WIP

RhysLees · RhysLees · commit 1274c5e52794 · 2025-07-02T16:39:03.000+01:00
diff --git a/.phpunit.cache/test-results b/.phpunit.cache/test-results
diff --git a/README.md b/README.md
@@ -114,11 +114,67 @@ The package provides built-in routes for OAuth authentication:
 1. **Redirect to Bexio**: `/bexio/redirect`
 2. **OAuth Callback**: `/bexio/callback`
 
-You can customize the route prefix in your config file:
+You can customize the route prefix and middleware in your config file:
 
 ```php
 // config/bexio.php
 'route_prefix' => 'custom-bexio-prefix',
+
+// Add custom middleware to OAuth routes (in addition to 'web' middleware)
+'route_middleware' => ['auth', 'verified'],
+```
+
+#### OAuth Callback Response
+
+After the OAuth callback is processed, the user will be redirected to the URL specified in your configuration (`config('bexio.redirect_url')` or `/` by default) with flash session data indicating the result:
+
+**Success Response:**
+```php
+// When OAuth authentication is successful
+session()->get('bexio_oauth_success'); // true
+session()->get('bexio_oauth_message'); // 'Successfully authenticated with Bexio.'
+```
+
+**Error Responses:**
+```php
+// When user rejects authorization or OAuth returns an error
+session()->get('bexio_oauth_success'); // false
+session()->get('bexio_oauth_message'); // 'OAuth authorization failed: access_denied'
+
+// When required parameters (code or state) are missing
+session()->get('bexio_oauth_success'); // false
+session()->get('bexio_oauth_message'); // 'Missing required parameters: code or state.'
+```
+
+**Handling the callback in your controller:**
+```php
+<?php
+
+namespace App\Http\Controllers;
+
+use Illuminate\Http\Request;
+
+class DashboardController extends Controller
+{
+    public function index(Request $request)
+    {
+        if (session()->has('bexio_oauth_success')) {
+            $success = session()->get('bexio_oauth_success');
+            $message = session()->get('bexio_oauth_message');
+            
+            if ($success) {
+                // OAuth authentication was successful
+                // You can now use the BexioConnector to make API calls
+                return view('dashboard.index')->with('success', $message);
+            } else {
+                // OAuth authentication failed
+                return view('dashboard.index')->with('error', $message);
+            }
+        }
+
+        return view('dashboard.index');
+    }
+}
 ```
 
 ### Multi-Tenant Authentication
@@ -342,8 +398,42 @@ You can specify a custom cache store for OAuth token storage:
 // config/bexio.php
 'route_prefix' => 'api/bexio',        // Custom route prefix
 'redirect_url' => '/dashboard',       // Where to redirect after OAuth Callback
+
+// Add custom middleware to OAuth routes (in addition to 'web' middleware)
+'route_middleware' => ['auth', 'verified'],
+```
+
+#### Route Middleware
+
+The OAuth routes (`/bexio/redirect` and `/bexio/callback`) automatically include the `web` middleware group by default. You can add additional middleware using the `route_middleware` configuration:
+
+**Examples:**
+
+```php
+// Require authentication for OAuth routes
+'route_middleware' => ['auth'],
+
+// Require authentication and email verification
+'route_middleware' => ['auth', 'verified'],
+
+// Add custom middleware
+'route_middleware' => ['auth', 'custom-middleware'],
+
+// Multiple middleware with parameters
+'route_middleware' => ['auth:api', 'throttle:60,1'],
 ```
 
+**Common Use Cases:**
+
+- **Authentication Required**: Use `['auth']` to ensure only authenticated users can initiate OAuth flow
+- **Email Verification**: Use `['auth', 'verified']` for applications requiring email verification
+- **Rate Limiting**: Use `['throttle:10,1']` to limit OAuth attempts
+- **Custom Authorization**: Add your own middleware to control who can access OAuth routes
+
+The middleware will be applied to both OAuth routes:
+- `GET /bexio/redirect` - Initiates OAuth flow
+- `GET /bexio/callback` - Handles OAuth callback from Bexio
+
 ## Basic Usage
 
 After setting up authentication, create a connector instance:
diff --git a/config/bexio.php b/config/bexio.php
@@ -20,6 +20,10 @@
     // The prefix for the authentication routes
     'route_prefix' => null,
 
-    // Redirect after successful authentication
+    // Middleware for the authentication routes 'web' is included by default.
+    // You can add your own middleware here, e.g. ['auth', 'verified']
+    'route_middleware' => [],
+
+    // Redirect URL after OAuth callback
     'redirect_url' => env('BEXIO_REDIRECT_URL', ''),
 ];
diff --git a/routes/bexio.php b/routes/bexio.php
@@ -9,7 +9,7 @@
  * The default prefix is 'bexio'. It can be customized via 'route_prefix' in config/bexio.php.
  * If you change route names, update the connector accordingly.
  */
-Route::middleware(['web'])->prefix(config('bexio.route_prefix') ?? 'bexio')->group(function () {
+Route::middleware(array_merge(['web'], config('bexio.route_middleware')))->prefix(config('bexio.route_prefix') ?? 'bexio')->group(function () {
     Route::get('/redirect', [BexioOAuthController::class, 'redirect'])->name('bexio.oauth.redirect');
     Route::get('/callback', [BexioOAuthController::class, 'callback'])->name('bexio.oauth.callback');
 });
diff --git a/src/Http/Controllers/BexioOAuthController.php b/src/Http/Controllers/BexioOAuthController.php
@@ -44,6 +44,19 @@ public function redirect(): RedirectResponse
      */
     public function callback(Request $request): RedirectResponse
     {
+        // Handle OAuth errors (like user rejection)
+        if ($request->has('error')) {
+            return Redirect::to(config('bexio.redirect_url', '/'))
+                ->with('bexio_oauth_success', false)
+                ->with('bexio_oauth_message', 'OAuth authorization failed: ' . $request->get('error'));
+        }
+
+        if ($request->missing('code') || $request->missing('state')) {
+            return Redirect::to(config('bexio.redirect_url', '/'))
+                ->with('bexio_oauth_success', false)
+                ->with('bexio_oauth_message', 'Missing required parameters: code or state.');
+        }
+
         $authenticator = $this->connector()->getAccessToken(
             code: $request->get('code'),
             state: $request->get('state'),
@@ -53,6 +66,8 @@ public function callback(Request $request): RedirectResponse
         App::make(BexioOAuthAuthenticationStoreResolver::class)
             ->put(authenticator: $authenticator); // @phpstan-ignore-line
 
-        return Redirect::to(config('bexio.redirect_url', '/'));
+        return Redirect::to(config('bexio.redirect_url', '/'))
+            ->with('bexio_oauth_success', true)
+            ->with('bexio_oauth_message', 'Successfully authenticated with Bexio.');
     }
 }
