SignUrl: Allowed more methods

jakubboucek · jakubboucek · commit 12053429904b · 2021-09-17T21:23:22.000+02:00
diff --git a/src/Plugin/SignedUrl.php b/src/Plugin/SignedUrl.php
@@ -13,7 +13,7 @@
 
 /**
  * @phpstan-type ParsedUrl array{'scheme'?: string, 'host'?: string, 'port'?: int, 'user'?: string, 'pass'?: string, 'path'?: string, 'query'?: string, 'fragment'?: string}
- * @phpstan-type ClaimsSet array{'iss': string, 'aud': string|null, 'iat': int, 'exp': int, 'sub': string, 'meth': string, 'mod': int, 'val': int}
+ * @phpstan-type ClaimsSet array{'iss': string, 'aud': string|null, 'iat': int, 'exp': int, 'sub': string, 'meth': array<int, string>, 'mod': int, 'val': int}
  */
 class SignedUrl implements Plugin
 {
@@ -65,6 +65,7 @@ public function signUrl(
         int $mode = self::MODE_REQUEST,
         int $value = self::VALUE_ENABLE
     ): string {
+        /** @var ParsedUrl|false $parsedUrl */
         $parsedUrl = parse_url($url);
 
         if ($parsedUrl === false) {
@@ -100,7 +101,7 @@ public function getToken(
             'iat' => $this->timestamp ?? time(),
             'exp' => $expire,
             'sub' => $url,
-            'meth' => self::HTTP_METHOD_GET,
+            'meth' => [self::HTTP_METHOD_GET],
             'mod' => $mode,
             'val' => $value,
         ];
@@ -143,30 +144,30 @@ public function verifyRequest(bool $allowRedirect = false, ?string $url = null,
         $url = $url ?? $this->urlFromGlobal();
         $method = $method ?? $_SERVER['REQUEST_METHOD'];
 
-        [$allowedMethod, $mode, $value, $expires] = $this->verifyUrl($url);
+        [$allowedMethods, $mode, $value, $expires] = $this->verifyUrl($url);
 
-        if (strcasecmp($method, $allowedMethod) !== 0) {
+        if (in_array(strtolower($method), $allowedMethods, true) === false) {
             throw new SignedUrlVerificationException('HTTP method doesn\'t match signed HTTP method');
         }
 
         return [$mode, $value, $expires];
     }
 
     /**
-     * @return array{string, int, int, int}
+     * @return array{array<int, string>, int, int, int}
      */
     public function verifyUrl(string $url, bool $allowRedirect = false): array
     {
-        /** @noinspection CallableParameterUseCaseInTypeContextInspection */
-        $url = parse_url($url);
+        /** @var ParsedUrl|false $parsedUrl */
+        $parsedUrl = parse_url($url);
 
-        if ($url === false) {
+        if ($parsedUrl === false) {
             throw new SignedUrlVerificationException('Url is invalid');
         }
 
         // Parse token from Query string
         // Note: Not parsed by parse_str() to prevent broke URL (repeated arguments like `?same_arg=1&same_arg=2`)
-        $query = $url['query'] ?? '';
+        $query = $parsedUrl['query'] ?? '';
         if (preg_match(
                 '/(?<token_key>[?&]' . self::URL_QUERY_TOKEN_KEY . '=)(?<token>[^&]+)(?:$|(?<remaining>&.*$))/D',
                 $query,
@@ -181,34 +182,34 @@ public function verifyUrl(string $url, bool $allowRedirect = false): array
         $remainingOffset = $matches['remaining'][1] ?? null;
 
         // Parse token – when token invalid, no URL canonicalization proceed
-        [$allowedUrl, $allowedMethod, $mode, $value, $expires] = $this->verifyToken($token);
+        [$allowedUrl, $allowedMethods, $mode, $value, $expires] = $this->verifyToken($token);
 
         // Some apps modifing URL
         if ($remainingOffset !== null) {
             if ($allowRedirect === false) {
                 throw new SignedUrlVerificationException('URL contains unallowed queries after Signing Token');
             }
 
-            $canonicalUrl = $this->buildUrl(['query' => substr($query, 0, $remainingOffset)] + $url);
+            $canonicalUrl = $this->buildUrl(['query' => substr($query, 0, $remainingOffset)] + $parsedUrl);
             $this->sendRedirectResponse($canonicalUrl);
         }
 
-        $signedUrl = $this->buildUrl(['query' => substr($query, 0, $tokenOffset)] + $url);
+        $signedUrl = $this->buildUrl(['query' => substr($query, 0, $tokenOffset)] + $parsedUrl);
 
         if ($signedUrl !== $allowedUrl) {
             throw new SignedUrlVerificationException('URL doesn\'t match signed URL');
         }
 
-        return [$allowedMethod, $mode, $value, $expires];
+        return [$allowedMethods, $mode, $value, $expires];
     }
 
