
Commit be1835d

committed
bugfix
1 parent 5c3008c commit be1835d

4 files changed

+32
-10
lines changed


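--- a/api.php
+++ b/api.php
@@ -2773,6 +2773,11 @@ public function setNext(Handler $handler) /*: void*/
 $this->next = $handler;
 }
 
+protected function getArrayProperty(String $key, String $default): array
+{
+return array_filter(array_map('trim', explode(',', $this->getProperty($key, $default))));
+}
+
 protected function getProperty(String $key, $default)
 {
 return isset($this->properties[$key]) ? $this->properties[$key] : $default;
@@ -2899,6 +2904,25 @@ public function handle(Request $request): Response
 
 }
 
+// file: src/Tqdev/PhpCrudApi/Middleware/AjaxOnlyMiddleware.php
+
+class AjaxOnlyMiddleware extends Middleware
+{
+public function handle(Request $request): Response
+{
+$method = $request->getMethod();
+$excludeMethods = $this->getArrayProperty('excludeMethods', 'OPTIONS,GET');
+if (!in_array($method, $excludeMethods)) {
+$headerName = $this->getProperty('headerName', 'X-Requested-With');
+$headerValue = $this->getProperty('headerValue', 'XMLHttpRequest');
+if ($headerValue != $request->getHeader($headerName)) {
+return $this->responder->error(ErrorCode::ONLY_AJAX_REQUESTS_ALLOWED, '');
+}
+}
+return $this->next->handle($request);
+}
+}
+
 // file: src/Tqdev/PhpCrudApi/Middleware/AuthorizationMiddleware.php
 
 class AuthorizationMiddleware extends Middleware
@@ -3276,11 +3300,6 @@ private function getVerifiedClaims(String $token, int $time, int $leeway, int $t
 return $claims;
 }
 
-private function getArrayProperty(String $property, String $default): array
-{
-return array_filter(array_map('trim', explode(',', $this->getProperty($property, $default))));
-}
-
 private function getClaims(String $token): array
 {
 $time = (int) $this->getProperty('time', time());
@@ -3563,7 +3582,8 @@ public function handle(Request $request): Response
 {
 $token = $this->getToken();
 $method = $request->getMethod();
-if (!in_array($method, ['OPTIONS', 'GET'])) {
+$excludeMethods = $this->getArrayProperty('excludeMethods', 'OPTIONS,GET');
+if (!in_array($method, $excludeMethods)) {
 $headerName = $this->getProperty('headerName', 'X-XSRF-TOKEN');
 if ($token != $request->getHeader($headerName)) {
 return $this->responder->error(ErrorCode::BAD_OR_MISSING_XSRF_TOKEN, '');
@@ -4237,6 +4257,7 @@ class ErrorCode
 const OPERATION_NOT_SUPPORTED = 1015;
 const TEMPORARY_OR_PERMANENTLY_BLOCKED = 1016;
 const BAD_OR_MISSING_XSRF_TOKEN = 1017;
+const ONLY_AJAX_REQUESTS_ALLOWED = 1018;
 
 private $values = [
 9999 => ["%s", Response::INTERNAL_SERVER_ERROR],
@@ -4258,6 +4279,7 @@ class ErrorCode
 1015 => ["Operation '%s' not supported", Response::METHOD_NOT_ALLOWED],
 1016 => ["Temporary or permanently blocked", Response::FORBIDDEN],
 1017 => ["Bad or missing XSRF token", Response::FORBIDDEN],
+1018 => ["Only AJAX requests allowed", Response::FORBIDDEN],
 ];
 
 public function __construct(int $code)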
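Review bot: In AjaxOnlyMiddleware::handle the header check `if ($headerValue != $request->getHeader($headerName))` uses loose comparison, and `in_array($method, $excludeMethods)` runs without `strict: true`; the same non-strict `in_array` appears in the XsrfMiddleware hunk of this file and in the AjaxOnlyMiddleware.php and XsrfMiddleware.php sections below. PHP's `!=` on two numeric-looking strings compares them as numbers, so a configured headerValue such as `'1e3'` would be matched by a header `'1000'`; `if ($headerValue !== $request->getHeader($headerName))` and `in_array($method, $excludeMethods, true)` keep both checks byte-exact. If getHeader() can return null for a missing header (not visible here), strict comparison still rejects it as intended. A short docblock on the class stating that every request whose method is not listed in `excludeMethods` (default `OPTIONS,GET`) must carry the configured header, and that widening that list disables the check for those methods, would help operators who tune the property.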

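--- a/src/Tqdev/PhpCrudApi/Middleware/AjaxOnlyMiddleware.php
+++ b/src/Tqdev/PhpCrudApi/Middleware/AjaxOnlyMiddleware.php
@@ -12,7 +12,7 @@ class AjaxOnlyMiddleware extends Middleware
 public function handle(Request $request): Response
 {
 $method = $request->getMethod();
-$excludeMethods = $this->getProperty('excludeMethods', 'OPTIONS,GET');
+$excludeMethods = $this->getArrayProperty('excludeMethods', 'OPTIONS,GET');
 if (!in_array($method, $excludeMethods)) {
 $headerName = $this->getProperty('headerName', 'X-Requested-With');
 $headerValue = $this->getProperty('headerValue', 'XMLHttpRequest');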

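--- a/src/Tqdev/PhpCrudApi/Middleware/Base/Middleware.php
+++ b/src/Tqdev/PhpCrudApi/Middleware/Base/Middleware.php
@@ -22,9 +22,9 @@ public function setNext(Handler $handler) /*: void*/
 $this->next = $handler;
 }
 
-protected function getArrayProperty(String $key, $default)
+protected function getArrayProperty(String $key, String $default): array
 {
-return isset($this->properties[$key]) ? array_filter(array_map('trim', explode(',', $this->properties[$key]))) : $default;
+return array_filter(array_map('trim', explode(',', $this->getProperty($key, $default))));
 }
 
 protected function getProperty(String $key, $default)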
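Review bot: getArrayProperty now always returns a parsed array, but nothing documents the parsing rules: entries are split on commas, trimmed, and then passed through a callback-less `array_filter`, which also drops an entry that is exactly `'0'` and leaves gaps in the keys. A docblock such as `/** Splits the comma-separated property (or $default) into trimmed, non-empty strings; keys are not reindexed and a bare '0' entry is dropped. */` makes that visible to callers. Because getProperty() returns the stored value unchanged, a non-string value under $key would reach explode() — presumably properties are always strings here, but worth confirming.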

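--- a/src/Tqdev/PhpCrudApi/Middleware/XsrfMiddleware.php
+++ b/src/Tqdev/PhpCrudApi/Middleware/XsrfMiddleware.php
@@ -28,7 +28,7 @@ public function handle(Request $request): Response
 {
 $token = $this->getToken();
 $method = $request->getMethod();
-$excludeMethods = $this->getProperty('excludeMethods', 'OPTIONS,GET');
+$excludeMethods = $this->getArrayProperty('excludeMethods', 'OPTIONS,GET');
 if (!in_array($method, $excludeMethods)) {
 $headerName = $this->getProperty('headerName', 'X-XSRF-TOKEN');
 if ($token != $request->getHeader($headerName)) {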
