From b3d28e943211922c61b80914bd3ade315cf9cbd6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Simon=20Sessing=C3=B8?= Date: Tue, 30 Mar 2021 18:49:37 +0200 Subject: [PATCH 1/7] =?UTF-8?q?[FEATURE]=20Added=20include=20=C3=A5propert?= =?UTF-8?q?y=20to=20BaseCsrfVerifier=20+=20unit=20tests.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../Http/Middleware/BaseCsrfVerifier.php | 34 ++++++++-- tests/Pecee/SimpleRouter/CsrfVerifierTest.php | 66 +++++++++++++++++++ .../Dummy/CsrfVerifier/DummyCsrfVerifier.php | 18 +++++ 3 files changed, 113 insertions(+), 5 deletions(-) create mode 100644 tests/Pecee/SimpleRouter/CsrfVerifierTest.php create mode 100644 tests/Pecee/SimpleRouter/Dummy/CsrfVerifier/DummyCsrfVerifier.php diff --git a/src/Pecee/Http/Middleware/BaseCsrfVerifier.php b/src/Pecee/Http/Middleware/BaseCsrfVerifier.php index 44540ca..f42c94e 100644 --- a/src/Pecee/Http/Middleware/BaseCsrfVerifier.php +++ b/src/Pecee/Http/Middleware/BaseCsrfVerifier.php @@ -12,7 +12,17 @@ class BaseCsrfVerifier implements IMiddleware public const POST_KEY = 'csrf_token'; public const HEADER_KEY = 'X-CSRF-TOKEN'; + /** + * Urls to ignore. You can use * to exclude all sub-urls on a given path. + * For example: /admin/* + * @var array|null + */ protected $except; + /** + * Urls to include. Can be used to include urls from a certain path. + * @var array|null + */ + protected $include; protected $tokenProvider; /** @@ -34,11 +44,7 @@ class BaseCsrfVerifier implements IMiddleware return false; } - $max = count($this->except) - 1; - - for ($i = $max; $i >= 0; $i--) { - $url = $this->except[$i]; - + foreach($this->except as $url) { $url = rtrim($url, '/'); if ($url[strlen($url) - 1] === '*') { $url = rtrim($url, '*'); @@ -48,6 +54,24 @@ class BaseCsrfVerifier implements IMiddleware } if ($skip === true) { + + if($this->include !== null && count($this->include) > 0) { + foreach($this->include as $includeUrl) { + $includeUrl = rtrim($includeUrl, '/'); + if ($includeUrl[strlen($includeUrl) - 1] === '*') { + $includeUrl = rtrim($includeUrl, '*'); + $skip = !$request->getUrl()->contains($includeUrl); + break; + } + + $skip = !($includeUrl === $request->getUrl()->getOriginalUrl()); + } + } + + if($skip === false) { + continue; + } + return true; } } diff --git a/tests/Pecee/SimpleRouter/CsrfVerifierTest.php b/tests/Pecee/SimpleRouter/CsrfVerifierTest.php new file mode 100644 index 0000000..4cf1398 --- /dev/null +++ b/tests/Pecee/SimpleRouter/CsrfVerifierTest.php @@ -0,0 +1,66 @@ +getToken(); + + $router = TestRouter::router(); + $router->getRequest()->setMethod(\Pecee\Http\Request::REQUEST_TYPE_POST); + $router->getRequest()->setUrl(new \Pecee\Http\Url('/page')); + $csrf = new DummyCsrfVerifier(); + $csrf->setTokenProvider($tokenProvider); + + $csrf->handle($router->getRequest()); + + // If handle doesn't throw exception, the test has passed + $this->assertTrue(true); + } + + public function testTokenFail() + { + $this->expectException(\Pecee\Http\Middleware\Exceptions\TokenMismatchException::class); + + global $_POST; + global $_SERVER; + + $tokenProvider = new SilentTokenProvider(); + + $router = TestRouter::router(); + $router->getRequest()->setMethod(\Pecee\Http\Request::REQUEST_TYPE_POST); + $router->getRequest()->setUrl(new \Pecee\Http\Url('/page')); + $csrf = new DummyCsrfVerifier(); + $csrf->setTokenProvider($tokenProvider); + + $csrf->handle($router->getRequest()); + } + + public function testExcludeInclude() + { + $router = TestRouter::router(); + $csrf = new DummyCsrfVerifier(); + $request = $router->getRequest(); + + $request->setUrl(new \Pecee\Http\Url('/exclude-page')); + $this->assertTrue($csrf->testSkip($router->getRequest())); + + $request->setUrl(new \Pecee\Http\Url('/exclude-all/page')); + $this->assertTrue($csrf->testSkip($router->getRequest())); + + $request->setUrl(new \Pecee\Http\Url('/exclude-all/include-page')); + $this->assertFalse($csrf->testSkip($router->getRequest())); + + $request->setUrl(new \Pecee\Http\Url('/include-page')); + $this->assertFalse($csrf->testSkip($router->getRequest())); + } + +} \ No newline at end of file diff --git a/tests/Pecee/SimpleRouter/Dummy/CsrfVerifier/DummyCsrfVerifier.php b/tests/Pecee/SimpleRouter/Dummy/CsrfVerifier/DummyCsrfVerifier.php new file mode 100644 index 0000000..a695452 --- /dev/null +++ b/tests/Pecee/SimpleRouter/Dummy/CsrfVerifier/DummyCsrfVerifier.php @@ -0,0 +1,18 @@ +skip($request); + } + +} \ No newline at end of file From a98b5ba84226afc14e0b25edabfbb68cee880d51 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Simon=20Sessing=C3=B8?