     /**
-     * @return array{string, string, int, int, int}
+     * @return array{string, array<int, string>, int, int, int}
      */
     public function verifyToken(string $token): array
     {
         try {
-            /** @var ClaimsSet */
+            /** @var ClaimsSet $payload */
             $payload = JWT::decode($token, $this->key, [$this->algorithm]);
         } catch (RuntimeException $e) {
             throw new SignedUrlVerificationException('JWT Token invalid', 0, $e);
@@ -247,11 +248,11 @@ public function verifyToken(string $token): array
         }
 
         return [
-            (string)$payload->sub,
-            (string)$payload->meth,
+            $payload->sub,
+            $payload->meth,
             $payload->mod,
             $payload->val,
-            (int)$payload->exp
+            $payload->exp
         ];
     }
 
diff --git a/tests/Plugin/SignUrlTest.php b/tests/Plugin/SignUrlTest.php
@@ -24,7 +24,7 @@ public function testSign(): void
         $plugin = new SignedUrl(self::KEY_HS256, 'HS256', $audience);
         $plugin->setTimestamp(1600000000);
         $token = $plugin->signUrl('https://host.tld/path?query=value', 1600000600);
-        $expected = 'https://host.tld/path?query=value&_debug=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJjei5yZWRiaXQuZGVidWcudXJsIiwiYXVkIjoidGVzdC50ZXN0U2lnbiIsImlhdCI6MTYwMDAwMDAwMCwiZXhwIjoxNjAwMDAwNjAwLCJzdWIiOiJodHRwczpcL1wvaG9zdC50bGRcL3BhdGg_cXVlcnk9dmFsdWUiLCJtZXRoIjoiZ2V0IiwibW9kIjowLCJ2YWwiOjF9.61Z0pPW3lJN2WDoUhOfsZ4m16Q3hjtVFJep_t_qoQ5c';
+        $expected = 'https://host.tld/path?query=value&_debug=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJjei5yZWRiaXQuZGVidWcudXJsIiwiYXVkIjoidGVzdC50ZXN0U2lnbiIsImlhdCI6MTYwMDAwMDAwMCwiZXhwIjoxNjAwMDAwNjAwLCJzdWIiOiJodHRwczpcL1wvaG9zdC50bGRcL3BhdGg_cXVlcnk9dmFsdWUiLCJtZXRoIjpbImdldCJdLCJtb2QiOjAsInZhbCI6MX0.E2__15ZLCOvLRA1jG3tq47DctbZ44sLYYDLXGElMrDs';
         Assert::equal($expected, $token);
     }
 
@@ -35,7 +35,7 @@ public function testGetToken(): void
         $plugin = new SignedUrl(self::KEY_HS256, 'HS256', $audience);
         $plugin->setTimestamp(1600000000);
         $token = $plugin->getToken('https://host.tld/path?query=value', 1600000600);
-        $expected = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJjei5yZWRiaXQuZGVidWcudXJsIiwiYXVkIjoidGVzdC50ZXN0R2V0VG9rZW4iLCJpYXQiOjE2MDAwMDAwMDAsImV4cCI6MTYwMDAwMDYwMCwic3ViIjoiaHR0cHM6XC9cL2hvc3QudGxkXC9wYXRoP3F1ZXJ5PXZhbHVlIiwibWV0aCI6ImdldCIsIm1vZCI6MCwidmFsIjoxfQ.KO0DRN8hsn_MYZI3iRMpw5uRJ9hKh1taex-6k02BwMk';
+        $expected = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJjei5yZWRiaXQuZGVidWcudXJsIiwiYXVkIjoidGVzdC50ZXN0R2V0VG9rZW4iLCJpYXQiOjE2MDAwMDAwMDAsImV4cCI6MTYwMDAwMDYwMCwic3ViIjoiaHR0cHM6XC9cL2hvc3QudGxkXC9wYXRoP3F1ZXJ5PXZhbHVlIiwibWV0aCI6WyJnZXQiXSwibW9kIjowLCJ2YWwiOjF9.I6tEfFneSxuY9qAjRf5esYFPonChbliZqGoijtv2iHw';
         Assert::equal($expected, $token);
     }
 
@@ -52,7 +52,7 @@ public function testVerifyToken(): void
         $plugin->setTimestamp($timestamp);
         JWT::$timestamp = $timestamp;
         $parsed = $plugin->verifyToken($token);
-        $expected = ['https://host.tld/path?query=value', 'get', 0, 1, 1600000600];
+        $expected = ['https://host.tld/path?query=value', ['get'], 0, 1, 1600000600];
         Assert::equal($expected, $parsed);
     }
 
@@ -70,7 +70,7 @@ public function testVerifyUrl(): void
         $plugin->setTimestamp($timestamp);
         JWT::$timestamp = $timestamp;
         $parsed = $plugin->verifyUrl($tokenUrl);
-        $expected = ['get', 0, 1, 1600000600];
+        $expected = [['get'], 0, 1, 1600000600];
         Assert::equal($expected, $parsed);
     }
 
