magdev/php-qml
1
Fork 0
Code Issues Pull Requests Actions Releases 4 Activity
Files
c673ec22e203d78dc7595d9ec9cf9c34da0ecb9a
php-qml/framework/php/src/SessionAuthenticator.php
magdev 0cceefc890 v0.1.3: audit-driven non-breaking fixes 
Three bugs surfaced by the post-v0.1.2 architecture audit:

- bridge.qml_path is now actually configurable. BridgeBundle::configure
  defines the qml_path scalar node (default ../qml/); loadExtension
  exposes it as the bridge.qml_path container parameter; services.yaml
  binds it into BridgeResourceMaker + BridgeWindowMaker. Apps override
  with `config/packages/bridge.yaml`. The existing maker docstrings
  claimed this worked already — they lied; now they don't.

- SessionAuthenticator implements AuthenticationEntryPointInterface and
  routes the no-token entry-point path through the same problem+json
  helper as onAuthenticationFailure, so QML's RestClient sees one error
  shape regardless of which firewall path was taken. Test added.

- CorrelationKeyListener::onTerminate guards on isMainRequest() now,
  matching onRequest's existing guard. No user-visible impact in
  worker mode (no sub-requests emitted), but the asymmetry was a
  defensive bug that would corrupt optimistic-update reconciliation.

PLAN.md §13 gains a v0.1.3 section + folds the audit's API-surface
items (PublisherInterface / ModelPublisherInterface / BridgeOp enum /
maker DRY / DTO-shaped scaffold) into v0.2.0. CHANGELOG.md mirrors.

PHPStan + cs-fixer + PHPUnit (17/17) + maker snapshot tests all green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-03 16:31:54 +02:00

91 lines
3.4 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
namespace PhpQml\Bridge;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Http\Authenticator\AbstractAuthenticator;
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
/**
* Validates the per-session bearer token shared between the Qt host
* and the Symfony backend.
*
* In dev mode the token is read from `.env.local`; in bundled mode the
* Qt host generates it per session and passes it to FrankenPHP via env.
* See PLAN.md §3 (*Run modes*, *Edge cases — Per-session secret rotation*).
*/
final class SessionAuthenticator extends AbstractAuthenticator implements AuthenticationEntryPointInterface
{
public function __construct(
#[\SensitiveParameter]
private readonly string $expectedToken,
) {
}
public function supports(Request $request): bool
{
return $request->headers->has('Authorization');
}
public function authenticate(Request $request): Passport
{
$header = (string) $request->headers->get('Authorization', '');
if (!str_starts_with($header, 'Bearer ')) {
throw new AuthenticationException('Bearer token missing.');
}
$token = substr($header, 7);
if ('' === $this->expectedToken || !hash_equals($this->expectedToken, $token)) {
throw new AuthenticationException('Bearer token invalid.');
}
// Single-session model — there is one bridge "user", not per-end-user auth.
return new SelfValidatingPassport(new UserBadge('bridge'));
}
public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response
{
return null;
}
public function onAuthenticationFailure(Request $request, AuthenticationException $exception): Response
{
return $this->problemJson($exception->getMessage());
}
/**
* Entry point invoked when access is denied without a triggered authenticator
* (e.g. an anonymous request to a protected route). Without this, Symfony
* returns its default `WWW-Authenticate: Form` 302/401, which clients
* speaking JSON would never expect — same shape as onAuthenticationFailure
* keeps QML's RestClient error mapping consistent across both paths.
*/
public function start(Request $request, ?AuthenticationException $authException = null): Response
{
return $this->problemJson($authException?->getMessage() ?? 'Bearer token required.');
}
private function problemJson(string $detail): JsonResponse
{
return new JsonResponse(
[
'type' => 'about:blank',
'title' => 'Unauthorized',
'status' => Response::HTTP_UNAUTHORIZED,
'detail' => $detail,
],
Response::HTTP_UNAUTHORIZED,
['Content-Type' => 'application/problem+json'],
);
}
}
Reference in New Issue View Git Blame Copy Permalink