= Date: Tue, 30 Mar 2021 18:54:45 +0200 Subject: [PATCH 2/7] Fixed unit-tests for CsrfVerifierTest --- tests/Pecee/SimpleRouter/CsrfVerifierTest.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/Pecee/SimpleRouter/CsrfVerifierTest.php b/tests/Pecee/SimpleRouter/CsrfVerifierTest.php index 4cf1398..4d05b16 100644 --- a/tests/Pecee/SimpleRouter/CsrfVerifierTest.php +++ b/tests/Pecee/SimpleRouter/CsrfVerifierTest.php @@ -8,12 +8,13 @@ class CsrfVerifierTest extends \PHPUnit\Framework\TestCase public function testTokenPass() { global $_POST; - global $_SERVER; $tokenProvider = new SilentTokenProvider(); $_POST[DummyCsrfVerifier::POST_KEY] = $tokenProvider->getToken(); + TestRouter::router()->reset(); + $router = TestRouter::router(); $router->getRequest()->setMethod(\Pecee\Http\Request::REQUEST_TYPE_POST); $router->getRequest()->setUrl(new \Pecee\Http\Url('/page')); @@ -31,7 +32,6 @@ class CsrfVerifierTest extends \PHPUnit\Framework\TestCase $this->expectException(\Pecee\Http\Middleware\Exceptions\TokenMismatchException::class); global $_POST; - global $_SERVER; $tokenProvider = new SilentTokenProvider(); From 40f9b7296315b6ad2e34db5fb1f5176c563fc3c7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Simon=20Sessing=C3=B8?= Date: Tue, 30 Mar 2021 20:52:39 +0200 Subject: [PATCH 3/7] Updated documentation --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 4ef8f16..629898d 100644 --- a/README.md +++ b/README.md @@ -466,7 +466,8 @@ SimpleRouter::get('/posts/{post}/comments/{comment}', function ($postId, $commen }); ``` -**Note:** Route parameters are always encased within {} braces and should consist of alphabetic characters. Route parameters may not contain a - character. Use an underscore (_) instead. +**Note:** Route parameters are always encased within `{` `}` braces and should consist of alphabetic characters. Route parameters can only contain certain characters like `A-Z`, `a-z`, `0-9`, `-` and `_`. +If your route contain other characters, please see [Custom regex for matching parameters](#custom-regex-for-matching-parameters). ### Optional parameters From f91f280975773ea7ad975ec9e9907746f73e7c9a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Simon=20Sessing=C3=B8?= Date: Tue, 30 Mar 2021 21:13:06 +0200 Subject: [PATCH 4/7] Added https scheme to Request::setUri (used when calling getAbsoluteUrl). --- src/Pecee/Http/Request.php | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/Pecee/Http/Request.php b/src/Pecee/Http/Request.php index 84f6d04..4a82c1b 100644 --- a/src/Pecee/Http/Request.php +++ b/src/Pecee/Http/Request.php @@ -391,6 +391,10 @@ class Request if ($this->url->getHost() === null) { $this->url->setHost((string)$this->getHost()); } + + if($this->isSecure() === true) { + $this->url->setScheme('https'); + } } /** From 0e393fdc5f922cdffcd7ceeeddf1a94f9c7d9fba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Simon=20Sessing=C3=B8?