You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I would like to add the possibility to create a temporary URI signed.
To achieve this, we can add an expiration parameter to the UriSigner's sign method.
By default at null, if a value is passed, a query parameter with the timestamp of the expiration date + time will be added before the computation of the URI hash.
Thus when checking the URI, if this query parameter is present, the timestamp will be used by the check method to determine if the URI has expired.
This PR was merged into the 7.1 branch.
Discussion
----------
[HttpKernel] Add temporary URI signed
| Q | A
| ------------- | ---
| Branch? | 7.1
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| Tickets | Fix#51501
| License | MIT
| Doc PR | TODO
This feature add the possibilty to create a temporary URI signed as mentionned in #51501.
Few things about this implementation :
- I added an optional parameter to the constructor of the `UriSigner`. I'm not sure if it can be considered as a **BC** ?
- The query parameter for expiration (by default "_expiration") is considered as a **reserved parameter** for the signer and if you try to sign an URI with this parameter, the method will throw
a LogicalException. In fact, the `check `method will test the presence of the expiration query parameter to determine if it must (or not) verify the expiration.
A problem can arise in this case : Lets say you want to sign this URI : "/demo?_expiration=foo" and you don't want a temporary URL. The URI is signed without problem but when you try to call `check`, the method will notice the
presence of "_expiration" and try to determine if it has expired, considering the value "foo" as a timestamp.
Commits
-------
f0c2cfb [HttpFoundation] Add temporary URI signed
Description
I would like to add the possibility to create a temporary URI signed.
To achieve this, we can add an expiration parameter to the
UriSigner
'ssign
method.By default at null, if a value is passed, a query parameter with the timestamp of the expiration date + time will be added before the computation of the URI hash.
Thus when checking the URI, if this query parameter is present, the timestamp will be used by the
check
method to determine if the URI has expired.I propose a signature like this :
\DatetimeInterface
, it's converted to a timestamp.\DateInterval
, it's added to "now" then converted to a timestamp.int
, it's expected to be a timestamp in seconds.If null, nothing is added.
Example
The text was updated successfully, but these errors were encountered: