Drupal8 AuthenticationProvider Example
<?php
namespace Drupal\rest_auth\Authentication;
use Drupal\Core\Authentication\AuthenticationProviderInterface;
use Symfony\Component\HttpFoundation\Request;
use Drupal\Core\Session\UserSession;
use Symfony\Component\HttpKernel\Exception\HttpException;
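/**
 * Authentication provider to validate requests with x-api-key directive in header.
 *
 * Two request headers are read: "x-api-key", compared against a shared secret,
 * and "userinfo", a token whose "email" claim selects the account to return.
 */
class RestAuth implements AuthenticationProviderInterface {

  /**
   * {@inheritdoc}
   */
  public function applies(Request $request) {
    // Authentication providers are consulted on every route, including
    // ordinary HTML pages. This provider should only run for REST API
    // requests, so it opts in only when the x-api-key header is present.
    // When this returns FALSE the provider is skipped and authenticate() is
    // not called; whether the request is then refused depends on the route's
    // own access requirements, not on this class.
    return $request->headers->has('x-api-key');
  }

  /**
   * {@inheritdoc}
   *
   * @throws \Symfony\Component\HttpKernel\Exception\HttpException
   *   When the API key does not match, the userinfo header is missing, or no
   *   account exists for the e-mail address carried in the token.
   */
  public function authenticate(Request $request) {
    // Placeholder from the example. A real deployment should read the secret
    // from configuration or the environment rather than from source code.
    $expectedKey = 'some-value';
    $providedKey = (string) $request->headers->get('x-api-key', '');

    // hash_equals() compares in constant time, so the response time does not
    // reveal how many leading characters of the key were correct. It is also
    // a strict string comparison, unlike a loose "==".
    if (!hash_equals($expectedKey, $providedKey)) {
      // Throw, never return: a returned exception object would be handed back
      // to the caller as if it were the authenticated account.
      throw new HttpException(400, 'Specified x-api-key value is incorrect');
    }

    $token = $request->headers->get('userinfo');
    if ($token === NULL || $token === '') {
      throw new HttpException(400, 'Incorrect user');
    }

    // Pseudo logic to decode the JWT token, kept from the original example.
    // NOTE(review): the JWT class is not imported in this file and no key or
    // algorithm is passed here. The decoder must verify the token signature
    // (and expiry); otherwise anyone holding the shared API key can name any
    // e-mail address and be authenticated as that account.
    $userInfo = JWT::decode($token);

    // Accept either an array or an object of claims from the decoder.
    $claims = (array) $userInfo;
    $email = $claims['email'] ?? NULL;
    if (!is_string($email) || $email === '') {
      throw new HttpException(400, 'Incorrect user');
    }

    // NOTE(review): Drupal core's lookup helper is user_load_by_mail();
    // confirm that user_load_mail() is defined in this project.
    $user = user_load_mail($email);
    if (!$user) {
      throw new HttpException(400, 'Incorrect user');
    }

    // Return the user object.
    return $user;
  }

}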