Merge branch 'master' of github.com:mevdschee/php-crud-api

Author: mevdschee

README.md

@@ -80,9 +80,21 @@ These are all the configuration options and their default value between brackets
 - "cacheType": `TempFile`, `Redis`, `Memcache`, `Memcached` or `NoCache` (`TempFile`)
 - "cachePath": Path/address of the cache (defaults to system's temp directory)
 - "cacheTime": Number of seconds the cache is valid (`10`)
-- "debug": Show errors in the "X-Debug-Info" header (`false`)
+- "debug": Show errors in the "X-Exception" headers (`false`)
 - "basePath": URI base path of the API (determined using PATH_INFO by default)
 
+All configuration options are also available as environment variables. Write the config option with capitals, a "PHP_CRUD_API_" prefix and underscores for word breakes, so for instance:
+
+- PHP_CRUD_API_DRIVER=mysql
+- PHP_CRUD_API_ADDRESS=localhost
+- PHP_CRUD_API_PORT=3306
+- PHP_CRUD_API_DATABASE=php-crud-api
+- PHP_CRUD_API_USERNAME=php-crud-api
+- PHP_CRUD_API_PASSWORD=php-crud-api
+- PHP_CRUD_API_DEBUG=1
+
+The environment variables take precedence over the PHP configuration.
+
 ## Limitations
 
 These limitation and constrains apply:
@@ -614,10 +626,10 @@ You can tune the middleware behavior using middleware specific configuration par
 - "firewall.reverseProxy": Set to "true" when a reverse proxy is used ("")
 - "firewall.allowedIpAddresses": List of IP addresses that are allowed to connect ("")
 - "cors.allowedOrigins": The origins allowed in the CORS headers ("*")
-- "cors.allowHeaders": The headers allowed in the CORS request ("Content-Type, X-XSRF-TOKEN, X-Authorization, X-Debug-Info, X-Exception-Name, X-Exception-Message, X-Exception-File")
+- "cors.allowHeaders": The headers allowed in the CORS request ("Content-Type, X-XSRF-TOKEN, X-Authorization")
 - "cors.allowMethods": The methods allowed in the CORS request ("OPTIONS, GET, PUT, POST, DELETE, PATCH")
 - "cors.allowCredentials": To allow credentials in the CORS request ("true")
-- "cors.exposeHeaders": Whitelist headers that browsers are allowed to access ("X-Debug-Info, X-Exception-Name, X-Exception-Message, X-Exception-File")
+- "cors.exposeHeaders": Whitelist headers that browsers are allowed to access ("")
 - "cors.maxAge": The time that the CORS grant is valid in seconds ("1728000")
 - "xsrf.excludeMethods": The methods that do not require XSRF protection ("OPTIONS,GET")
 - "xsrf.cookieName": The name of the XSRF protection cookie ("XSRF-TOKEN")
@@ -653,6 +665,7 @@ You can tune the middleware behavior using middleware specific configuration par
 - "reconnect.passwordHandler": Handler to implement retrieval of the database password ("")
 - "authorization.tableHandler": Handler to implement table authorization rules ("")
 - "authorization.columnHandler": Handler to implement column authorization rules ("")
+- "authorization.pathHandler": Handler to implement path authorization rules ("")
 - "authorization.recordHandler": Handler to implement record authorization filter rules ("")
 - "validation.handler": Handler to implement validation rules for input values ("")
 - "validation.types": Types to enable type validation for, empty means 'none' ("all")
@@ -840,7 +853,7 @@ Add the "columns" controller in the configuration to enable this functionality.
 
 ### Authorizing tables, columns and records
 
-By default all tables and columns are accessible. If you want to restrict access to some tables you may add the 'authorization' middleware 
+By default all tables, columns and paths are accessible. If you want to restrict access to some tables you may add the 'authorization' middleware 
 and define a 'authorization.tableHandler' function that returns 'false' for these tables.
 
     'authorization.tableHandler' => function ($operation, $tableName) {
@@ -862,6 +875,12 @@ The above example will restrict access to the 'password' field of the 'users' ta
 The above example will disallow access to user records where the username is 'admin'. 
 This construct adds a filter to every executed query. 
 
+    'authorization.pathHandler' => function ($path) {
+        return $path === 'openapi' ? false : true;
+    },
+
+The above example will disabled the `/openapi` route.
+
 NB: You need to handle the creation of invalid records with a validation (or sanitation) handler.
 
