Added module code

Author: rimi-itk

README.md

@@ -1,2 +1,136 @@
 # OS2Forms REST API
 
+We use [Webform REST](https://www.drupal.org/project/webform_rest) to expose a
+number of API endpoints.
+
+## Authentication
+
+We use [Key auth](https://www.drupal.org/project/key_auth) for authenticating
+api users.
+
+A user can access the REST API if
+
+1. it has the “API user” (`api_user`) role and
+2. has a generated key (User > Edit > Key authentication; `/user/«user
+   id»/key-auth`).
+
+The “API user” role gives read-only access to the API. To get read access, a
+user must also have the “API user (write)” (`api_user_write`) role.
+
+## Endpoints
+
+| Name               | Path                                           | Methods |
+|--------------------|------------------------------------------------|---------|
+| Webform Elements   | `/webform_rest/{webform_id}/elements`          | GET     |
+| Webform Fields     | `/webform_rest/{webform_id}/fields`            | GET     |
+| Webform Submission | `/webform_rest/{webform_id}/submission/{uuid}` | GET     |
+| Webform Submit     | `/webform_rest/submit`                         | POST    |
+| File               | `/entity/file/{file_id}`                       | GET     |
+
+## Examples
+
+### Submit webform
+
+Request:
+
+```sh
+> curl --silent --location --header 'api-key: …' --header 'content-type: application/json' https://127.0.0.1:8000/webform_rest/submit --data @- <<'JSON'
+{
+  "webform_id": "{webform_id}",
+  "//": "Webform field values (cf. /webform_rest/{webform_id}/fields)",
+  "navn_": "Mikkel",
+  "adresse": "Livets landevej",
+  "mail_": "[email protected]",
+  "telefonnummer_": "12345678"
+}
+JSON
+```
+
+Response:
+
+```json
+{"sid":"6d95afe9-18d1-4a7d-a1bf-fd38c58c7733"}
+```
+
+(the `sid`value is a webform submission uuid).
+
+### Get document from webform id and submission uuid
+
+Example uses `some_webform_id` as webform id, `some_submission_id` as
+submission id and `dokumenter` as the webform document element key.
+
+Request:
+
+```sh
+> curl --silent --header 'api-key: …' https://127.0.0.1:8000/webform_rest/some_webform_id/submission/some_submission_uuid
+```
+
+Response:
+
+```json
+{
+  …,
+  "data": {
+    "navn": "Jeppe",
+    "telefon": "87654321"
+    "dokumenter": {
+      "some_document_id",
+      "some_other_docuent_id"
+    }
+  }
+}
+```
+
+Use the file endpoint from above to get information on a file,
+substituting `{file_id}` with the actual file id (`some_document_id`)
+from the previous request.
+
+Request:
+
+```sh
+> curl --silent --header 'api-key: …' https://127.0.0.1:8000/webform_rest/entity/file/some_document_id
+```
+
+Response:
+
+```json
+{
+  …,
+  "uri": [
+    {
+      "value": "private:…",
+      "url": "/system/files/webform/some_webform_id/…"
+    }
+  ],
+  …
+}
+```
+
+Finally, you can get the actual file by combining the base url
+with the url from above response:
+
+```sh
+> curl --silent --header 'api-key: …' http://127.0.0.1:8000/system/files/webform/some_webform_id/…
+```
+
+Response:
+The actual document.
+
+## Custom access control
+
+To limit access to webforms, you can specify a list of API users that are
+allowed to access a webform's data via the API.
+
+Go to Settings > General > Third party settings > OS2Forms > REST API to specify
+which users can access a webform's data. **If no users are specified, all API
+users can access the data.**
+
+### Technical details
+
+The custom access check is implemented in an event subscriber listening on the
+`KernelEvents::REQUEST` event. See
+[EventSubscriber::onRequest](src/EventSubscriber/EventSubscriber.php) for
+details.
+
+In order to make documents accessible for api users the Key auth `authentication_provider`
+service has been overwritten to be global. See [os2forms_rest_api.services](os2forms_rest_api.services.yml).

composer.json

@@ -0,0 +1,22 @@
+{
+    "name": "os2forms/os2forms_rest_api",
+    "description": "OS2Forms REST API",
+    "type": "drupal-module",
+    "license": "MIT",
+    "authors": [
+        {
+            "name": "Mikkel Ricky",
+            "email": "[email protected]"
+        }
+    ],
+    "minimum-stability": "dev",
+    "prefer-stable": true,
+    "require-dev": {
+        "drupal/coder": "^8.3",
+        "dealerdirect/phpcodesniffer-composer-installer": "^0.7.1"
+    },
+    "scripts": {
+        "coding-standards-check": "phpcs --standard=phpcs.xml.dist",
+        "coding-standards-apply": "phpcbf --standard=phpcs.xml.dist"
+    }
+}

os2forms_rest_api.info.yml

@@ -0,0 +1,7 @@
+name: 'OS2Form REST API'
+type: module
+description: 'OS2Form REST API'
+package: Web services
+core_version_requirement: ^9
+dependencies:
+  - drupal:key_auth

