From 09e3464426d00c76f10d8eb0fd301a297a87b7e2 Mon Sep 17 00:00:00 2001 From: Alejandro Celaya Date: Sat, 11 Jan 2020 20:36:17 +0100 Subject: [PATCH 1/6] Ensured CrossDomainMiddleware always returns empty responses with success status on OPTIONS requests --- composer.json | 2 +- .../src/Middleware/CrossDomainMiddleware.php | 9 ++-- .../Middleware/CrossDomainMiddlewareTest.php | 46 +++++++++++++++++-- phpstan.neon | 2 + 4 files changed, 50 insertions(+), 9 deletions(-) diff --git a/composer.json b/composer.json index a21489ac..fb786eec 100644 --- a/composer.json +++ b/composer.json @@ -97,7 +97,7 @@ ], "cs": "phpcs", "cs:fix": "phpcbf", - "stan": "phpstan analyse module/*/src/ module/*/config config docker/config --level=5 -c phpstan.neon", + "stan": "phpstan analyse module/*/src/ module/*/config config docker/config --level=6", "test": [ "@test:unit", "@test:db", diff --git a/module/Rest/src/Middleware/CrossDomainMiddleware.php b/module/Rest/src/Middleware/CrossDomainMiddleware.php index 23cd9ebe..f60c0ad1 100644 --- a/module/Rest/src/Middleware/CrossDomainMiddleware.php +++ b/module/Rest/src/Middleware/CrossDomainMiddleware.php @@ -5,6 +5,7 @@ declare(strict_types=1); namespace Shlinkio\Shlink\Rest\Middleware; use Fig\Http\Message\RequestMethodInterface; +use Laminas\Diactoros\Response\EmptyResponse; use Mezzio\Router\RouteResult; use Psr\Http\Message\ResponseInterface; use Psr\Http\Message\ServerRequestInterface; @@ -12,6 +13,7 @@ use Psr\Http\Server\MiddlewareInterface; use Psr\Http\Server\RequestHandlerInterface; use Shlinkio\Shlink\Rest\Authentication; +use function array_merge; use function implode; class CrossDomainMiddleware implements MiddlewareInterface, RequestMethodInterface 
@@ -53,10 +55,7 @@ class CrossDomainMiddleware implements MiddlewareInterface, RequestMethodInterfa 'Access-Control-Allow-Headers' => $request->getHeaderLine('Access-Control-Request-Headers'), ]; - foreach ($corsHeaders as $key => $value) { - $response = $response->withHeader($key, $value); - } - - return $response; + // Options requests should always be empty and have a 204 status code + return EmptyResponse::withHeaders(array_merge($response->getHeaders(), $corsHeaders)); } } diff --git a/module/Rest/test/Middleware/CrossDomainMiddlewareTest.php b/module/Rest/test/Middleware/CrossDomainMiddlewareTest.php index 5daa8c3d..5cc99fb3 100644 --- a/module/Rest/test/Middleware/CrossDomainMiddlewareTest.php +++ b/module/Rest/test/Middleware/CrossDomainMiddlewareTest.php @@ -31,14 +31,14 @@ class CrossDomainMiddlewareTest extends TestCase /** @test */ public function nonCrossDomainRequestsAreNotAffected(): void { - $originalResponse = new Response(); + $originalResponse = (new Response())->withStatus(404); $this->handler->handle(Argument::any())->willReturn($originalResponse)->shouldBeCalledOnce(); $response = $this->middleware->process(new ServerRequest(), $this->handler->reveal()); - $this->assertSame($originalResponse, $response); - $headers = $response->getHeaders(); + $this->assertSame($originalResponse, $response); + $this->assertEquals(404, $response->getStatusCode()); $this->assertArrayNotHasKey('Access-Control-Allow-Origin', $headers); $this->assertArrayNotHasKey('Access-Control-Expose-Headers', $headers); $this->assertArrayNotHasKey('Access-Control-Allow-Methods', $headers); @@ -93,6 +93,7 @@ class CrossDomainMiddlewareTest extends TestCase $this->assertArrayHasKey('Access-Control-Allow-Methods', $headers); $this->assertEquals('1000', $response->getHeaderLine('Access-Control-Max-Age')); $this->assertEquals('foo, bar, baz', $response->getHeaderLine('Access-Control-Allow-Headers')); + $this->assertEquals(204, $response->getStatusCode()); } /** 
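Review bot: In the `@@ -53,10 +55,7 @@` hunk of `CrossDomainMiddleware.php`, `array_merge($response->getHeaders(), $corsHeaders)` copies every header of the downstream response onto the 204, so a preflight that reached an error handler can still carry `Content-Type`, `Content-Length` or other headers describing a body that is no longer sent. Dropping the entity headers before the merge keeps the response self-consistent for proxies and caches, e.g. `$base = $response->withoutHeader('Content-Type')->withoutHeader('Content-Length');` followed by `return EmptyResponse::withHeaders(array_merge($base->getHeaders(), $corsHeaders));`. `array_merge` is also case-sensitive while PSR-7 header names are not, so a CORS header the handler already set under a different casing could end up as two entries instead of being replaced. Separately, the unchanged context line echoes `Access-Control-Request-Headers` back as `Access-Control-Allow-Headers`, which allows whatever the caller asks for; a one-line comment stating that this is intentional would help. The method's opening lines are outside the hunk.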
@@ -112,6 +113,7 @@ class CrossDomainMiddlewareTest extends TestCase $response = $this->middleware->process($request, $this->handler->reveal()); $this->assertEquals($response->getHeaderLine('Access-Control-Allow-Methods'), $expectedAllowedMethods); + $this->assertEquals(204, $response->getStatusCode()); } public function provideRouteResults(): iterable @@ -126,4 +128,42 @@ class CrossDomainMiddlewareTest extends TestCase 'DELETE,PATCH,PUT', ]; } + + /** + * @test + * @dataProvider provideMethods + */ + public function expectedStatusCodeIsReturnDependingOnRequestMethod( + string $method, + int $status, + int $expectedStatus + ): void { + $originalResponse = (new Response())->withStatus($status); + $request = (new ServerRequest())->withMethod($method) + ->withHeader('Origin', 'local'); + $this->handler->handle(Argument::any())->willReturn($originalResponse)->shouldBeCalledOnce(); + + $response = $this->middleware->process($request, $this->handler->reveal()); + + $this->assertEquals($expectedStatus, $response->getStatusCode()); + } + + public function provideMethods(): iterable + { + yield 'POST 200' => ['POST', 200, 200]; + yield 'POST 400' => ['POST', 400, 400]; + yield 'POST 500' => ['POST', 500, 500]; + yield 'GET 200' => ['GET', 200, 200]; + yield 'GET 400' => ['GET', 400, 400]; + yield 'GET 500' => ['GET', 500, 500]; + yield 'PATCH 200' => ['PATCH', 200, 200]; + yield 'PATCH 400' => ['PATCH', 400, 400]; + yield 'PATCH 500' => ['PATCH', 500, 500]; + yield 'DELETE 200' => ['DELETE', 200, 200]; + yield 'DELETE 400' => ['DELETE', 400, 400]; + yield 'DELETE 500' => ['DELETE', 500, 500]; + yield 'OPTIONS 200' => ['OPTIONS', 200, 204]; + yield 'OPTIONS 400' => ['OPTIONS', 400, 204]; + yield 'OPTIONS 500' => ['OPTIONS', 500, 204]; + } } diff --git a/phpstan.neon b/phpstan.neon index 2d9d960d..b6c65f7f 100644 --- a/phpstan.neon +++ b/phpstan.neon 
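Review bot: The new `expectedStatusCodeIsReturnDependingOnRequestMethod` test in the `@@ -126,4 +128,42 @@` hunk asserts only the status code, so the "empty response" half of the fix is not pinned. `$originalResponse` is built without a body, so nothing would fail if an `OPTIONS` reply started passing through the body of a 400 or 500. Giving the original response a non-empty body and adding `if ($method === 'OPTIONS') { $this->assertSame('', (string) $response->getBody()); }` would cover it. The `OPTIONS 500 => 204` dataset together with `shouldBeCalledOnce()` also fixes the contract that the handler still runs on a preflight and its failure is then hidden from the client; if that is intended, a short comment on `provideMethods` saying so would make it explicit. The method name reads better as `expectedStatusCodeIsReturnedDependingOnRequestMethod`.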
@@ -1,4 +1,6 @@ parameters: + checkMissingIterableValueType: false + checkGenericClassInNonGenericObjectType: false ignoreErrors: - '#Undefined variable: \$metadata#' - '#AbstractQuery::setParameters()#' From 0a4f3bc0f519ff0ed814f43c07c56eb1ca39267c Mon Sep 17 00:00:00 2001 From: Alejandro Celaya Date: Sat, 11 Jan 2020 20:38:10 +0100 Subject: [PATCH 2/6] Updated changelog --- CHANGELOG.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d28ef51f..c4ccd70e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,29 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com), and this project adheres to [Semantic Versioning](https://semver.org). +## [Unreleased] + +#### Added + +* *Nothing* + +#### Changed + +* *Nothing* + +#### Deprecated + +* *Nothing* + +#### Removed + +* *Nothing* + +#### Fixed + +* [#614](https://github.com/shlinkio/shlink/issues/614) Fixed `OPTIONS` requests including the `Origin` header not always returning an empty body with status 2xx. + + ## 2.0.1 - 2020-01-10 #### Added From 15a72e2a88b000ac4f1edd5cedc7c12d9bfe45cc Mon Sep 17 00:00:00 2001 From: Alejandro Celaya Date: Sun, 12 Jan 2020 10:06:45 +0100 Subject: [PATCH 3/6] Updated local config files which were not fulfilling the project's coding standards --- config/autoload/common.local.php.dist | 1 + config/autoload/router.local.php.dist | 4 ++++ config/autoload/swoole.local.php.dist | 5 +++-- 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/config/autoload/common.local.php.dist b/config/autoload/common.local.php.dist index 9d1276c4..f29c74b0 100644 --- a/config/autoload/common.local.php.dist +++ b/config/autoload/common.local.php.dist @@ -1,4 +1,5 @@ [ +// 'base_path' => '', 'fastroute' => [ FastRouteRouter::CONFIG_CACHE_ENABLED => false, ], 
diff --git a/config/autoload/swoole.local.php.dist b/config/autoload/swoole.local.php.dist index 5e12a5a3..2dda6f24 100644 --- a/config/autoload/swoole.local.php.dist +++ b/config/autoload/swoole.local.php.dist @@ -1,12 +1,13 @@ [ + 'expressive-swoole' => [ 'hot-code-reload' => [ 'enable' => true, ], From c52794aed6b5677a03a55fd85978b00f57d9cde4 Mon Sep 17 00:00:00 2001 From: Alejandro Celaya Date: Sun, 12 Jan 2020 10:26:59 +0100 Subject: [PATCH 4/6] Replaced standard http_build_query by guzzle's build_query, which keeps params with no value --- module/Core/src/Action/AbstractTrackingAction.php | 10 ++-------- module/Core/test/Action/RedirectActionTest.php | 1 + 2 files changed, 3 insertions(+), 8 deletions(-) diff --git a/module/Core/src/Action/AbstractTrackingAction.php b/module/Core/src/Action/AbstractTrackingAction.php index 384b7a3e..8cac42fc 100644 --- a/module/Core/src/Action/AbstractTrackingAction.php +++ b/module/Core/src/Action/AbstractTrackingAction.php @@ -20,8 +20,8 @@ use Shlinkio\Shlink\Core\Service\VisitsTrackerInterface; use function array_key_exists; use function array_merge; +use function GuzzleHttp\Psr7\build_query; use function GuzzleHttp\Psr7\parse_query; -use function http_build_query; abstract class AbstractTrackingAction implements MiddlewareInterface { @@ -42,12 +42,6 @@ abstract class AbstractTrackingAction implements MiddlewareInterface $this->logger = $logger ?: new NullLogger(); } - /** - * Process an incoming server request and return a response, optionally delegating - * to the next middleware component to create the response. - * - * - */ public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface { $shortCode = $request->getAttribute('shortCode', ''); 
@@ -79,7 +73,7 @@ abstract class AbstractTrackingAction implements MiddlewareInterface } $mergedQuery = array_merge($hardcodedQuery, $currentQuery); - return (string) $uri->withQuery(http_build_query($mergedQuery)); + return (string) $uri->withQuery(build_query($mergedQuery)); } abstract protected function createSuccessResp(string $longUrl): ResponseInterface; diff --git a/module/Core/test/Action/RedirectActionTest.php b/module/Core/test/Action/RedirectActionTest.php index 04705251..b7060a8e 100644 --- a/module/Core/test/Action/RedirectActionTest.php +++ b/module/Core/test/Action/RedirectActionTest.php @@ -64,6 +64,7 @@ class RedirectActionTest extends TestCase { yield ['http://domain.com/foo/bar?some=thing', []]; yield ['http://domain.com/foo/bar?some=thing', ['foobar' => 'notrack']]; + yield ['http://domain.com/foo/bar?some=thing&else', ['else' => null]]; yield ['http://domain.com/foo/bar?some=thing&foo=bar', ['foo' => 'bar']]; yield ['http://domain.com/foo/bar?some=overwritten&foo=bar', ['foo' => 'bar', 'some' => 'overwritten']]; yield ['http://domain.com/foo/bar?some=overwritten', ['foobar' => 'notrack', 'some' => 'overwritten']]; From fc95986f0ee5c8e5871adda730a079af064e9738 Mon Sep 17 00:00:00 2001 From: Alejandro Celaya Date: Sun, 12 Jan 2020 10:30:14 +0100 Subject: [PATCH 5/6] Updated changelog for v2.0.2 --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c4ccd70e..e9a1c86a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,7 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com), and this project adheres to [Semantic Versioning](https://semver.org). -## [Unreleased] +## 2.0.2 - 2020-01-12 #### Added 
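Review bot: In the `@@ -79,7 +73,7 @@` hunk of `AbstractTrackingAction.php`, `build_query($mergedQuery)` only understands a flat map whose values are scalars, `null` or a list of scalars, whereas `http_build_query` also serialised nested arrays. `$currentQuery` is defined outside the hunk; if it comes from `getQueryParams()`, a visitor-supplied `?a[b]=1` arrives as a nested array, and the redirect would then lose the `b` key or fail inside the encoder instead of forwarding the parameter. Feeding the incoming query through `parse_query()` as well (the function this file already imports, presumably for the hardcoded part) keeps both sides flat. The `RedirectActionTest` provider should gain a dataset with a bracketed parameter, e.g. `['a' => ['b' => '1']]`, to pin whichever behaviour is chosen. The method's signature and the start of its body are outside the hunk.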
@@ -25,6 +25,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com), and this #### Fixed * [#614](https://github.com/shlinkio/shlink/issues/614) Fixed `OPTIONS` requests including the `Origin` header not always returning an empty body with status 2xx. +* [#615](https://github.com/shlinkio/shlink/issues/615) Fixed query args with no value being lost from the long URL when users are redirected. ## 2.0.1 - 2020-01-10 From af1dd78b2c47eb76c2b9d6e73190ffd1c161b47d Mon Sep 17 00:00:00 2001 From: Alejandro Celaya Date: Sun, 12 Jan 2020 10:32:03 +0100 Subject: [PATCH 6/6] Fixed typo --- config/autoload/swoole.local.php.dist | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/autoload/swoole.local.php.dist b/config/autoload/swoole.local.php.dist index 2dda6f24..0c485690 100644 --- a/config/autoload/swoole.local.php.dist +++ b/config/autoload/swoole.local.php.dist @@ -7,7 +7,7 @@ use Mezzio\Swoole\HotCodeReload\FileWatcher\InotifyFileWatcher; return [ - 'expressive-swoole' => [ + 'mezzio-swoole' => [ 'hot-code-reload' => [ 'enable' => true, ],