= Date: Wed, 31 Mar 2021 02:31:56 +0200 Subject: [PATCH 5/7] Minor changes - Added better description of partialGroups in the documentation. - Added custom base path example in documentation. - Added isSubRoute event parameter for EVENT_ADD_ROUTE. - Removed deprecation phpDoc from partialGroup. - Added unit-test for adding custom base path. --- README.md | 66 ++++++++++++++++++- .../SimpleRouter/Route/RoutePartialGroup.php | 4 -- src/Pecee/SimpleRouter/Router.php | 2 +- tests/Pecee/SimpleRouter/EventHandlerTest.php | 48 ++++++++++++++ 4 files changed, 114 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 629898d..3a753bb 100644 --- a/README.md +++ b/README.md @@ -82,6 +82,7 @@ You can donate any amount of your choice by [clicking here](https://www.paypal.c - [Custom EventHandlers](#custom-eventhandlers) - [Advanced](#advanced) - [Disable multiple route rendering](#disable-multiple-route-rendering) + - [Setting custom base path](#setting-custom-base-path) - [Url rewriting](#url-rewriting) - [Changing current route](#changing-current-route) - [Bootmanager: loading routes dynamically](#bootmanager-loading-routes-dynamically) @@ -682,6 +683,27 @@ SimpleRouter::group(['prefix' => '/lang/{language}'], function ($language) { }); ``` +## Partial groups + +Partial router groups has the same benefits as a normal group, but **are only rendered once the url has matched** +in contrast to a normal group which are always rendered in order to retrieve it's child routes. +Partial groups are therefore more like a hybrid of a traditional route with the benefits of a group. + +This can be extremely useful in situations where you only want special routes to be added, but only when a certain criteria or logic has been met. + +**NOTE:** Use partial groups with caution as routes added within are only rendered and available once the url of the partial-group has matched. +This can cause `url()` not to find urls for the routes added within before the partial-group has been matched and is rendered. + +**Example:** + +```php +SimpleRouter::partialGroup('/plugin/{name}', function ($plugin) { + + // Add routes from plugin + +}); +``` + ## Form Method Spoofing HTML forms do not support `PUT`, `PATCH` or `DELETE` actions. So, when defining `PUT`, `PATCH` or `DELETE` routes that are called from an HTML form, you will need to add a hidden `_method` field to the form. The value sent with the `_method` field will be used as the HTTP request method: @@ -1243,7 +1265,7 @@ All event callbacks will retrieve a `EventArgument` object as parameter. This ob | `EVENT_ALL` | - | Fires when a event is triggered. | | `EVENT_INIT` | - | Fires when router is initializing and before routes are loaded. | | `EVENT_LOAD` | `loadedRoutes` | Fires when all routes has been loaded and rendered, just before the output is returned. | -| `EVENT_ADD_ROUTE` | `route` | Fires when route is added to the router. | +| `EVENT_ADD_ROUTE` | `route`
`isSubRoute` | Fires when route is added to the router. `isSubRoute` is true when sub-route is rendered. | | `EVENT_REWRITE` | `rewriteUrl`
`rewriteRoute` | Fires when a url-rewrite is and just before the routes are re-initialized. | | `EVENT_BOOT` | `bootmanagers` | Fires when the router is booting. This happens just before boot-managers are rendered and before any routes has been loaded. | | `EVENT_RENDER_BOOTMANAGER` | `bootmanagers`
`bootmanager` | Fires before a boot-manager is rendered. | @@ -1371,6 +1393,48 @@ By default the router will try to execute all routes that matches a given url. T This behavior can be easily disabled by setting `SimpleRouter::enableMultiRouteRendering(false)` in your `routes.php` file. This is the same behavior as version 3 and below. +## Setting custom base path + +Sometimes it can be useful to add a custom base path to all of the routes added. + +This can easily be done by taking advantage of the [Event Handlers](#events) support of the project. + +```php +$basePath = '/basepath/'; + +$eventHandler = new EventHandler(); +$eventHandler->register(EventHandler::EVENT_ADD_ROUTE, function(EventArgument $event) use($basePath) { + + // Make sure url is alway correct + $basePath = rtrim($basePath, '/'); + $route = $event->route; + + // Skip routes added by group as these will inherit the url + if(!