Merge pull request #1 from achmadhadikurnia/main

achmadhadikurnia · web-flow · commit f5b416b1b4f4 · 2026-05-21T15:43:41.000+07:00
refactor: enforce API key via header only, remove query parameter check
diff --git a/app/Http/Middleware/ApiKeyMiddleware.php b/app/Http/Middleware/ApiKeyMiddleware.php
@@ -10,8 +10,7 @@ class ApiKeyMiddleware
     /**
      * Handle an incoming request.
      *
-     * Validates the API key from either the X-Api-Key header
-     * or the api_key query parameter.
+     * Validates the API key from the X-Api-Key header.
      *
      * @param  Request  $request
      * @param  Closure  $next
@@ -26,14 +25,13 @@ public function handle(Request $request, Closure $next)
             return $next($request);
         }
 
-        // Check header first, then query parameter
-        $providedKey = $request->header('X-Api-Key')
-            ?? $request->query('api_key');
+        // Check header only
+        $providedKey = $request->header('X-Api-Key');
 
         if (empty($providedKey) || $providedKey !== $configuredKey) {
             return response()->json([
                 'error' => 'Unauthorized',
-                'message' => 'Invalid or missing API key. Provide via X-Api-Key header or api_key query parameter.',
+                'message' => 'Invalid or missing API key. Provide via X-Api-Key header.',
             ], 401);
         }
 

Original file line number	Diff line number	Diff line change
`@@ -10,8 +10,7 @@ class ApiKeyMiddleware`
`10`	`10`	`/**`
`11`	`11`	`* Handle an incoming request.`
`12`	`12`	`*`
`13`		`- * Validates the API key from either the X-Api-Key header`
`14`		`- * or the api_key query parameter.`
	`13`	`+ * Validates the API key from the X-Api-Key header.`
`15`	`14`	`*`
`16`	`15`	`* @param Request $request`
`17`	`16`	`* @param Closure $next`
`@@ -26,14 +25,13 @@ public function handle(Request $request, Closure $next)`
`26`	`25`	`return $next($request);`
`27`	`26`	`}`
`28`	`27`
`29`		`- // Check header first, then query parameter`
`30`		`- $providedKey = $request->header('X-Api-Key')`
`31`		`- ?? $request->query('api_key');`
	`28`	`+ // Check header only`
	`29`	`+ $providedKey = $request->header('X-Api-Key');`
`32`	`30`
`33`	`31`	`if (empty($providedKey) \|\| $providedKey !== $configuredKey) {`
`34`	`32`	`return response()->json([`
`35`	`33`	`'error' => 'Unauthorized',`
`36`		`- 'message' => 'Invalid or missing API key. Provide via X-Api-Key header or api_key query parameter.',`
	`34`	`+ 'message' => 'Invalid or missing API key. Provide via X-Api-Key header.',`
`37`	`35`	`], 401);`
`38`	`36`	`}`
`39`	`37`