feat(#117): #[RequiresAuth] checks SecurityContext::isAuthenticated() directly

WebFiori/Http/WebService.php

@@ -328,8 +328,8 @@ public function checkMethodAuthorization(): bool {
 
         // Check RequiresAuth
         if ($hasRequiresAuth) {
-            // First call isAuthorized()
-            if (!$this->isAuthorized()) {
+            // Check SecurityContext directly instead of isAuthorized()
+            if (!SecurityContext::isAuthenticated()) {
                 return false;
             }
 
@@ -355,6 +355,11 @@ public function checkMethodAuthorization(): bool {
             return SecurityContext::evaluateExpression($preAuth->expression);
         }
 
+        // If class has #[RequiresAuth], check SecurityContext
+        if ($this->hasClassLevelRequiresAuth()) {
+            return SecurityContext::isAuthenticated();
+        }
+
         return $this->isAuthorized();
     }
 
@@ -689,6 +694,16 @@ public function isAuthorized() : string|bool {
     public function isAuthRequired() : bool {
         return $this->requireAuth;
     }
+    /**
+     * Checks if the class has a #[RequiresAuth] attribute.
+     * 
+     * @return bool True if the class-level RequiresAuth annotation is present.
+     */
+    public function hasClassLevelRequiresAuth() : bool {
+        $reflection = new \ReflectionClass($this);
+
+        return !empty($reflection->getAttributes(Annotations\RequiresAuth::class));
+    }
 
     /**
      * Validates the name of a web service or request parameter.

WebFiori/Http/WebServicesManager.php

@@ -1123,13 +1123,18 @@
 
         return $retVal;
     }
     private function isAuth(WebService $service) {
         if ($service->isAuthRequired()) {
             // Check if method has authorization annotations
             if ($service->hasMethodAuthorizationAnnotations()) {
                 return $service->checkMethodAuthorization();
             }
 
+            // If class-level #[RequiresAuth] is present, check SecurityContext
+            if ($service->hasClassLevelRequiresAuth()) {
+                return SecurityContext::isAuthenticated();
+            }
+
             // Fall back to legacy HTTP-method-specific authorization
             $isAuthCheck = 'isAuthorized'.$this->getRequest()->getMethod();
 

tests/WebFiori/Tests/Http/RequiresAuthSecurityContextTest.php

@@ -0,0 +1,161 @@
+<?php
+namespace WebFiori\Tests\Http;
+
+use WebFiori\Http\APITestCase;
+use WebFiori\Http\SecurityContext;
+use WebFiori\Tests\Http\TestUser;
+use WebFiori\Http\WebServicesManager;
+use WebFiori\Tests\Http\TestServices\ClassRequiresAuthService;
+use WebFiori\Tests\Http\TestServices\MethodRequiresAuthService;
+
+/**
+ * Tests for #[RequiresAuth] checking SecurityContext::isAuthenticated() directly.
+ * 
+ * @see https://github.com/WebFiori/http/issues/117
+ */
+class RequiresAuthSecurityContextTest extends APITestCase {
+
+    // =========================================================================
+    // Method-level #[RequiresAuth]
+    // =========================================================================
+
+    public function testMethodRequiresAuthWithUser() {
+        $user = new TestUser(1, ['USER'], [], true);
+
+        $manager = new WebServicesManager();
+        $manager->addService(new MethodRequiresAuthService());
+
+        $output = $this->getRequest($manager, 'method-requires-auth', [], [], $user);
+        $response = json_decode($output, true);
+
+        $this->assertIsArray($response);
+        $this->assertEquals('method-level-protected', $response['secret']);
+    }
+
+    public function testMethodRequiresAuthWithoutUser() {
+        SecurityContext::setCurrentUser(null);
+
+        $manager = new WebServicesManager();
+        $manager->addService(new MethodRequiresAuthService());
+
+        $output = $this->getRequest($manager, 'method-requires-auth');
+        $response = json_decode($output, true);
+
+        $this->assertIsArray($response);
+        $this->assertEquals('error', $response['type']);
+        $this->assertEquals(401, $response['http-code']);
+    }
+
+    public function testMethodRequiresAuthIgnoresIsAuthorized() {
+        $user = new TestUser(2, ['ADMIN'], [], true);
+
+        $manager = new WebServicesManager();
+        $manager->addService(new MethodRequiresAuthService());
+
+        $output = $this->getRequest($manager, 'method-requires-auth', [], [], $user);
+        $response = json_decode($output, true);
+
+        $this->assertIsArray($response);
+        $this->assertEquals('method-level-protected', $response['secret']);
+    }
+
+    // =========================================================================
+    // Class-level #[RequiresAuth]
+    // =========================================================================
+
+    public function testClassRequiresAuthWithUser() {
+        $user = new TestUser(3, ['USER'], [], true);
+
+        $manager = new WebServicesManager();
+        $manager->addService(new ClassRequiresAuthService());
+
+        $output = $this->getRequest($manager, 'class-requires-auth', [], [], $user);
+        $response = json_decode($output, true);
+
+        $this->assertIsArray($response);
+        $this->assertEquals('class-level-protected', $response['secret']);
+    }
+
+    public function testClassRequiresAuthWithoutUser() {
+        SecurityContext::setCurrentUser(null);
+
+        $manager = new WebServicesManager();
+        $manager->addService(new ClassRequiresAuthService());
+
+        $output = $this->getRequest($manager, 'class-requires-auth');
+        $response = json_decode($output, true);
+
+        $this->assertIsArray($response);
+        $this->assertEquals('error', $response['type']);
+        $this->assertEquals(401, $response['http-code']);
+    }
+
+    public function testClassRequiresAuthMethodAllowAnonymous() {
+        // Class has #[RequiresAuth] but method has #[AllowAnonymous]
+        SecurityContext::setCurrentUser(null);
+
+        $manager = new WebServicesManager();
+        $manager->addService(new ClassRequiresAuthService());
+
+        $output = $this->postRequest($manager, 'class-requires-auth');
+        $response = json_decode($output, true);
+
+        $this->assertIsArray($response);
+        $this->assertEquals(true, $response['public']);
+    }
+
+    // =========================================================================
+    // No attributes — traditional fallback
+    // =========================================================================
+
+    public function testNoAttributesFallsBackToIsAuthorized() {
+        $service = new class extends \WebFiori\Http\WebService {
+            public function __construct() {
+                parent::__construct('no-attr-deny');
+                $this->addRequestMethod('GET');
+                $this->setIsAuthRequired(true);
+            }
+            public function isAuthorized(): bool {
+                return false;
+            }
+            public function processRequest() {
+                $this->sendResponse('should not reach', 200, 'success');
+            }
+        };
+
+        $manager = new WebServicesManager();
+        $manager->addService($service);
+
+        $output = $this->getRequest($manager, 'no-attr-deny');
+        $response = json_decode($output, true);
+
+        $this->assertIsArray($response);
+        $this->assertEquals('error', $response['type']);
+        $this->assertEquals(401, $response['http-code']);
+    }
+
+    public function testNoAttributesIsAuthorizedTrue() {
+        $service = new class extends \WebFiori\Http\WebService {
+            public function __construct() {
+                parent::__construct('no-attr-allow');
+                $this->addRequestMethod('GET');
+                $this->setIsAuthRequired(true);
+            }
+            public function isAuthorized(): bool {
+                return true;
+            }
+            public function processRequest() {
+                $this->sendResponse('allowed', 200, 'success');
+            }
+        };
+
+        $manager = new WebServicesManager();
+        $manager->addService($service);
+
+        $output = $this->getRequest($manager, 'no-attr-allow');
+        $response = json_decode($output, true);
+
+        $this->assertIsArray($response);
+        $this->assertEquals('success', $response['type']);
+    }
+}