$event->isSubRoute) { + return; + } + + switch (true) { + case $route instanceof ILoadableRoute: + $route->setUrl($basePath . $route->getUrl()); + break; + case $route instanceof IGroupRoute: + $route->setPrefix($basePath . $route->getPrefix()); + break; + + } + +}); + +$results = []; + +TestRouter::addEventHandler($eventHandler); +``` + +In the example shown above, we create a new `EVENT_ADD_ROUTE` event that triggers, when a new route is added. +We skip all subroutes as these will inherit the url from their parent. Then if the route is a group we change the prefix, +otherwise we change the url. + ## Url rewriting ### Changing current route diff --git a/src/Pecee/SimpleRouter/Route/RoutePartialGroup.php b/src/Pecee/SimpleRouter/Route/RoutePartialGroup.php index 901bd45..b59abaa 100644 --- a/src/Pecee/SimpleRouter/Route/RoutePartialGroup.php +++ b/src/Pecee/SimpleRouter/Route/RoutePartialGroup.php @@ -1,8 +1,4 @@ fireEvents(EventHandler::EVENT_ADD_ROUTE, [ 'route' => $route, + 'isSubRoute' => $this->isProcessingRoute, ]); /* @@ -184,7 +185,6 @@ class Router */ protected function renderAndProcess(IRoute $route): void { - $this->isProcessingRoute = true; $route->renderRoute($this->request, $this); $this->isProcessingRoute = false; diff --git a/tests/Pecee/SimpleRouter/EventHandlerTest.php b/tests/Pecee/SimpleRouter/EventHandlerTest.php index faaa5d9..4d73cc0 100644 --- a/tests/Pecee/SimpleRouter/EventHandlerTest.php +++ b/tests/Pecee/SimpleRouter/EventHandlerTest.php @@ -103,4 +103,52 @@ class EventHandlerTest extends \PHPUnit\Framework\TestCase } + public function testCustomBasePath() { + + $basePath = '/basepath/'; + + $eventHandler = new EventHandler(); + $eventHandler->register(EventHandler::EVENT_ADD_ROUTE, function(EventArgument $data) use($basePath) { + + // Add basepath + $basePath = rtrim($basePath, '/'); + + // Skip routes added by group + if($data->isSubRoute === false) { + + switch (true) { + case $data->route instanceof \Pecee\SimpleRouter\Route\ILoadableRoute: + $data->route->setUrl($basePath . $data->route->getUrl()); + break; + case $data->route instanceof \Pecee\SimpleRouter\Route\IGroupRoute: + $data->route->setPrefix($basePath . $data->route->getPrefix()); + break; + + } + } + + }); + + $results = []; + + TestRouter::addEventHandler($eventHandler); + + TestRouter::get('/about', function() use(&$results) { + $results[] = 'about'; + }); + + TestRouter::group(['prefix' => '/admin'], function() use(&$results) { + TestRouter::get('/', function() use(&$results) { + $results[] = 'admin'; + }); + }); + + TestRouter::router()->setRenderMultipleRoutes(false); + TestRouter::debugNoReset('/basepath/about'); + TestRouter::debugNoReset('/basepath/admin'); + + $this->assertEquals(['about', 'admin'], $results); + + } + } \ No newline at end of file From 3b8e92b4064e728943a3971c89d0603fe99a4e76 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Simon=20Sessing=C3=B8?= Date: Wed, 31 Mar 2021 02:36:11 +0200 Subject: [PATCH 6/7] Updated documentation table of contents --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 3a753bb..a0f6169 100644 --- a/README.md +++ b/README.md @@ -48,6 +48,7 @@ You can donate any amount of your choice by [clicking here](https://www.paypal.c - [Namespaces](#namespaces) - [Subdomain-routing](#subdomain-routing) - [Route prefixes](#route-prefixes) + - [Partial groups](#parial-groups) - [Form Method Spoofing](#form-method-spoofing) - [Accessing The Current Route](#accessing-the-current-route) - [Other examples](#other-examples) From 7adb4e859717b38a1952a9d917430b772f12b5ba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Simon=20Sessing=C3=B8?= Date: Wed, 31 Mar 2021 02:40:24 +0200 Subject: [PATCH 7/7] Fixed wrong link for partial-groups --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a0f6169..293b84f 100644 --- a/README.md +++ b/README.md @@ -48,7 +48,7 @@ You can donate any amount of your choice by [clicking here](https://www.paypal.c - [Namespaces](#namespaces) - [Subdomain-routing](#subdomain-routing) - [Route prefixes](#route-prefixes) - - [Partial groups](#parial-groups) + - [Partial groups](#partial-groups) - [Form Method Spoofing](#form-method-spoofing) - [Accessing The Current Route](#accessing-the-current-route) - [Other examples](#other-examples)