You've already forked Php-Template
fix: make Scope attribute repeatable and improve scope handling in middleware (#21)
All checks were successful
🧪✨ Tests Workflow / 🛡️ 🔒 Library Audit (push) Successful in 2m55s
🧪✨ Tests Workflow / 🛡️ 🔒 License Check (push) Successful in 2m55s
🧪✨ Tests Workflow / 📝 ✨ Code Lint (push) Successful in 2m58s
🧪✨ Tests Workflow / 🐙 🔍 Code Sniffer (push) Successful in 3m1s
🧪✨ Tests Workflow / 🧪 ✅ Unit Tests (push) Successful in 2m40s
🧪✨ Tests Workflow / 🧪 ✨ Database Migrations (push) Successful in 3m0s
All checks were successful
🧪✨ Tests Workflow / 🛡️ 🔒 Library Audit (push) Successful in 2m55s
🧪✨ Tests Workflow / 🛡️ 🔒 License Check (push) Successful in 2m55s
🧪✨ Tests Workflow / 📝 ✨ Code Lint (push) Successful in 2m58s
🧪✨ Tests Workflow / 🐙 🔍 Code Sniffer (push) Successful in 3m1s
🧪✨ Tests Workflow / 🧪 ✅ Unit Tests (push) Successful in 2m40s
🧪✨ Tests Workflow / 🧪 ✨ Database Migrations (push) Successful in 3m0s
Reviewed-on: #21 Co-authored-by: Ron Rise <ron@siteworxpro.com> Co-committed-by: Ron Rise <ron@siteworxpro.com>
This commit was merged in pull request #21.
This commit is contained in:
Siteworx Pro Gitea
@@ -8,6 +8,7 @@ use League\Route\Dispatcher;
|
||||
use Psr\Http\Message\ResponseInterface;
|
||||
use Psr\Http\Message\ServerRequestInterface;
|
||||
use Psr\Http\Server\RequestHandlerInterface;
|
||||
use Siteworxpro\App\Attributes\Guards\RequireAllScopes;
|
||||
use Siteworxpro\App\Attributes\Guards\Scope;
|
||||
use Siteworxpro\App\Controllers\Controller;
|
||||
use Siteworxpro\App\Http\JsonResponseFactory;
|
||||
@@ -32,7 +33,7 @@ class ScopeMiddleware extends Middleware
|
||||
* Expected user scopes are provided on the request under the attribute name \`scopes\`
|
||||
* as an array of strings.
|
||||
*
|
||||
* @param ServerRequestInterface $request Incoming PSR-7 request (expects \`scopes\` attribute).
|
||||
* @param ServerRequestInterface $request Incoming PSR-7 request (expects \`scopes\` attribute).
|
||||
* @param RequestHandlerInterface|Dispatcher $handler Next handler or League\Route dispatcher.
|
||||
*
|
||||
* @return ResponseInterface A 403 JSON response when scopes are insufficient; otherwise the handler response.
|
||||
@@ -42,7 +43,7 @@ class ScopeMiddleware extends Middleware
|
||||
*/
|
||||
public function process(
|
||||
ServerRequestInterface $request,
|
||||
RequestHandlerInterface | Dispatcher $handler
|
||||
RequestHandlerInterface|Dispatcher $handler
|
||||
): ResponseInterface {
|
||||
// Attempt to resolve the route's callable [Controller instance, method name].
|
||||
$callable = $this->extractRouteCallable($handler);
|
||||
@@ -57,38 +58,55 @@ class ScopeMiddleware extends Middleware
|
||||
// Ensure the controller exists and the method is defined before reflecting.
|
||||
if (class_exists($class::class)) {
|
||||
$reflectionClass = new \ReflectionClass($class);
|
||||
|
||||
if ($reflectionClass->hasMethod($method)) {
|
||||
$reflectionMethod = $reflectionClass->getMethod($method);
|
||||
|
||||
// Fetch all Scope attributes declared on the method.
|
||||
$attributes = $reflectionMethod->getAttributes(Scope::class);
|
||||
$requireAllAttributes = $reflectionMethod->getAttributes(RequireAllScopes::class);
|
||||
|
||||
if (empty($attributes)) {
|
||||
// No scope attributes; delegate to the next handler.
|
||||
return $handler->handle($request);
|
||||
}
|
||||
|
||||
$requiredScopes = [];
|
||||
$userScopes = [];
|
||||
$requireAll = false;
|
||||
|
||||
foreach ($attributes as $attribute) {
|
||||
/** @var Scope $scopeInstance Concrete Scope attribute instance. */
|
||||
$scopeInstance = $attribute->newInstance();
|
||||
$requiredScopes = $scopeInstance->getScopes();
|
||||
$requiredScopes = array_merge($requiredScopes, $scopeInstance->getScopes());
|
||||
|
||||
// Retrieve user scopes from the request (defaults to an empty array).
|
||||
$userScopes = $request->getAttribute($scopeInstance->getClaim(), []);
|
||||
// If any attribute requires all scopes, set the flag.
|
||||
$requireAll = $requireAll || !empty($requireAllAttributes);
|
||||
|
||||
if (!is_array($userScopes)) {
|
||||
$scopes = $request->getAttribute($scopeInstance->getClaim());
|
||||
if (!is_array($scopes)) {
|
||||
// If user scopes are not an array, treat as no scopes provided.
|
||||
$userScopes = explode($scopeInstance->getSeparator(), (string) $userScopes);
|
||||
$scopes = explode($scopeInstance->getSeparator(), (string) $scopes);
|
||||
}
|
||||
|
||||
// Deny if any required scope is missing from the user's scopes.
|
||||
if (
|
||||
array_any(
|
||||
$requiredScopes,
|
||||
fn($requiredScope) => !in_array($requiredScope, $userScopes, true)
|
||||
)
|
||||
) {
|
||||
return JsonResponseFactory::createJsonResponse([
|
||||
'error' => 'insufficient_scope',
|
||||
'error_description' =>
|
||||
'The request requires higher privileges than provided by the access token.'
|
||||
], CodesEnum::FORBIDDEN);
|
||||
}
|
||||
$userScopes = array_merge(
|
||||
$userScopes,
|
||||
$scopes
|
||||
);
|
||||
}
|
||||
|
||||
$userScopes = array_unique($userScopes);
|
||||
|
||||
// Deny if any required scope is missing from the user's scopes.
|
||||
if (
|
||||
(!$requireAll && array_intersect($userScopes, $requiredScopes) === []) ||
|
||||
($requireAll && array_diff($requiredScopes, $userScopes) !== [])
|
||||
) {
|
||||
return JsonResponseFactory::createJsonResponse([
|
||||
'error' => 'insufficient_scope',
|
||||
'error_description' =>
|
||||
'The request requires higher privileges than provided by the access token.'
|
||||
], CodesEnum::FORBIDDEN);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user