SignUrl: Allow more methods, normalize signed URL (remove #hash)

Author: jakubboucek

.phpstorm.meta.php

@@ -34,4 +34,47 @@
         \Redbitcz\DebugMode\Detector::MODE_ENV,
         \Redbitcz\DebugMode\Detector::MODE_IP
     );
+
+    expectedArguments(
+        \Redbitcz\DebugMode\Plugin\SignedUrl::__construct(),
+        1,
+        'ES384',
+        'ES256',
+        'HS256',
+        'HS384',
+        'HS512',
+        'RS256',
+        'RS384',
+        'RS512'
+    );
+
+    expectedArguments(
+        \Redbitcz\DebugMode\Plugin\SignedUrl::signUrl(),
+        2,
+        \Redbitcz\DebugMode\Plugin\SignedUrl::MODE_REQUEST,
+        \Redbitcz\DebugMode\Plugin\SignedUrl::MODE_ENABLER,
+        \Redbitcz\DebugMode\Plugin\SignedUrl::MODE_DEACTIVATE_ENABLER
+    );
+
+    expectedArguments(
+        \Redbitcz\DebugMode\Plugin\SignedUrl::signUrl(),
+        3,
+        \Redbitcz\DebugMode\Plugin\SignedUrl::VALUE_DISABLE,
+        \Redbitcz\DebugMode\Plugin\SignedUrl::VALUE_ENABLE
+    );
+
+    expectedArguments(
+        \Redbitcz\DebugMode\Plugin\SignedUrl::getToken(),
+        3,
+        \Redbitcz\DebugMode\Plugin\SignedUrl::MODE_REQUEST,
+        \Redbitcz\DebugMode\Plugin\SignedUrl::MODE_ENABLER,
+        \Redbitcz\DebugMode\Plugin\SignedUrl::MODE_DEACTIVATE_ENABLER
+    );
+
+    expectedArguments(
+        \Redbitcz\DebugMode\Plugin\SignedUrl::getToken(),
+        4,
+        \Redbitcz\DebugMode\Plugin\SignedUrl::VALUE_DISABLE,
+        \Redbitcz\DebugMode\Plugin\SignedUrl::VALUE_ENABLE
+    );
 }

src/Plugin/SignedUrl.php

@@ -32,7 +32,6 @@ class SignedUrl implements Plugin
 
     private const URL_QUERY_TOKEN_KEY = '_debug';
     private const ISSUER_ID = 'cz.redbit.debug.url';
-    private const HTTP_METHOD_GET = 'get';
 
     /** @var resource|string */
     private $key;
@@ -58,12 +57,14 @@ public function __construct($key, string $algorithm = 'HS256', ?string $audience
 
     /**
      * @param string|int|DateTimeInterface $expire
+     * @param array<int, string> $allowedHttpMethods
      */
     public function signUrl(
         string $url,
         $expire,
         int $mode = self::MODE_REQUEST,
-        int $value = self::VALUE_ENABLE
+        int $value = self::VALUE_ENABLE,
+        array $allowedHttpMethods = ['get']
     ): string {
         /** @var ParsedUrl|false $parsedUrl */
         $parsedUrl = parse_url($url);
@@ -76,7 +77,9 @@ public function signUrl(
             throw new LogicException('Only absolute URL is allowed to sign');
         }
 
-        $token = $this->getToken($url, $expire, $mode, $value);
+        $signUrl = $this->normalizeUrl($parsedUrl);
+
+        $token = $this->getToken($this->buildUrl($signUrl), $allowedHttpMethods, $expire, $mode, $value);
 
         $parsedUrl['query'] = ($parsedUrl['query'] ?? '') . ((($parsedUrl['query'] ?? '') === '') ? '?' : '&')
             . self::URL_QUERY_TOKEN_KEY . '=' . urlencode($token);
@@ -85,13 +88,15 @@ public function signUrl(
     }
 
     /**
+     * @param array<int, string> $allowedMethods
      * @param string|int|DateTimeInterface $expire
      */
     public function getToken(
         string $url,
+        array $allowedMethods,
         $expire,
-        int $mode = self::MODE_REQUEST,
-        int $value = self::VALUE_ENABLE
+        int $mode,
+        int $value
     ): string {
         $expire = (int)DateTime::from($expire)->format('U');
 
@@ -101,7 +106,7 @@ public function getToken(
             'iat' => $this->timestamp ?? time(),
             'exp' => $expire,
             'sub' => $url,
-            'meth' => [self::HTTP_METHOD_GET],
+            'meth' => $allowedMethods,
             'mod' => $mode,
             'val' => $value,
         ];
@@ -194,6 +199,7 @@ public function verifyUrl(string $url, bool $allowRedirect = false): array
             $this->sendRedirectResponse($canonicalUrl);
         }
 
