refactor: move forceSecureAccess() to ForceHTTPS filter

codeigniter4 · Nov 5, 2023 · debc476 · debc476
1 parent e193afe
commit debc476
Show file tree

Hide file tree

Showing 5 changed files with 72 additions and 18 deletions.
diff --git a/app/Config/App.php b/app/Config/App.php
@@ -130,7 +130,7 @@ class App extends BaseConfig
      * If true, this will force every request made to this application to be
      * made via a secure connection (HTTPS). If the incoming request is not
      * secure, the user will be redirected to a secure version of the page
-     * and the HTTP Strict Transport Security header will be set.
+     * and the HTTP Strict Transport Security (HSTS) header will be set.
      */
     public bool $forceGlobalSecureRequests = false;
 

diff --git a/app/Config/Filters.php b/app/Config/Filters.php
@@ -5,6 +5,7 @@
 use CodeIgniter\Config\BaseConfig;
 use CodeIgniter\Filters\CSRF;
 use CodeIgniter\Filters\DebugToolbar;
+use CodeIgniter\Filters\ForceHTTPS;
 use CodeIgniter\Filters\Honeypot;
 use CodeIgniter\Filters\InvalidChars;
 use CodeIgniter\Filters\PageCache;
@@ -26,6 +27,7 @@ class Filters extends BaseConfig
         'honeypot'      => Honeypot::class,
         'invalidchars'  => InvalidChars::class,
         'secureheaders' => SecureHeaders::class,
+        'forcehttps'    => ForceHTTPS::class,
         'pagecache'     => PageCache::class,
         'performance'   => PerformanceMetrics::class,
     ];
@@ -40,6 +42,7 @@ class Filters extends BaseConfig
      */
     public array $required = [
         'before' => [
+            'forcehttps',
             'pagecache',
         ],
         'after' => [

diff --git a/system/CodeIgniter.php b/system/CodeIgniter.php
@@ -339,20 +339,6 @@ public function run(?RouteCollectionInterface $routes = null, bool $returnRespon
         $this->getRequestObject();
         $this->getResponseObject();
 
-        try {
-            $this->forceSecureAccess();
-        } catch (RedirectException $e) {
-            $this->response = $e->getResponse();
-
-            if ($returnResponse) {
-                return $this->response;
-            }
-
-            $this->sendResponse();
-
-            return;
-        }
-
         Events::trigger('pre_system');
 
         $this->benchmark->stop('bootstrap');
@@ -699,6 +685,8 @@ protected function getResponseObject()
      *                      should be enforced for this URL.
      *
      * @return void
+     *
+     * @deprecated 4.5.0 No longer used. Moved to ForceHTTPS filter.
      */
     protected function forceSecureAccess($duration = 31_536_000)
     {

diff --git a/system/Filters/ForceHTTPS.php b/system/Filters/ForceHTTPS.php
@@ -0,0 +1,63 @@
+<?php
+
+/**
+ * This file is part of CodeIgniter 4 framework.
+ *
+ * (c) CodeIgniter Foundation <admin@codeigniter.com>
+ *
+ * For the full copyright and license information, please view
+ * the LICENSE file that was distributed with this source code.
+ */
+
+namespace CodeIgniter\Filters;
+
+use CodeIgniter\HTTP\Exceptions\RedirectException;
+use CodeIgniter\HTTP\RequestInterface;
+use CodeIgniter\HTTP\ResponseInterface;
+use Config\App;
+use Config\Services;
+
+/**
+ * Force HTTPS filter
+ */
+class ForceHTTPS implements FilterInterface
+{
+    /**
+     * Force Secure Site Access? If the config value 'forceGlobalSecureRequests'
+     * is true, will enforce that all requests to this site are made through
+     * HTTPS. Will redirect the user to the current page with HTTPS, as well
+     * as set the HTTP Strict Transport Security (HSTS) header for those browsers
+     * that support it.
+     *
+     * @param array|null $arguments
+     *
+     * @return ResponseInterface|void
+     */
+    public function before(RequestInterface $request, $arguments = null)
+    {
+        $config = config(App::class);
+
+        if ($config->forceGlobalSecureRequests !== true) {
+            return;
+        }
+
+        $response = Services::response();
+
+        try {
+            force_https(YEAR, $request, $response);
+        } catch (RedirectException $e) {
+            return $e->getResponse();
+        }
+    }
+
+    /**
+     * We don't have anything to do here.
+     *
+     * @param array|null $arguments
+     *
+     * @return void
+     */
+    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
+    {
+    }
+}
diff --git a/tests/system/CodeIgniterTest.php b/tests/system/CodeIgniterTest.php
@@ -439,10 +439,10 @@ public function testRunForceSecure(): void
         $_SERVER['argv'] = ['index.php', '/'];
         $_SERVER['argc'] = 2;
 
-        $config = new App();
-
-        $config->forceGlobalSecureRequests = true;
+        $filterConfig                       = config(FiltersConfig::class);
+        $filterConfig->required['before'][] = 'forcehttps';
 
+        $config      = new App();
         $codeigniter = new MockCodeIgniter($config);
         $codeigniter->setContext('web');