Skip to content

feat(router): add signature validation middleware and route attribute #1946

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
Tresor-Kasenda wants to merge 6 commits into from
Closed

feat(router): add signature validation middleware and route attribute #1946

Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
450b2e7
fix(core): fix class guards not using the autoloader (#1808)
brendt Dec 12, 2025
7afcdb3
chore: release v2.14.0
brendt Dec 12, 2025
16655b4
chore: post-release clean up
brendt Dec 12, 2025
852f619
feat(router): add #[ValidSignature] attribute for automatic signed UR…
Tresor-Kasenda Feb 6, 2026
97bc7df
Merge branch '3.x' into feature/valid-signature-middleware
Tresor-Kasenda Feb 6, 2026
1c8d0ed
refactor(router): update ValidSignatureMiddleware to use #[SkipDiscov…
Tresor-Kasenda Feb 6, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 44 additions & 0 deletions packages/router/src/ValidSignature.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
<?php

declare(strict_types=1);

namespace Tempest\Router;

use Attribute;

/**
* Validates that the request has a valid signature.
*
* This attribute should be used on routes that require a signed URL.
* If the signature is invalid or missing, a 403 Forbidden response is returned.
* If the signature has expired (for temporary signed URLs), a 403 Forbidden response is also returned.
*
* Usage:
* ```php
* #[Get('/verify-email')]
* #[ValidSignature]
* public function verifyEmail(string $token): Response
* {
* // This code only executes if the signature is valid
* }
* ```
*
* @see UriGenerator::createSignedUri()
* @see UriGenerator::createTemporarySignedUri()
*/
#[Attribute(Attribute::TARGET_METHOD | Attribute::TARGET_CLASS)]
final class ValidSignature implements RouteDecorator
{
public function decorate(Route $route): Route
{
// ValidSignatureMiddleware intentionally doesn't implement HttpMiddleware to prevent
// auto-discovery as a global middleware. It follows the same callable signature
// and is invoked via HandleRouteSpecificMiddleware.
$route->middleware = [
...$route->middleware,
ValidSignatureMiddleware::class,
];

return $route;
}
}
40 changes: 40 additions & 0 deletions packages/router/src/ValidSignatureMiddleware.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
<?php

declare(strict_types=1);

namespace Tempest\Router;

use Tempest\Container\Container;
use Tempest\Http\Request;
use Tempest\Http\Response;
use Tempest\Http\Responses\Forbidden;

/**
* Middleware that validates the signature of a signed URL.
*
* Returns 403 Forbidden if:
* - The signature is missing
* - The signature is invalid (tampered URL)
* - The signature has expired (for temporary signed URLs)
*
* Note: This class intentionally does NOT implement HttpMiddleware to prevent
Comment thread
Tresor-Kasenda marked this conversation as resolved.
Outdated
* it from being auto-discovered as a global middleware. It should only run
* on routes that have the #[ValidSignature] attribute, via HandleRouteSpecificMiddleware.
*/
final readonly class ValidSignatureMiddleware
{
public function __construct(
private Container $container,
Comment thread
Tresor-Kasenda marked this conversation as resolved.
Outdated
) {}

public function __invoke(Request $request, HttpMiddlewareCallable $next): Response
{
$uriGenerator = $this->container->get(UriGenerator::class);

if (! $uriGenerator->hasValidSignature($request)) {
return new Forbidden();
}

return $next($request);
}
}
26 changes: 26 additions & 0 deletions tests/Integration/Route/Fixtures/SignedUrlController.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
<?php

declare(strict_types=1);

namespace Tests\Tempest\Integration\Route\Fixtures;

use Tempest\Http\Response;
use Tempest\Http\Responses\Ok;
use Tempest\Router\Get;
use Tempest\Router\ValidSignature;

final readonly class SignedUrlController
{
#[Get('/signed-action/{token}')]
#[ValidSignature]
public function signedAction(string $token): Response
{
return new Ok(['token' => $token, 'message' => 'Signature valid']);
}

#[Get('/unsigned-action/{token}')]
public function unsignedAction(string $token): Response
{
return new Ok(['token' => $token]);
}
}
154 changes: 154 additions & 0 deletions tests/Integration/Route/ValidSignatureMiddlewareTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,154 @@
<?php

declare(strict_types=1);

namespace Tests\Tempest\Integration\Route;

use PHPUnit\Framework\Attributes\Test;
use Tempest\DateTime\Duration;
use Tempest\Http\Status;
use Tempest\Router\UriGenerator;
use Tests\Tempest\Integration\FrameworkIntegrationTestCase;
use Tests\Tempest\Integration\Route\Fixtures\SignedUrlController;

final class ValidSignatureMiddlewareTest extends FrameworkIntegrationTestCase
{
private UriGenerator $generator {
get => $this->container->get(UriGenerator::class);
}

protected function setUp(): void
{
parent::setUp();