os2forms_rest_api.module

@@ -0,0 +1,25 @@
+<?php
+
+/**
+ * @file
+ * Contains hooks related to OS2Forms REST API module.
+ */
+
+use Drupal\Core\Form\FormStateInterface;
+use Drupal\os2forms_rest_api\WebformHelper;
+
+/**
+ * Implements hook_webform_third_party_settings_form_alter().
+ *
+ * @see WebformHelper::webformThirdPartySettingsFormAlter()
+ */
+function os2forms_rest_api_webform_third_party_settings_form_alter(array &$form, FormStateInterface $form_state) {
+  \Drupal::service(WebformHelper::class)->webformThirdPartySettingsFormAlter($form, $form_state);
+}
+
+/**
+ * Implements hook_file_download().
+ */
+function os2forms_rest_api_file_download(string $uri) {
+  return \Drupal::service(WebformHelper::class)->fileDownload($uri);
+}

os2forms_rest_api.services.yml

@@ -0,0 +1,22 @@
+services:
+  Drupal\os2forms_rest_api\WebformHelper:
+    arguments:
+      - '@entity_type.manager'
+      - '@current_user'
+      - '@key_auth.authentication.key_auth'
+
+  Drupal\os2forms_rest_api\EventSubscriber\EventSubscriber:
+    arguments:
+      - '@current_route_match'
+      - '@current_user'
+      - '@Drupal\os2forms_rest_api\WebformHelper'
+    tags:
+      - { name: 'event_subscriber' }
+
+  # Overwrite, adding global tag
+  # @see https://www.drupal.org/docs/drupal-apis/services-and-dependency-injection/altering-existing-services-providing-dynamic-services
+  key_auth.authentication.key_auth:
+    class: Drupal\key_auth\Authentication\Provider\KeyAuth
+    arguments: [ '@key_auth' ]
+    tags:
+      - { name: authentication_provider, provider_id: 'key_auth', priority: 200, global: true }

src/EventSubscriber/EventSubscriber.php

@@ -0,0 +1,105 @@
+<?php
+
+namespace Drupal\os2forms_rest_api\EventSubscriber;
+
+use Drupal\Core\Routing\RouteMatchInterface;
+use Drupal\Core\Session\AccountProxyInterface;
+use Drupal\os2forms_rest_api\WebformHelper;
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Component\HttpKernel\Event\KernelEvent;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
+use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
+use Symfony\Component\HttpKernel\KernelEvents;
+
+/**
+ * Event subscriber.
+ */
+class EventSubscriber implements EventSubscriberInterface {
+  /**
+   * The route match.
+   *
+   * @var \Drupal\Core\Routing\RouteMatchInterface
+   */
+  private RouteMatchInterface $routeMatch;
+
+  /**
+   * The current user.
+   *
+   * @var \Drupal\Core\Session\AccountProxyInterface
+   */
+  private AccountProxyInterface $currentUser;
+
+  /**
+   * The webform helper.
+   *
+   * @var \Drupal\os2forms_rest_api\WebformHelper
+   */
+  private WebformHelper $webformHelper;
+
+  /**
+   * Constructor.
+   */
+  public function __construct(RouteMatchInterface $routeMatch, AccountProxyInterface $currentUser, WebformHelper $webformHelper) {
+    $this->routeMatch = $routeMatch;
+    $this->currentUser = $currentUser;
+    $this->webformHelper = $webformHelper;
+  }
+
+  /**
+   * On request handler.
+   *
+   * Check for user access to webform API resource.
+   */
+  public function onRequest(KernelEvent $event) {
+    $routeName = $this->routeMatch->getRouteName();
+    $restRouteNames = [
+      'rest.webform_rest_elements.GET',
+      'rest.webform_rest_fields.GET',
+      'rest.webform_rest_submission.GET',
+      'rest.webform_rest_submission.PATCH',
+      'rest.webform_rest_submit.POST',
+    ];
+    if ($this->currentUser->isAnonymous() || !in_array($routeName, $restRouteNames, TRUE)) {
+      return;
+    }
+
+    $webformId = $this->routeMatch->getParameter('webform_id');
+    $submissionUuid = $this->routeMatch->getParameter('uuid');
+
+    // Handle webform submission.
+    if ('rest.webform_rest_submit.POST' === $routeName) {
+      try {
+        $content = json_decode($event->getRequest()->getContent(), TRUE, 512, JSON_THROW_ON_ERROR);
+        $webformId = (string) $content['webform_id'];
+      }
+      catch (\JsonException $exception) {
+      }
+    }
+
+    if (!isset($webformId)) {
+      throw new BadRequestHttpException('Cannot get webform id');
+    }
+
+    $webform = $this->webformHelper->getWebform($webformId, $submissionUuid);
+
+    if (NULL === $webform) {
+      return;
+    }
+
+    $allowedUsers = $this->webformHelper->getAllowedUsers($webform);
+    if (!empty($allowedUsers) && !isset($allowedUsers[$this->currentUser->id()])) {
+      throw new AccessDeniedHttpException('Access denied');
+    }
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public static function getSubscribedEvents() {
+    return [
+      // @see https://www.drupal.org/project/drupal/issues/2924954#comment-12350447
+      KernelEvents::REQUEST => ['onRequest', 31],
+    ];
+  }
+
+}