 ### SQL GRANT authorization

api.php

@@ -7056,6 +7056,7 @@ public function route(ServerRequestInterface $request): ResponseInterface
                 $data = gzcompress(json_encode($this->routes, JSON_UNESCAPED_UNICODE));
                 $this->cache->set('PathTree', $data, $this->ttl);
             }
+
             return $this->handle($request);
         }
 
@@ -7164,6 +7165,7 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
     use Tqdev\PhpCrudApi\Middleware\Base\Middleware;
     use Tqdev\PhpCrudApi\Middleware\Communication\VariableStore;
     use Tqdev\PhpCrudApi\Middleware\Router\Router;
+    use Tqdev\PhpCrudApi\Record\ErrorCode;
     use Tqdev\PhpCrudApi\Record\FilterInfo;
     use Tqdev\PhpCrudApi\RequestUtils;
 
@@ -7225,9 +7227,20 @@ private function handleRecords(string $operation, string $tableName) /*: void*/
             }
         }
 
+        private function pathHandler(string $path) /*: bool*/
+        {
+            $pathHandler = $this->getProperty('pathHandler', '');
+            return $pathHandler ? call_user_func($pathHandler, $path) : true;
+        }
+
         public function process(ServerRequestInterface $request, RequestHandlerInterface $next): ResponseInterface
         {
             $path = RequestUtils::getPathSegment($request, 1);
+
+            if (!$this->pathHandler($path)) {
+                return $this->responder->error(ErrorCode::ROUTE_NOT_FOUND, $request->getUri()->getPath());
+            }
+
             $operation = RequestUtils::getOperation($request);
             $tableNames = RequestUtils::getTableNames($request, $this->reflection);
             foreach ($tableNames as $tableName) {
@@ -7370,12 +7383,23 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
     use Psr\Http\Message\ResponseInterface;
     use Psr\Http\Message\ServerRequestInterface;
     use Psr\Http\Server\RequestHandlerInterface;
+    use Tqdev\PhpCrudApi\Controller\Responder;
     use Tqdev\PhpCrudApi\Middleware\Base\Middleware;
+    use Tqdev\PhpCrudApi\Middleware\Router\Router;
     use Tqdev\PhpCrudApi\Record\ErrorCode;
     use Tqdev\PhpCrudApi\ResponseFactory;
+    use Tqdev\PhpCrudApi\ResponseUtils;
 
     class CorsMiddleware extends Middleware
     {
+        private $debug;
+
+        public function __construct(Router $router, Responder $responder, array $properties, bool $debug)
+        {
+            parent::__construct($router, $responder, $properties);
+            $this->debug = $debug;
+        }
+
         private function isOriginAllowed(string $origin, string $allowedOrigins): bool
         {
             $found = false;
@@ -7399,7 +7423,10 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
                 $response = $this->responder->error(ErrorCode::ORIGIN_FORBIDDEN, $origin);
             } elseif ($method == 'OPTIONS') {
                 $response = ResponseFactory::fromStatus(ResponseFactory::OK);
-                $allowHeaders = $this->getProperty('allowHeaders', 'Content-Type, X-XSRF-TOKEN, X-Authorization, X-Debug-Info, X-Exception-Name, X-Exception-Message, X-Exception-File');
+                $allowHeaders = $this->getProperty('allowHeaders', 'Content-Type, X-XSRF-TOKEN, X-Authorization');
+                if ($this->debug) {
+                    $allowHeaders = implode(', ', array_filter([$allowHeaders, 'X-Exception-Name, X-Exception-Message, X-Exception-File']));
+                }
                 if ($allowHeaders) {
                     $response = $response->withHeader('Access-Control-Allow-Headers', $allowHeaders);
                 }
@@ -7415,12 +7442,23 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
                 if ($maxAge) {
                     $response = $response->withHeader('Access-Control-Max-Age', $maxAge);
                 }
-                $exposeHeaders = $this->getProperty('exposeHeaders', 'X-Debug-Info, X-Exception-Name, X-Exception-Message, X-Exception-File');
+                $exposeHeaders = $this->getProperty('exposeHeaders', '');
+                if ($this->debug) {
+                    $exposeHeaders = implode(', ', array_filter([$exposeHeaders, 'X-Exception-Name, X-Exception-Message, X-Exception-File']));
+                }
                 if ($exposeHeaders) {
                     $response = $response->withHeader('Access-Control-Expose-Headers', $exposeHeaders);
                 }
             } else {
-                $response = $next->handle($request);
+                $response = null;
+                try {
+                    $response = $next->handle($request);
+                } catch (\Throwable $e) {
+                    $response = $this->responder->error(ErrorCode::ERROR_NOT_FOUND, $e->getMessage());
+                    if ($this->debug) {
+                        $response = ResponseUtils::addExceptionHeaders($response, $e);
+                    }
+                }
             }
             if ($origin) {
                 $allowCredentials = $this->getProperty('allowCredentials', 'true');
@@ -9937,27 +9975,19 @@ public function getStatus(): int
 
