or are missing, ignore them, only if they are wrong an exception is thrown.
• add an endpoint User::getCurrent which allows to get the user which is currently logged in

Closes #1356

[qwerty287]

Does anybody know why the SQLite rollback migration fails and how I can fix it?

[codecov]

Codecov Report

Merging #1368 (fc3fd82) into master (ed4240e) will decrease coverage by 0.50%.
The diff coverage is 97.14%.

❗ Current head fc3fd82 differs from pull request most recent head 35bac96. Consider uploading reports for the commit 35bac96 to get more accurate results

Additional details and impacted files

[qwerty287]

I think CI failure is not related. (Only pgsql fails, MariaDB and locally SQLite work)

[kamil4]

I left some (hopefully useful) comments, but somebody with a greater understanding of the api_key feature should have a look (I've never used it or even bothered to fully understand it).

[ildyria]

• Merged from master.
• fixed conflicts.
• tested.
• add possibility to disable the token feature by leaving it "empty".

[ildyria]

Tested - LGTM.

[ildyria]

@qwerty287 can you check if you are happy with my changes? :)

[nagmat84]

Please give me the chance to do a review, too, before merge.

[qwerty287]

@ildyria in general yes, but adding the old api key for the admin means that an api key that had no permissions before now has admin permissions. I can fix it.

[nagmat84]

No text (just a "review" such that GH remembers what I have already seen)

[nagmat84]

The only thing which remains to be done now, is step-debugging through user authentication middleware.

[nagmat84]

While I believe that the code is correct, I am currently unable to write proper tests for it. Again, the problem is that the application object survives between tests. As we already have had this problem once or twice and posted this question laravel/framework#44086.

In the past we could always help ourselves with some workaround, but in this case I am lost. I hope some answers.

[nagmat84]

And another one: laravel/framework#44088

[nagmat84]

I fixed the tests. While SessionOrTokenGuard has become more complicated than I initially thought, I am rather convinced that it should be fine. We have 96% test coverage and the only two lines which are not tested affect the "remember-me" token which we don't use.

Only two things remain:

@qwerty287 please check if you are fine with my changes and if the PR still does what you want it to do.

The issue #1368 (comment) needs to be addressed.

[qwerty287]

How should I fix the sqlite issue? Don't remove the column if it's SQLite?

Changes are fine otherwise.

[nagmat84]

How should I fix the sqlite issue? Don't remove the column if it's SQLite?

For the same issue in other cases, we decided to not delete the column for any DBMS in order to keep the tables consistent between SQLite, MySQL and PostgreSQL. Otherwise it will be a nightmare to clean it up later.

Simply add the column to #1321 such that we do not forget about it. When I will be ready with an PR for #1462, the tables need an extensive change such that we can clean up all the postponed changes, too.

[qwerty287]

Let's wait for the tests and merge then.

[qwerty287]

Hmm GH Actions seems not to work 🤔