SkinbaseNova/app/Http/Requests/Uploads/UploadStatusRequest.php

<?php

declare(strict_types=1);

namespace App\Http\Requests\Uploads;

use App\Repositories\Uploads\UploadSessionRepository;
use App\Services\Uploads\UploadTokenService;
use Illuminate\Foundation\Http\FormRequest;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;

final class UploadStatusRequest extends FormRequest
{
    public function authorize(): bool
    {
        $user = $this->user();
        if (! $user) {
            $this->logUnauthorized('missing_user');
            $this->denyAsNotFound();
        }

        $sessionId = (string) $this->route('id');
        if ($sessionId === '') {
            $this->logUnauthorized('missing_session_id');
            $this->denyAsNotFound();
        }

        $sessions = $this->container->make(UploadSessionRepository::class);
        $session = $sessions->get($sessionId);
        if (! $session || $session->userId !== $user->id) {
            $this->logUnauthorized('not_owned_or_missing');
            $this->denyAsNotFound();
        }

        $token = $this->header('X-Upload-Token') ?: $this->input('upload_token');
        if ($token) {
            $tokens = $this->container->make(UploadTokenService::class);
            $payload = $tokens->get((string) $token);
            if (! $payload) {
                $this->logUnauthorized('invalid_token');
                $this->denyAsNotFound();
            }

            if (($payload['session_id'] ?? null) !== $sessionId) {
                $this->logUnauthorized('token_session_mismatch');
                $this->denyAsNotFound();
            }

            if ((int) ($payload['user_id'] ?? 0) !== (int) $user->id) {
                $this->logUnauthorized('token_user_mismatch');
                $this->denyAsNotFound();
            }
        }

        return true;
    }

    private function denyAsNotFound(): void
    {
        throw new NotFoundHttpException();
    }

    private function logUnauthorized(string $reason): void
    {
        logger()->warning('Upload status unauthorized access', [
            'reason' => $reason,
            'session_id' => (string) $this->route('id'),
            'user_id' => $this->user()?->id,
            'ip' => $this->ip(),
        ]);
    }

    public function rules(): array
    {
        return [
            'id' => 'required|uuid',
            'upload_token' => 'nullable|string|min:40|max:200',
        ];
    }

    protected function prepareForValidation(): void
    {
        $this->merge([
            'id' => $this->route('id'),
        ]);
    }
}