[HttpKernel] Add temporary URI signed #51502
Conversation
95835c6 to
9f88d63
Compare
9f88d63 to
1084142
Compare
|
PR updated :) |
|
Can you please rebase? Thanks |
1084142 to
76e4625
Compare
910ee02 to
4614ba2
Compare
|
|
||
| private function isExpired(int $expiration): bool | ||
| { | ||
| return time() >= $expiration; |
There was a problem hiding this comment.
Maybe using Clock component optionally would be better with fallback, to allow using mock clock in tests for devs?
There was a problem hiding this comment.
It will create a dependency between HttpFoundation and the Clock component. How would you do it ?
There was a problem hiding this comment.
Mmmh I see, and in the check method I should get the current time like that ?
if (class_exists(\Symfony\Component\Clock\Clock::class)) {
$time = \Symfony\Component\Clock\Clock::get()->now()->format('U');
} else {
$time = time();
}There was a problem hiding this comment.
Probably. Or via DI, not sure what maintainers would prefer
There was a problem hiding this comment.
I wouldn't use the Clock component in this PR. Let's use time() for now and discuss for Clock applied to HttpFoundation separately
fb3fb80 to
b2bec43
Compare
b2bec43 to
391443c
Compare
|
@nicolas-grekas if this PR is OK for you, can we have this in 7.1 ? |
|
@BaptisteContreras Are you still interested in finishing this PR? |
|
@fabpot , yes ! I'm on it :) |
391443c to
c1156a2
Compare
c1156a2 to
59ca1eb
Compare
59ca1eb to
f0c2cfb
Compare
src/Symfony/Component/HttpFoundation/Exception/ExceptionInterface.php.orig
Outdated
Show resolved
Hide resolved
src/Symfony/Component/HttpFoundation/Exception/ExceptionInterface.php.rej
Outdated
Show resolved
Hide resolved
src/Symfony/Component/HttpFoundation/Exception/LogicException.php.orig
Outdated
Show resolved
Hide resolved
src/Symfony/Component/HttpFoundation/Exception/LogicException.php.rej
Outdated
Show resolved
Hide resolved
|
Thank you @BaptisteContreras. |
| */ | ||
| public function sign(string $uri): string | ||
| public function sign(string $uri, \DateTimeInterface|\DateInterval|int|null $expiration = null): string |
There was a problem hiding this comment.
I missed that this is a BC break. Instead, we should comment the argument on the signature and read it with func_get_arg (see on 6.4 for similar new arguments).
There was a problem hiding this comment.
Is it a BC even if the default value does not change the old behavior of the method ?
Do you want another PR linked to a new issue to fix this ?
There was a problem hiding this comment.
It's a BC break for classes that extend this class. Yes, it'd be great to fix it, PR welcome :)
…8.0 (xabbuh) This PR was merged into the 7.1 branch. Discussion ---------- [HttpFoundation] defer addition of new method argument to 8.0 | Q | A | ------------- | --- | Branch? | 7.1 | Bug fix? | yes | New feature? | no | Deprecations? | no | Issues | Fix #51502 (comment) | License | MIT Commits ------- 8fadaca defer addition of new method argument to 8.0
This feature add the possibilty to create a temporary URI signed as mentionned in #51501.
Few things about this implementation :
UriSigner. I'm not sure if it can be considered as a BC ?a LogicalException. In fact, the
checkmethod will test the presence of the expiration query parameter to determine if it must (or not) verify the expiration.A problem can arise in this case : Lets say you want to sign this URI : "/demo?_expiration=foo" and you don't want a temporary URL. The URI is signed without problem but when you try to call
check, the method will notice thepresence of "_expiration" and try to determine if it has expired, considering the value "foo" as a timestamp.