     class FilterInfo
     {
-        private function addConditionFromFilterPath(PathTree $conditions, array $path, ReflectedTable $table, array $params)
-        {
-            $key = 'filter' . implode('', $path);
-            if (isset($params[$key])) {
-                foreach ($params[$key] as $filter) {
-                    $condition = Condition::fromString($table, $filter);
-                    if (($condition instanceof NoCondition) == false) {
-                        $conditions->put($path, $condition);
-                    }
-                }
-            }
-        }
-
         private function getConditionsAsPathTree(ReflectedTable $table, array $params): PathTree
         {
             $conditions = new PathTree();
-            $this->addConditionFromFilterPath($conditions, [], $table, $params);
-            for ($n = ord('0'); $n <= ord('9'); $n++) {
-                $this->addConditionFromFilterPath($conditions, [chr($n)], $table, $params);
-                for ($l = ord('a'); $l <= ord('f'); $l++) {
-                    $this->addConditionFromFilterPath($conditions, [chr($n), chr($l)], $table, $params);
+            foreach ($params as $key => $filters) {
+                if (substr($key, 0, 6) == 'filter') {
+                    preg_match_all('/\d+|\D+/', substr($key, 6), $matches);
+                    $path = $matches[0];
+                    foreach ($filters as $filter) {
+                        $condition = Condition::fromString($table, $filter);
+                        if (($condition instanceof NoCondition) == false) {
+                            $conditions->put($path, $condition);
+                        }
+                    }
                 }
             }
             return $conditions;
@@ -10686,7 +10716,7 @@ public function __construct(Config $config)
                         new SslRedirectMiddleware($router, $responder, $properties);
                         break;
                     case 'cors':
-                        new CorsMiddleware($router, $responder, $properties);
+                        new CorsMiddleware($router, $responder, $properties, $config->getDebug());
                         break;
                     case 'firewall':
                         new FirewallMiddleware($router, $responder, $properties);
@@ -10829,16 +10859,7 @@ private function applyParsedBodyHack(ServerRequestInterface $request): ServerReq
 
         public function handle(ServerRequestInterface $request): ResponseInterface
         {
-            $response = null;
-            try {
-                $response = $this->router->route($this->addParsedBody($request));
-            } catch (\Throwable $e) {
-                $response = $this->responder->error(ErrorCode::ERROR_NOT_FOUND, $e->getMessage());
-                if ($this->debug) {
-                    $response = ResponseUtils::addExceptionHeaders($response, $e);
-                }
-            }
-            return $response;
+            return $this->router->route($this->addParsedBody($request));
         }
     }
 }
@@ -10856,7 +10877,7 @@ class Config
             'password' => null,
             'database' => null,
             'tables' => '',
-            'middlewares' => 'cors',
+            'middlewares' => 'cors,errors',
             'controllers' => 'records,geojson,openapi',
             'customControllers' => '',
             'customOpenApiBuilders' => '',

src/Tqdev/PhpCrudApi/Api.php

@@ -67,7 +67,7 @@ public function __construct(Config $config)
                     new SslRedirectMiddleware($router, $responder, $properties);
                     break;
                 case 'cors':
-                    new CorsMiddleware($router, $responder, $properties);
+                    new CorsMiddleware($router, $responder, $properties, $config->getDebug());
                     break;
                 case 'firewall':
                     new FirewallMiddleware($router, $responder, $properties);
@@ -210,15 +210,6 @@ private function applyParsedBodyHack(ServerRequestInterface $request): ServerReq
 
     public function handle(ServerRequestInterface $request): ResponseInterface
     {
-        $response = null;
-        try {
-            $response = $this->router->route($this->addParsedBody($request));
-        } catch (\Throwable $e) {
-            $response = $this->responder->error(ErrorCode::ERROR_NOT_FOUND, $e->getMessage());
-            if ($this->debug) {
-                $response = ResponseUtils::addExceptionHeaders($response, $e);
-            }
-        }
-        return $response;
+        return $this->router->route($this->addParsedBody($request));
     }
 }

src/Tqdev/PhpCrudApi/Config.php

@@ -12,7 +12,7 @@ class Config
         'password' => null,
         'database' => null,
         'tables' => '',
-        'middlewares' => 'cors',
+        'middlewares' => 'cors,errors',
         'controllers' => 'records,geojson,openapi',
         'customControllers' => '',
         'customOpenApiBuilders' => '',

src/Tqdev/PhpCrudApi/Middleware/AuthorizationMiddleware.php

@@ -10,6 +10,7 @@
 use Tqdev\PhpCrudApi\Middleware\Base\Middleware;
 use Tqdev\PhpCrudApi\Middleware\Communication\VariableStore;
 use Tqdev\PhpCrudApi\Middleware\Router\Router;
+use Tqdev\PhpCrudApi\Record\ErrorCode;
 use Tqdev\PhpCrudApi\Record\FilterInfo;
 use Tqdev\PhpCrudApi\RequestUtils;
 
