Expand AnonymousRequestMatcher by user_identifier_headers option

Author: blankse

CHANGELOG.md

@@ -1,6 +1,19 @@
 Changelog
 =========
 
+1.4.5
+-----
+
+* Symfony user context: You can now also specify which headers are used for
+  authentication to detect anonymous requests. By default, the headers are the
+  previously hardcoded `Authorization`, `HTTP_AUTHORIZATION` and
+  `PHP_AUTH_USER`.
+
+1.4.4
+-----
+
+* Avoid problem with [http_method_override](http://symfony.com/doc/current/reference/configuration/framework.html#configuration-framework-http-method-override).
+
 1.4.3
 -----
 

doc/symfony-cache-configuration.rst

@@ -147,6 +147,10 @@ options through the constructor:
 
   **default**: ``GET``
 
+* **user_identifier_headers**: List of request headers that authenticate a non-anonymous request.
+
+  **default**: ``['Authorization', 'HTTP_AUTHORIZATION', 'PHP_AUTH_USER']``
+
 * **session_name_prefix**: Prefix for session cookies. Must match your PHP session configuration.
 
   **default**: ``PHPSESSID``

src/SymfonyCache/UserContextSubscriber.php

@@ -16,6 +16,7 @@
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpKernel\HttpKernelInterface;
+use Symfony\Component\HttpKernel\Kernel;
 use Symfony\Component\OptionsResolver\OptionsResolver;
 
 /**
@@ -51,6 +52,7 @@ class UserContextSubscriber implements EventSubscriberInterface
      *                            match the setup for the Vary header in the backend application.
      * - user_hash_uri:           Target URI used in the request for user context hash generation.
      * - user_hash_method:        HTTP Method used with the hash lookup request for user context hash generation.
+     * - user_identifier_headers: List of request headers that authenticate a non-anonymous request.
      * - session_name_prefix:     Prefix for session cookies. Must match your PHP session configuration.
      *
      * @param array $options Options to overwrite the default options
@@ -66,8 +68,21 @@ public function __construct(array $options = array())
             'user_hash_header' => 'X-User-Context-Hash',
             'user_hash_uri' => '/_fos_user_context_hash',
             'user_hash_method' => 'GET',
+            'user_identifier_headers' => array('Authorization', 'HTTP_AUTHORIZATION', 'PHP_AUTH_USER'),
             'session_name_prefix' => 'PHPSESSID',
         ));
+        if (class_exists('Symfony\Component\HttpKernel\Kernel')
+            && (Kernel::MAJOR_VERSION > 2 || Kernel::MINOR_VERSION > 5)
+        ) {
+            $resolver->setAllowedTypes('anonymous_hash', array('string'));
+            $resolver->setAllowedTypes('user_hash_accept_header', array('string'));
+            $resolver->setAllowedTypes('user_hash_header', array('string'));
+            $resolver->setAllowedTypes('user_hash_uri', array('string'));
+            $resolver->setAllowedTypes('user_hash_method', array('string'));
+            // actually string[] but that is not supported by symfony < 3.4
+            $resolver->setAllowedTypes('user_identifier_headers', array('array'));
+            $resolver->setAllowedTypes('session_name_prefix', array('string'));
+        }
 
         $this->options = $resolver->resolve($options);
     }
@@ -186,7 +201,10 @@ private function getUserHash(HttpKernelInterface $kernel, Request $request)
      */
     private function isAnonymous(Request $request)
     {
-        $anonymousRequestMatcher = new AnonymousRequestMatcher($this->options['session_name_prefix']);
+        $anonymousRequestMatcher = new AnonymousRequestMatcher(array(
+            'user_identifier_headers' => $this->options['user_identifier_headers'],
+            'session_name_prefix' => $this->options['session_name_prefix'],
+        ));
 
         return $anonymousRequestMatcher->matches($request);
     }

src/UserContext/AnonymousRequestMatcher.php

@@ -13,36 +13,53 @@
 
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\RequestMatcherInterface;
+use Symfony\Component\HttpKernel\Kernel;
+use Symfony\Component\OptionsResolver\OptionsResolver;
 
 /**
  * Matches anonymous requests using a list of identification headers.
  */
 class AnonymousRequestMatcher implements RequestMatcherInterface
 {
-    private $sessionNamePrefix;
+    /**
+     * @var array
+     */
+    private $options;
 
     /**
-     * @param string $sessionNamePrefix Prefix for session cookies. Must match your PHP session configuration
+     * @param array $options Configuration for the matcher. All options are required because this matcher is usually
+     *                       created by the UserContextSubscriber which provides the default values.
+     *
+     * @throws \InvalidArgumentException if unknown keys are found in $options
      */
-    public function __construct($sessionNamePrefix)
+    public function __construct(array $options = array())
     {
-        $this->sessionNamePrefix = $sessionNamePrefix;
+        $resolver = new OptionsResolver();
+        $resolver->setRequired(array('user_identifier_headers', 'session_name_prefix'));
+        if (class_exists('Symfony\Component\HttpKernel\Kernel')
+            && (Kernel::MAJOR_VERSION > 2 || Kernel::MINOR_VERSION > 5)
+        ) {
+            // actually string[] but that is not supported by symfony < 3.4
+            $resolver->setAllowedTypes('user_identifier_headers', array('array'));
+            $resolver->setAllowedTypes('session_name_prefix', array('string'));
+        }
+
+        $this->options = $resolver->resolve($options);
     }
 
     public function matches(Request $request)
     {
         // You might have to enable rewriting of the Authorization header in your server config or .htaccess:
         // RewriteEngine On
         // RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
-        if ($request->server->has('AUTHORIZATION') ||
-            $request->server->has('HTTP_AUTHORIZATION') ||
-            $request->server->has('PHP_AUTH_USER')
-        ) {
-            return false;
+        foreach ($this->options['user_identifier_headers'] as $header) {
+            if ($request->headers->has($header)) {
+                return false;
+            }
         }
 
         foreach ($request->cookies as $name => $value) {
-            if (0 === strpos($name, $this->sessionNamePrefix)) {
+            if (0 === strpos($name, $this->options['session_name_prefix'])) {
                 return false;
             }
         }