clarification

phpunit.xml.dist

@@ -7,7 +7,7 @@
   stopOnIncomplete="false"
   stopOnSkipped="false"
   bootstrap="vendor/autoload.php"
-  xsi:noNamespaceSchemaLocation="https://schema.phpunit.de/10.3/phpunit.xsd"
+  xsi:noNamespaceSchemaLocation="vendor/phpunit/phpunit/phpunit.xsd"
   cacheDirectory=".phpunit.cache">
   <coverage/>
   <testsuites>

psalm.xml

@@ -1,7 +1,6 @@
 <?xml version="1.0"?>
 <psalm
     errorLevel="1"
-    resolveFromConfigFile="true"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns="https://getpsalm.org/schema/config"
     xsi:schemaLocation="https://getpsalm.org/schema/config vendor/vimeo/psalm/config.xsd"

src/JwtAuthentication.php

@@ -64,19 +64,12 @@ public function __construct(
         $this->decodeToken = new DecodeToken($parser ?? new Parser(new JoseEncoder()), $logger);
     }
 
-    /**
-     * Process a request in PSR-15 style and return a response.
-     */
     public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
     {
-        $scheme = $request->getUri()->getScheme();
-        $host   = $request->getUri()->getHost();
-
-        /* HTTP allowed only if secure is false or server is in relaxed array. */
-        if ($scheme !== 'https' && $this->options->secure === true && ! in_array($host, $this->options->relaxed)) {
+        if (! $this->isConfigurationSecure($request)) {
             throw new RuntimeException(sprintf(
                 'Insecure use of middleware over %s denied by configuration.',
-                strtoupper($scheme),
+                strtoupper($request->getUri()->getScheme()),
             ));
         }
 
@@ -92,16 +85,27 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
             return $handler->handle($request);
         }
 
-        /* Add decoded token to request as attribute when requested. */
-        $request = $request->withAttribute($this->options->attribute, $jwtDecodedToken);
+        $request = $this->options->before->__invoke(
+            $request->withAttribute($this->options->attribute, $jwtDecodedToken),
+            $jwtDecodedToken,
+        );
+
+        return $this->options->after->__invoke($handler->handle($request), $jwtDecodedToken);
+    }
 
-        /* Modify $request before calling next middleware. */
-        $request = $this->options->before->__invoke($request, $jwtDecodedToken);
+    /**
+     * HTTP allowed only if secure is false or server is in relaxed array.
+     */
+    private function isConfigurationSecure(ServerRequestInterface $request): bool
+    {
+        if ($request->getUri()->getScheme() === 'https') {
+            return true;
+        }
 
-        /* Everything ok, call next middleware. */
-        $response = $handler->handle($request);
+        if ($this->options->secure === false) {
+            return true;
+        }
 
-        /* Modify $response before returning. */
-        return $this->options->after->__invoke($response, $jwtDecodedToken);
+        return in_array($request->getUri()->getHost(), $this->options->relaxed);
     }
 }

src/JwtAuthentication/IgnoreHttpMethodRule.php

@@ -0,0 +1,25 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Tuupola\Middleware\JwtAuthentication;
+
+use Psr\Http\Message\ServerRequestInterface;
+
+use function in_array;
+
+/**
+ * Rule to decide by HTTP verb whether the request should be authenticated or not.
+ */
+final class IgnoreHttpMethodRule implements RuleInterface
+{
+    /** @param string[] $ignoreHttpMethod */
+    public function __construct(private readonly array $ignoreHttpMethod = ['OPTIONS'])
+    {
+    }
+
+    public function __invoke(ServerRequestInterface $request): bool
+    {
+        return ! in_array($request->getMethod(), $this->ignoreHttpMethod);
+    }
+}

src/JwtAuthentication/NullError.php → src/JwtAuthentication/NullAclError.php

@@ -7,9 +7,9 @@
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
 use Throwable;
-use Tuupola\Middleware\JwtAuthentificationError;
+use Tuupola\Middleware\JwtAuthentificationAclError;
 
-class NullError implements JwtAuthentificationError
+class NullAclError implements JwtAuthentificationAclError
 {
     public function __invoke(ServerRequestInterface $request, ResponseInterface $response, Throwable $exception): ResponseInterface
     {

src/JwtAuthentication/NullAfter.php → src/JwtAuthentication/NullAfterHandler.php

@@ -6,9 +6,9 @@
 
 use Lcobucci\JWT\Token\Plain;
 use Psr\Http\Message\ResponseInterface;
-use Tuupola\Middleware\JwtAuthentificationAfter;
+use Tuupola\Middleware\JwtAuthentificationAfterHandler;
 
-class NullAfter implements JwtAuthentificationAfter
+class NullAfterHandler implements JwtAuthentificationAfterHandler
 {
     public function __invoke(ResponseInterface $response, Plain $token): ResponseInterface
     {

src/JwtAuthentication/NullBefore.php → src/JwtAuthentication/NullBeforeHandler.php

