<?php
declare(strict_types=1);
namespace PhpQml\Bridge;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Http\Authenticator\AbstractAuthenticator;
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
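/**
 * Validates the per-session bearer token shared between the Qt host
 * and the Symfony backend.
 *
 * In dev mode the token is read from `.env.local`; in bundled mode the
 * Qt host generates it per session and passes it to FrankenPHP via env.
 * See PLAN.md §3 (*Run modes*, *Edge cases — Per-session secret rotation*).
 *
 * Security notes:
 *  - The token is a shared secret; it is compared in constant time and an
 *    empty configured token is always rejected (fail closed).
 *  - This class only authenticates requests that carry an Authorization
 *    header. Requests without one are left to the firewall / access-control
 *    rules, which are configured outside this file.
 */
final class SessionAuthenticator extends AbstractAuthenticator
{
    /**
     * @param string $expectedToken The secret every request must present as a bearer token.
     *                              Marked sensitive so it is redacted from stack traces.
     */
    public function __construct(
        #[\SensitiveParameter]
        private readonly string $expectedToken,
    ) {
    }

    /**
     * Opts in only when the request has an Authorization header.
     *
     * When this returns false the authenticator is skipped entirely, so a
     * request with no header is neither accepted nor rejected here.
     * NOTE(review): confirm the firewall denies unauthenticated access to the
     * bridge routes; that configuration is not visible from this class.
     */
    public function supports(Request $request): bool
    {
        return $request->headers->has('Authorization');
    }

    /**
     * Checks the bearer token and returns a passport for the single bridge user.
     *
     * @throws AuthenticationException when the header is not a `Bearer ` credential
     *                                 or the token does not match the expected one
     */
    public function authenticate(Request $request): Passport
    {
        $header = (string) $request->headers->get('Authorization', '');
        // The scheme check is an exact, case-sensitive prefix match on "Bearer ".
        if (!str_starts_with($header, 'Bearer ')) {
            throw new AuthenticationException('Bearer token missing.');
        }

        // Everything after the 7-character "Bearer " prefix is the presented token.
        $token = substr($header, 7);

        // Fail closed on an unconfigured (empty) secret: without this guard an
        // empty expected token would match a request that sends "Bearer " with
        // nothing after it. hash_equals() keeps the comparison constant-time so
        // response timing does not reveal how much of the token was correct.
        if ('' === $this->expectedToken || !hash_equals($this->expectedToken, $token)) {
            throw new AuthenticationException('Bearer token invalid.');
        }

        // Single-session model — there is one bridge "user", not per-end-user auth.
        // NOTE(review): no user loader is passed to the badge, so how 'bridge'
        // resolves to a user object depends on the configured user provider.
        return new SelfValidatingPassport(new UserBadge('bridge'));
    }

    /**
     * Returns null so the already-authenticated request continues to its controller.
     */
    public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response
    {
        return null;
    }

    /**
     * Builds the 401 response as an `application/problem+json` document.
     *
     * NOTE(review): `detail` echoes the exception message verbatim. The two
     * messages thrown by authenticate() are fixed strings that reveal nothing
     * about the token, but any other AuthenticationException reaching this
     * handler would be echoed as well — confirm that is acceptable, or switch
     * to getMessageKey() for a generic text.
     */
    public function onAuthenticationFailure(Request $request, AuthenticationException $exception): Response
    {
        return new JsonResponse(
            [
                'type' => 'about:blank',
                'title' => 'Unauthorized',
                'status' => Response::HTTP_UNAUTHORIZED,
                'detail' => $exception->getMessage(),
            ],
            Response::HTTP_UNAUTHORIZED,
            [
                'Content-Type' => 'application/problem+json',
                // A 401 is expected to carry a challenge naming the accepted
                // scheme (RFC 9110 §15.5.2); the original response omitted it.
                'WWW-Authenticate' => 'Bearer',
            ],
        );
    }
}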