Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[HttpKernel] Add temporary URI signed #51502

Merged
merged 1 commit into from Mar 17, 2024
Merged

[HttpKernel] Add temporary URI signed #51502

merged 1 commit into from Mar 17, 2024
+221 −11

Conversation

BaptisteContreras
Copy link
Contributor

@BaptisteContreras BaptisteContreras commented Aug 27, 2023
edited

Q A
Branch? 7.1
Bug fix? no
New feature? yes
Deprecations? no
Tickets Fix #51501
License MIT
Doc PR TODO

This feature add the possibilty to create a temporary URI signed as mentionned in #51501.

Few things about this implementation :

  • I added an optional parameter to the constructor of the UriSigner. I'm not sure if it can be considered as a BC ?
  • The query parameter for expiration (by default "_expiration") is considered as a reserved parameter for the signer and if you try to sign an URI with this parameter, the method will throw
    a LogicalException. In fact, the check method will test the presence of the expiration query parameter to determine if it must (or not) verify the expiration.
    A problem can arise in this case : Lets say you want to sign this URI : "/demo?_expiration=foo" and you don't want a temporary URL. The URI is signed without problem but when you try to call check, the method will notice the
    presence of "_expiration" and try to determine if it has expired, considering the value "foo" as a timestamp.

@carsonbot carsonbot added this to the 6.4 milestone Aug 27, 2023
@BaptisteContreras BaptisteContreras force-pushed the add-expiration-in-uri-signer branch 4 times, most recently from 95835c6 to 9f88d63 Compare August 27, 2023 15:59
@BaptisteContreras
Copy link
Contributor Author

PR updated :)

@OskarStark
Copy link
Contributor

Can you please rebase? Thanks

@OskarStark OskarStark requested review from stof and removed request for stof October 10, 2023 14:01
@BaptisteContreras BaptisteContreras changed the title [HttpKernel] Add temporary URI signed [HttpFoundation] Add temporary URI signed Oct 30, 2023
@BaptisteContreras BaptisteContreras force-pushed the add-expiration-in-uri-signer branch 2 times, most recently from 910ee02 to 4614ba2 Compare October 30, 2023 14:23
@nicolas-grekas nicolas-grekas modified the milestones: 6.4, 7.1 Nov 15, 2023
nicolas-grekas
nicolas-grekas reviewed Nov 20, 2023
View reviewed changes
Copy link
Member

@nicolas-grekas nicolas-grekas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM with some comments thanks

src/Symfony/Component/HttpFoundation/CHANGELOG.md Outdated Show resolved Hide resolved
src/Symfony/Component/HttpFoundation/UriSigner.php Outdated Show resolved Hide resolved
src/Symfony/Component/HttpFoundation/UriSigner.php Outdated Show resolved Hide resolved
src/Symfony/Component/HttpFoundation/UriSigner.php Outdated Show resolved Hide resolved
norkunas
norkunas reviewed Nov 21, 2023
View reviewed changes
src/Symfony/Component/HttpFoundation/UriSigner.php Outdated

private function isExpired(int $expiration): bool
{
return time() >= $expiration;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe using Clock component optionally would be better with fallback, to allow using mock clock in tests for devs?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It will create a dependency between HttpFoundation and the Clock component. How would you do it ?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Require-dev? :)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mmmh I see, and in the check method I should get the current time like that ?

if (class_exists(\Symfony\Component\Clock\Clock::class)) {
            $time =  \Symfony\Component\Clock\Clock::get()->now()->format('U');
        } else {
            $time = time();
        }

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably. Or via DI, not sure what maintainers would prefer

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wouldn't use the Clock component in this PR. Let's use time() for now and discuss for Clock applied to HttpFoundation separately

@BaptisteContreras
Copy link
Contributor Author

@nicolas-grekas if this PR is OK for you, can we have this in 7.1 ?

fabpot
fabpot requested changes Feb 25, 2024
View reviewed changes
src/Symfony/Component/HttpFoundation/UriSigner.php Outdated Show resolved Hide resolved
src/Symfony/Component/HttpFoundation/UriSigner.php Outdated Show resolved Hide resolved
src/Symfony/Component/HttpKernel/UriSigner.php Outdated Show resolved Hide resolved
@carsonbot carsonbot changed the title [HttpFoundation] Add temporary URI signed [HttpKernel] Add temporary URI signed Feb 25, 2024
@fabpot
Copy link
Member

fabpot commented Mar 17, 2024

@BaptisteContreras Are you still interested in finishing this PR?

@BaptisteContreras
Copy link
Contributor Author

@fabpot , yes ! I'm on it :)

@fabpot
Copy link
Member

fabpot commented Mar 17, 2024

Thank you @BaptisteContreras.

@fabpot fabpot merged commit c490ef4 into symfony:7.1 Mar 17, 2024
6 of 10 checks passed
@fabpot fabpot mentioned this pull request Mar 17, 2024
Closed
nicolas-grekas
nicolas-grekas reviewed Mar 25, 2024
View reviewed changes
src/Symfony/Component/HttpFoundation/UriSigner.php
*/
public function sign(string $uri): string
public function sign(string $uri, \DateTimeInterface|\DateInterval|int|null $expiration = null): string
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I missed that this is a BC break. Instead, we should comment the argument on the signature and read it with func_get_arg (see on 6.4 for similar new arguments).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it a BC even if the default value does not change the old behavior of the method ?
Do you want another PR linked to a new issue to fix this ?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's a BC break for classes that extend this class. Yes, it'd be great to fix it, PR welcome :)

@xabbuh xabbuh mentioned this pull request Apr 9, 2024
Merged
fabpot added a commit that referenced this pull request Apr 9, 2024
@fabpot
bug #54528 [HttpFoundation] defer addition of new method argument to …
6cd69fd 
…8.0 (xabbuh)

This PR was merged into the 7.1 branch.

Discussion
----------

[HttpFoundation] defer addition of new method argument to 8.0

| Q             | A
| ------------- | ---
| Branch?       | 7.1
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Issues        | Fix #51502 (comment)
| License       | MIT

Commits
-------

8fadaca defer addition of new method argument to 8.0
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nicolas-grekas nicolas-grekas nicolas-grekas left review comments

@fabpot fabpot fabpot approved these changes

@stof stof Awaiting requested review from stof

@OskarStark OskarStark Awaiting requested review from OskarStark

@norkunas norkunas Awaiting requested review from norkunas

Assignees
No one assigned
Labels
Feature HttpKernel Status: Reviewed
Projects
None yet
Milestone
7.1
Development

Successfully merging this pull request may close these issues.

[HttpFoundation] Temporary URI signed
7 participants
@BaptisteContreras @OskarStark @fabpot @nicolas-grekas @stof @norkunas @carsonbot