siteworxpro/Php-Template
Template
1
Fork 0
Code Pull Requests Actions Releases 9 Activity

fix: make Scope attribute repeatable and improve scope handling in middleware
All checks were successful
🧪✨ Tests Workflow / 🛡️ 🔒 License Check (push) Successful in 4m18s
Details
🧪✨ Tests Workflow / 🧪 ✨ Database Migrations (push) Successful in 4m36s
Details
🧪✨ Tests Workflow / 🛡️ 🔒 Library Audit (push) Successful in 4m33s
Details
🧪✨ Tests Workflow / 📝 ✨ Code Lint (push) Successful in 4m24s
Details
🧪✨ Tests Workflow / 🐙 🔍 Code Sniffer (push) Successful in 4m28s
Details
🧪✨ Tests Workflow / 🧪 ✅ Unit Tests (push) Successful in 3m5s
Details

Browse Source
This commit is contained in:
Ron Rise
2025-11-19 14:08:54 -05:00
parent 9b736eb879
commit 2f447305b9
2 changed files with 31 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/Attributes/Guards/Scope.php
View File

@@ -6,7 +6,7 @@ namespace Siteworxpro\App\Attributes\Guards;
use Attribute; use Attribute;
#[Attribute(Attribute::TARGET_CLASS | Attribute::TARGET_METHOD)] #[Attribute(Attribute::TARGET_CLASS | Attribute::TARGET_METHOD | Attribute::IS_REPEATABLE)]
readonly class Scope readonly class Scope
{ {
public function __construct( public function __construct(

51
src/Http/Middleware/ScopeMiddleware.php
View File

@@ -32,7 +32,7 @@ class ScopeMiddleware extends Middleware
* Expected user scopes are provided on the request under the attribute name \`scopes\` * Expected user scopes are provided on the request under the attribute name \`scopes\`
* as an array of strings. * as an array of strings.
* *
* @param ServerRequestInterface $request Incoming PSR-7 request (expects \`scopes\` attribute). * @param ServerRequestInterface $request Incoming PSR-7 request (expects \`scopes\` attribute).
* @param RequestHandlerInterface|Dispatcher $handler Next handler or League\Route dispatcher. * @param RequestHandlerInterface|Dispatcher $handler Next handler or League\Route dispatcher.
* *
* @return ResponseInterface A 403 JSON response when scopes are insufficient; otherwise the handler response. * @return ResponseInterface A 403 JSON response when scopes are insufficient; otherwise the handler response.
@@ -42,7 +42,7 @@ class ScopeMiddleware extends Middleware
*/ */
public function process( public function process(
ServerRequestInterface $request, ServerRequestInterface $request,
RequestHandlerInterface | Dispatcher $handler RequestHandlerInterface|Dispatcher $handler
): ResponseInterface { ): ResponseInterface {
// Attempt to resolve the route's callable [Controller instance, method name]. // Attempt to resolve the route's callable [Controller instance, method name].
$callable = $this->extractRouteCallable($handler); $callable = $this->extractRouteCallable($handler);
@@ -57,38 +57,47 @@ class ScopeMiddleware extends Middleware
// Ensure the controller exists and the method is defined before reflecting. // Ensure the controller exists and the method is defined before reflecting.
if (class_exists($class::class)) { if (class_exists($class::class)) {
$reflectionClass = new \ReflectionClass($class); $reflectionClass = new \ReflectionClass($class);
if ($reflectionClass->hasMethod($method)) { if ($reflectionClass->hasMethod($method)) {
$reflectionMethod = $reflectionClass->getMethod($method); $reflectionMethod = $reflectionClass->getMethod($method);
// Fetch all Scope attributes declared on the method. // Fetch all Scope attributes declared on the method.
$attributes = $reflectionMethod->getAttributes(Scope::class); $attributes = $reflectionMethod->getAttributes(Scope::class);
if (empty($attributes)) {
// No scope attributes; delegate to the next handler.
return $handler->handle($request);
}
$requiredScopes = [];
$userScopes = [];
foreach ($attributes as $attribute) { foreach ($attributes as $attribute) {
/** @var Scope $scopeInstance Concrete Scope attribute instance. */ /** @var Scope $scopeInstance Concrete Scope attribute instance. */
$scopeInstance = $attribute->newInstance(); $scopeInstance = $attribute->newInstance();
$requiredScopes = $scopeInstance->getScopes(); $requiredScopes = array_merge($requiredScopes, $scopeInstance->getScopes());
// Retrieve user scopes from the request (defaults to an empty array). $scopes = $request->getAttribute($scopeInstance->getClaim());
$userScopes = $request->getAttribute($scopeInstance->getClaim(), []); if (!is_array($scopes)) {
if (!is_array($userScopes)) {
// If user scopes are not an array, treat as no scopes provided. // If user scopes are not an array, treat as no scopes provided.
$userScopes = explode($scopeInstance->getSeparator(), (string) $userScopes); $scopes = explode($scopeInstance->getSeparator(), (string) $scopes);
} }
// Deny if any required scope is missing from the user's scopes. $userScopes = array_merge(
if ( $userScopes,
array_any( $scopes
$requiredScopes, );
fn($requiredScope) => !in_array($requiredScope, $userScopes, true) }
)
) { $userScopes = array_unique($userScopes);
return JsonResponseFactory::createJsonResponse([
'error' => 'insufficient_scope', // Deny if any required scope is missing from the user's scopes.
'error_description' => if (array_intersect($userScopes, $requiredScopes) === []) {
'The request requires higher privileges than provided by the access token.' return JsonResponseFactory::createJsonResponse([
], CodesEnum::FORBIDDEN); 'error' => 'insufficient_scope',
} 'error_description' =>
'The request requires higher privileges than provided by the access token.'
], CodesEnum::FORBIDDEN);
} }
} }
} }