+        $parsedUrl = $this->normalizeUrl($parsedUrl);
         $signedUrl = $this->buildUrl(['query' => substr($query, 0, $tokenOffset)] + $parsedUrl);
 
         if ($signedUrl !== $allowedUrl) {
@@ -308,4 +314,16 @@ protected function sendRedirectResponse(string $canonicalUrl): void
         echo "<h1>Redirect</h1>\n\n<p><a href=\"{$escapedUrl}\">Please click here to continue</a>.</p>";
         die();
     }
+
+    /**
+     * @param ParsedUrl $url
+     * @return ParsedUrl
+     */
+    protected function normalizeUrl(array $url): array
+    {
+        $url['path'] = ($url['path'] ?? '') === '' ? '/' : ($url['path']??'');
+        unset($url['fragment']);
+        /** @var ParsedUrl $url (bypass PhpStan bug) */
+        return $url;
+    }
 }

tests/Plugin/SignUrlTest.php

@@ -28,13 +28,30 @@ public function testSign(): void
         Assert::equal($expected, $token);
     }
 
+    public function testSignFragment(): void
+    {
+        $audience = 'test.' . __FUNCTION__;
+
+        $plugin = new SignedUrl(self::KEY_HS256, 'HS256', $audience);
+        $plugin->setTimestamp(1600000000);
+        $token = $plugin->signUrl('https://host.tld/path?query=value#fragment', 1600000600);
+        $expected = 'https://host.tld/path?query=value&_debug=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJjei5yZWRiaXQuZGVidWcudXJsIiwiYXVkIjoidGVzdC50ZXN0U2lnbkZyYWdtZW50IiwiaWF0IjoxNjAwMDAwMDAwLCJleHAiOjE2MDAwMDA2MDAsInN1YiI6Imh0dHBzOlwvXC9ob3N0LnRsZFwvcGF0aD9xdWVyeT12YWx1ZSIsIm1ldGgiOlsiZ2V0Il0sIm1vZCI6MCwidmFsIjoxfQ.9oIORBXW-hW8vTPdJglEdEMm19nwAvw2wLAxqWvFh3Y#fragment';
+        Assert::equal($expected, $token);
+    }
+
     public function testGetToken(): void
     {
         $audience = 'test.' . __FUNCTION__;
 
         $plugin = new SignedUrl(self::KEY_HS256, 'HS256', $audience);
         $plugin->setTimestamp(1600000000);
-        $token = $plugin->getToken('https://host.tld/path?query=value', 1600000600);
+        $token = $plugin->getToken(
+            'https://host.tld/path?query=value',
+            ['get'],
+            1600000600,
+            SignedUrl::MODE_REQUEST,
+            SignedUrl::VALUE_ENABLE
+        );
         $expected = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJjei5yZWRiaXQuZGVidWcudXJsIiwiYXVkIjoidGVzdC50ZXN0R2V0VG9rZW4iLCJpYXQiOjE2MDAwMDAwMDAsImV4cCI6MTYwMDAwMDYwMCwic3ViIjoiaHR0cHM6XC9cL2hvc3QudGxkXC9wYXRoP3F1ZXJ5PXZhbHVlIiwibWV0aCI6WyJnZXQiXSwibW9kIjowLCJ2YWwiOjF9.I6tEfFneSxuY9qAjRf5esYFPonChbliZqGoijtv2iHw';
         Assert::equal($expected, $token);
     }
@@ -46,7 +63,13 @@ public function testVerifyToken(): void
 
         $plugin = new SignedUrl(self::KEY_HS256, 'HS256', $audience);
         $plugin->setTimestamp($timestamp);
-        $token = $plugin->getToken('https://host.tld/path?query=value', 1600000600);
+        $token = $plugin->getToken(
+            'https://host.tld/path?query=value',
+            ['get'],
+            1600000600,
+            SignedUrl::MODE_REQUEST,
+            SignedUrl::VALUE_ENABLE
+        );
 