@@ -6,9 +6,9 @@
 
 use Lcobucci\JWT\Token\Plain;
 use Psr\Http\Message\ServerRequestInterface;
-use Tuupola\Middleware\JwtAuthentificationBefore;
+use Tuupola\Middleware\JwtAuthentificationBeforeHandler;
 
-class NullBefore implements JwtAuthentificationBefore
+class NullBeforeHandler implements JwtAuthentificationBeforeHandler
 {
     public function __invoke(ServerRequestInterface $request, Plain $token): ServerRequestInterface
     {

src/JwtAuthentication/RequestPathRule.php

@@ -2,40 +2,12 @@
 
 declare(strict_types=1);
 
-/*
-
-Copyright (c) 2015-2022 Mika Tuupola
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
-
-*/
-
-/**
- * @see       https://github.com/tuupola/slim-jwt-auth
- * @see       https://appelsiini.net/projects/slim-jwt-auth
- */
-
 namespace Tuupola\Middleware\JwtAuthentication;
 
 use Psr\Http\Message\ServerRequestInterface;
 
 use function array_filter;
+use function array_map;
 use function explode;
 use function implode;
 use function preg_match;
@@ -44,40 +16,69 @@
 /**
  * Rule to decide by request path whether the request should be authenticated or not.
  */
-
 final class RequestPathRule implements RuleInterface
 {
+    /** @var string[] */
+    private readonly array $mustBeAuthOnUri;
+    /** @var string[] */
+    private readonly array $ignoreAuthOnUri;
+
     /**
-     * @param string[] $path
-     * @param string[] $ignore
+     * @param string[] $mustBeAuthOnUri
+     * @param string[] $ignoreAuthOnUri
      */
     public function __construct(
-        private readonly array $path = ['/'],
-        private readonly array $ignore = []
+        array $mustBeAuthOnUri = ['/'],
+        array $ignoreAuthOnUri = []
     ) {
+        $this->mustBeAuthOnUri = array_map(static fn (string $mustBeAuthOnUri): string => rtrim($mustBeAuthOnUri, '/'), $mustBeAuthOnUri);
+        $this->ignoreAuthOnUri = array_map(static fn (string $ignoreAuthOnUri): string => rtrim($ignoreAuthOnUri, '/'), $ignoreAuthOnUri);
     }
 
     public function __invoke(ServerRequestInterface $request): bool
     {
-        $uri = '/' . $request->getUri()->getPath();
-        $uri = '/' . implode('/', array_filter(explode('//', $uri)));
+        $uri = '/' . implode(
+            '/',
+            array_filter(explode('//', '/' . $request->getUri()->getPath())),
+        );
+
+        if ($this->shouldIgnoreAuthOnUri($uri)) {
+            return false;
+        }
+
+        return $this->shouldBeAuthenticate($uri);
+    }
 
-        /* If request path is matches ignore should not authenticate. */
-        foreach ($this->ignore as $ignore) {
-            $ignore = rtrim($ignore, '/');
-            if (! ! preg_match('@^' . $ignore . '(/.*)?$@', $uri)) {
-                return false;
+    /**
+     * If request path is matches ignore should not authenticate.
+     */
+    private function shouldIgnoreAuthOnUri(string $uri): bool
+    {
+        foreach ($this->ignoreAuthOnUri as $ignoreAuthOnUri) {
+            if ($this->match($ignoreAuthOnUri, $uri)) {
+                return true;
             }
         }
 
-        /* Otherwise check if path matches and we should authenticate. */
-        foreach ($this->path as $path) {
-            $path = rtrim($path, '/');
-            if (! ! preg_match('@^' . $path . '(/.*)?$@', $uri)) {
+        return false;
+    }
+
+    /**
+     * Otherwise check if path matches and we should authenticate.
+     */
+    private function shouldBeAuthenticate(string $uri): bool
+    {
+        foreach ($this->mustBeAuthOnUri as $mustBeAuthOnUri) {
+            if ($this->match($mustBeAuthOnUri, $uri)) {
                 return true;
             }
         }
 
         return false;
     }
+
+    private function match(string $value, string $uri): bool
+    {
+        return ! ! preg_match('@^' . $value . '(/.*)?$@', $uri);
+    }
 }

src/JwtAuthentication/RuleInterface.php

@@ -2,35 +2,6 @@
 
 declare(strict_types=1);
 
-/*
-
-Copyright (c) 2015-2022 Mika Tuupola
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
-
-*/
-
-/**
- * @see       https://github.com/tuupola/slim-jwt-auth
- * @see       https://appelsiini.net/projects/slim-jwt-auth
- */
-
 namespace Tuupola\Middleware\JwtAuthentication;
 
 use Psr\Http\Message\ServerRequestInterface;