tests/WebFiori/Tests/Http/TestServices/ClassRequiresAuthService.php

@@ -0,0 +1,44 @@
+<?php
+namespace WebFiori\Tests\Http\TestServices;
+
+use WebFiori\Http\Annotations\AllowAnonymous;
+use WebFiori\Http\Annotations\GetMapping;
+use WebFiori\Http\Annotations\PostMapping;
+use WebFiori\Http\Annotations\RequiresAuth;
+use WebFiori\Http\Annotations\ResponseBody;
+use WebFiori\Http\Annotations\RestController;
+use WebFiori\Http\WebService;
+use WebFiori\Json\Json;
+
+/**
+ * Service with class-level #[RequiresAuth].
+ * isAuthorized() intentionally returns false to prove SecurityContext is used instead.
+ */
+#[RestController('class-requires-auth')]
+#[RequiresAuth]
+class ClassRequiresAuthService extends WebService {
+
+    #[GetMapping]
+    #[ResponseBody]
+    public function getProtectedData(): Json {
+        $json = new Json();
+        $json->add('secret', 'class-level-protected');
+        return $json;
+    }
+
+    #[PostMapping]
+    #[ResponseBody]
+    #[AllowAnonymous]
+    public function publicEndpoint(): Json {
+        $json = new Json();
+        $json->add('public', true);
+        return $json;
+    }
+
+    public function isAuthorized(): bool {
+        return false; // Should NOT matter when #[RequiresAuth] is on class
+    }
+
+    public function processRequest() {
+    }
+}

tests/WebFiori/Tests/Http/TestServices/MethodRequiresAuthService.php

@@ -0,0 +1,33 @@
+<?php
+namespace WebFiori\Tests\Http\TestServices;
+
+use WebFiori\Http\Annotations\GetMapping;
+use WebFiori\Http\Annotations\RequiresAuth;
+use WebFiori\Http\Annotations\ResponseBody;
+use WebFiori\Http\Annotations\RestController;
+use WebFiori\Http\WebService;
+use WebFiori\Json\Json;
+
+/**
+ * Service with method-level #[RequiresAuth] only.
+ * isAuthorized() returns false to prove it's not called.
+ */
+#[RestController('method-requires-auth')]
+class MethodRequiresAuthService extends WebService {
+
+    #[GetMapping]
+    #[ResponseBody]
+    #[RequiresAuth]
+    public function getSecretData(): Json {
+        $json = new Json();
+        $json->add('secret', 'method-level-protected');
+        return $json;
+    }
+
+    public function isAuthorized(): bool {
+        return false; // Should NOT matter when #[RequiresAuth] is on method
+    }
+
+    public function processRequest() {
+    }
+}