$this->registerRoute([SignedUrlController::class, 'signedAction']);

Check failure on line 24 in tests/Integration/Route/ValidSignatureMiddlewareTest.php

View workflow job for this annotation

GitHub Actions / Run static analysis: PHPStan 

Call to an undefined method Tests\Tempest\Integration\Route\ValidSignatureMiddlewareTest::registerRoute().
$this->registerRoute([SignedUrlController::class, 'unsignedAction']);

Check failure on line 25 in tests/Integration/Route/ValidSignatureMiddlewareTest.php

View workflow job for this annotation

GitHub Actions / Run static analysis: PHPStan 

Call to an undefined method Tests\Tempest\Integration\Route\ValidSignatureMiddlewareTest::registerRoute().
}
Comment on lines +20 to +26
Copy link

Copilot AI Feb 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The ValidSignature attribute supports both TARGET_METHOD and TARGET_CLASS (as indicated by line 29 in ValidSignature.php), but there are no tests verifying that the attribute works correctly when applied at the class level. Consider adding a test where ValidSignature is applied to the entire controller class to ensure all routes in that class require signed URLs. You can follow the pattern used in PrefixController (tests/Fixtures/Controllers/PrefixController.php) which tests class-level decorator application.

Copilot uses AI. Check for mistakes.

#[Test]
public function valid_signature_allows_request(): void
{
$uri = $this->generator->createSignedUri(
action: [SignedUrlController::class, 'signedAction'],
token: 'abc123',
);

$response = $this->http->get($uri);

$this->assertSame(Status::OK, $response->status);
$body = is_array($response->body) ? $response->body : json_decode($response->body, true);
$this->assertSame('abc123', $body['token']);
$this->assertSame('Signature valid', $body['message']);
}

#[Test]
public function missing_signature_returns_forbidden(): void
{
$response = $this->http->get('/signed-action/abc123');

$this->assertSame(Status::FORBIDDEN, $response->status);
}

#[Test]
public function invalid_signature_returns_forbidden(): void
{
$uri = $this->generator->createSignedUri(
action: [SignedUrlController::class, 'signedAction'],
token: 'abc123',
);

// Tamper with the signature
$tamperedUri = str_replace('signature=', 'signature=tampered', $uri);

$response = $this->http->get($tamperedUri);

$this->assertSame(Status::FORBIDDEN, $response->status);
}

#[Test]
public function tampered_parameter_returns_forbidden(): void
{
$uri = $this->generator->createSignedUri(
action: [SignedUrlController::class, 'signedAction'],
token: 'abc123',
);

// Tamper with the token parameter
$tamperedUri = str_replace('abc123', 'tampered', $uri);

$response = $this->http->get($tamperedUri);

$this->assertSame(Status::FORBIDDEN, $response->status);
}

#[Test]
public function expired_signature_returns_forbidden(): void
{
$clock = $this->clock();

$uri = $this->generator->createTemporarySignedUri(
action: [SignedUrlController::class, 'signedAction'],
duration: Duration::minutes(10),
token: 'abc123',
);

// Advance time past expiration
$clock->plus(Duration::minutes(15));

$response = $this->http->get($uri);

$this->assertSame(Status::FORBIDDEN, $response->status);
}

#[Test]
public function temporary_signature_valid_before_expiration(): void
{
$clock = $this->clock();

$uri = $this->generator->createTemporarySignedUri(
action: [SignedUrlController::class, 'signedAction'],
duration: Duration::minutes(10),
token: 'abc123',
);

// Advance time but stay within expiration
$clock->plus(Duration::minutes(5));

$response = $this->http->get($uri);

$this->assertSame(Status::OK, $response->status);
}

#[Test]
public function unsigned_route_works_without_signature(): void
{
// Routes without #[ValidSignature] should work normally
$response = $this->http->get('/unsigned-action/abc123');

$this->assertSame(Status::OK, $response->status);
}

#[Test]
public function tampered_expiration_returns_forbidden(): void
{
$clock = $this->clock();

$uri = $this->generator->createTemporarySignedUri(
action: [SignedUrlController::class, 'signedAction'],
duration: Duration::minutes(10),
token: 'abc123',
);

// Get the current timestamp and extend it in the URL
$timestamp = $clock->now()->plusMinutes(10)->getTimestamp()->getSeconds();
$tamperedUri = str_replace(
'expires_at=' . $timestamp,
'expires_at=' . ($timestamp + 3600),
$uri
);

$response = $this->http->get($tamperedUri);

$this->assertSame(Status::FORBIDDEN, $response->status);
}
}
Loading