         $plugin = new SignedUrl(self::KEY_HS256, 'HS256', $audience);
         $plugin->setTimestamp($timestamp);
@@ -171,16 +194,39 @@ function () use ($timestamp, $tokenUrl) {
     public function testVerifyUrlWithSuffixRedirect(): void
     {
         $timestamp = 1600000000;
-        $expected = 'https://host.tld/path?query=value&_debug=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJjei5yZWRiaXQuZGVidWcudXJsIiwiYXVkIjoidGVzdC50ZXN0U2lnbiIsImlhdCI6MTYwMDAwMDAwMCwiZXhwIjoxNjAwMDAwNjAwLCJzdWIiOiJodHRwczpcL1wvaG9zdC50bGRcL3BhdGg_cXVlcnk9dmFsdWUiLCJtZXRoIjoiZ2V0IiwibW9kIjowLCJ2YWwiOjF9.61Z0pPW3lJN2WDoUhOfsZ4m16Q3hjtVFJep_t_qoQ5c';
-
-        $tokenUrl = $expected . '&fbclid=123456789';
+        $tokenUrl = 'https://host.tld/path?query=value&_debug=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJjei5yZWRiaXQuZGVidWcudXJsIiwiYXVkIjoidGVzdC50ZXN0U2lnbiIsImlhdCI6MTYwMDAwMDAwMCwiZXhwIjoxNjAwMDAwNjAwLCJzdWIiOiJodHRwczpcL1wvaG9zdC50bGRcL3BhdGg_cXVlcnk9dmFsdWUiLCJtZXRoIjoiZ2V0IiwibW9kIjowLCJ2YWwiOjF9.61Z0pPW3lJN2WDoUhOfsZ4m16Q3hjtVFJep_t_qoQ5c'
+            . '&fbclid=123456789';
 
         // Mock plugin without redirect
         $plugin = new class(self::KEY_HS256, 'HS256', 'test.testSign') extends SignedUrl {
             protected function sendRedirectResponse(string $canonicalUrl): void
             {
                 $expected = 'https://host.tld/path?query=value&_debug=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJjei5yZWRiaXQuZGVidWcudXJsIiwiYXVkIjoidGVzdC50ZXN0U2lnbiIsImlhdCI6MTYwMDAwMDAwMCwiZXhwIjoxNjAwMDAwNjAwLCJzdWIiOiJodHRwczpcL1wvaG9zdC50bGRcL3BhdGg_cXVlcnk9dmFsdWUiLCJtZXRoIjoiZ2V0IiwibW9kIjowLCJ2YWwiOjF9.61Z0pPW3lJN2WDoUhOfsZ4m16Q3hjtVFJep_t_qoQ5c';
-                Assert::equal($canonicalUrl, $expected);
+                Assert::equal($expected, $canonicalUrl);
+            }
+        };
+
+        $plugin->setTimestamp($timestamp);
+        JWT::$timestamp = $timestamp;
+        $plugin->verifyUrl($tokenUrl, true);
+    }
+
+    public function testVerifyUrlWithSuffixRedirectFragment(): void
+    {
+        $timestamp = 1600000000;
+        $tokenUrl = 'https://host.tld/path?query=value'
+            . '&_debug=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJjei5yZWRiaXQuZGVidWcudXJsIiwiYXVkIjoidGVzdC50ZXN0U2lnbiIsImlhdCI6MTYwMDAwMDAwMCwiZXhwIjoxNjAwMDAwNjAwLCJzdWIiOiJodHRwczpcL1wvaG9zdC50bGRcL3BhdGg_cXVlcnk9dmFsdWUiLCJtZXRoIjoiZ2V0IiwibW9kIjowLCJ2YWwiOjF9.61Z0pPW3lJN2WDoUhOfsZ4m16Q3hjtVFJep_t_qoQ5c'
+            . '&fbclid=123456789'
+            . '#hash';
+
+        // Mock plugin without redirect
+        $plugin = new class(self::KEY_HS256, 'HS256', 'test.testSign') extends SignedUrl {
+            protected function sendRedirectResponse(string $canonicalUrl): void
+            {
+                $expected = 'https://host.tld/path?query=value'
+                    . '&_debug=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJjei5yZWRiaXQuZGVidWcudXJsIiwiYXVkIjoidGVzdC50ZXN0U2lnbiIsImlhdCI6MTYwMDAwMDAwMCwiZXhwIjoxNjAwMDAwNjAwLCJzdWIiOiJodHRwczpcL1wvaG9zdC50bGRcL3BhdGg_cXVlcnk9dmFsdWUiLCJtZXRoIjoiZ2V0IiwibW9kIjowLCJ2YWwiOjF9.61Z0pPW3lJN2WDoUhOfsZ4m16Q3hjtVFJep_t_qoQ5c'
+                    . '#hash';
+                Assert::equal($expected, $canonicalUrl);
             }
         };