@@ -71,9 +72,20 @@ private function handleRecords(string $operation, string $tableName) /*: void*/
         }
     }
 
+    private function pathHandler(string $path) /*: bool*/
+    {
+        $pathHandler = $this->getProperty('pathHandler', '');
+        return $pathHandler ? call_user_func($pathHandler, $path) : true;
+    }
+
     public function process(ServerRequestInterface $request, RequestHandlerInterface $next): ResponseInterface
     {
         $path = RequestUtils::getPathSegment($request, 1);
+
+        if (!$this->pathHandler($path)) {
+            return $this->responder->error(ErrorCode::ROUTE_NOT_FOUND, $request->getUri()->getPath());
+        }
+
         $operation = RequestUtils::getOperation($request);
         $tableNames = RequestUtils::getTableNames($request, $this->reflection);
         foreach ($tableNames as $tableName) {

src/Tqdev/PhpCrudApi/Middleware/CorsMiddleware.php

@@ -5,12 +5,23 @@
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
 use Psr\Http\Server\RequestHandlerInterface;
+use Tqdev\PhpCrudApi\Controller\Responder;
 use Tqdev\PhpCrudApi\Middleware\Base\Middleware;
+use Tqdev\PhpCrudApi\Middleware\Router\Router;
 use Tqdev\PhpCrudApi\Record\ErrorCode;
 use Tqdev\PhpCrudApi\ResponseFactory;
+use Tqdev\PhpCrudApi\ResponseUtils;
 
 class CorsMiddleware extends Middleware
 {
+    private $debug;
+
+    public function __construct(Router $router, Responder $responder, array $properties, bool $debug)
+    {
+        parent::__construct($router, $responder, $properties);
+        $this->debug = $debug;
+    }
+
     private function isOriginAllowed(string $origin, string $allowedOrigins): bool
     {
         $found = false;
@@ -34,7 +45,10 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
             $response = $this->responder->error(ErrorCode::ORIGIN_FORBIDDEN, $origin);
         } elseif ($method == 'OPTIONS') {
             $response = ResponseFactory::fromStatus(ResponseFactory::OK);
-            $allowHeaders = $this->getProperty('allowHeaders', 'Content-Type, X-XSRF-TOKEN, X-Authorization, X-Debug-Info, X-Exception-Name, X-Exception-Message, X-Exception-File');
+            $allowHeaders = $this->getProperty('allowHeaders', 'Content-Type, X-XSRF-TOKEN, X-Authorization');
+            if ($this->debug) {
+                $allowHeaders = implode(', ', array_filter([$allowHeaders, 'X-Exception-Name, X-Exception-Message, X-Exception-File']));
+            }
             if ($allowHeaders) {
                 $response = $response->withHeader('Access-Control-Allow-Headers', $allowHeaders);
             }
@@ -50,12 +64,23 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
             if ($maxAge) {
                 $response = $response->withHeader('Access-Control-Max-Age', $maxAge);
             }
-            $exposeHeaders = $this->getProperty('exposeHeaders', 'X-Debug-Info, X-Exception-Name, X-Exception-Message, X-Exception-File');
+            $exposeHeaders = $this->getProperty('exposeHeaders', '');
+            if ($this->debug) {
+                $exposeHeaders = implode(', ', array_filter([$exposeHeaders, 'X-Exception-Name, X-Exception-Message, X-Exception-File']));
+            }
             if ($exposeHeaders) {
                 $response = $response->withHeader('Access-Control-Expose-Headers', $exposeHeaders);
             }
         } else {
-            $response = $next->handle($request);
+            $response = null;
+            try {
+                $response = $next->handle($request);
+            } catch (\Throwable $e) {
+                $response = $this->responder->error(ErrorCode::ERROR_NOT_FOUND, $e->getMessage());
+                if ($this->debug) {
+                    $response = ResponseUtils::addExceptionHeaders($response, $e);
+                }
+            }
         }
         if ($origin) {
             $allowCredentials = $this->getProperty('allowCredentials', 'true');

src/Tqdev/PhpCrudApi/Middleware/Router/SimpleRouter.php

@@ -95,6 +95,7 @@ public function route(ServerRequestInterface $request): ResponseInterface
             $data = gzcompress(json_encode($this->routes, JSON_UNESCAPED_UNICODE));
             $this->cache->set('PathTree', $data, $this->ttl);
         }
+
         return $this->handle($request);
     }