Signed queries don't break the request for other middlewares

PowerKiKi · PowerKiKi · commit e75200b1ab10 · 2023-11-11T21:28:24.000+09:00
`$request-&gt;getBody()-&gt;getContents()` consumes the body without rewinding.
Repeated calls, by other middlewares, will return empty string. So
other middlewares will think the whole request is empty, and GraphQL
will throw.

To avoid this, we should rewind the stream. However, not all streams are
rewindable and would throw exceptions. To avoid that, we return a new
request identical to original with a brand-new stream for body.
diff --git a/src/Middleware/SignedQueryMiddleware.php b/src/Middleware/SignedQueryMiddleware.php
@@ -7,6 +7,7 @@
 use Cake\Chronos\Chronos;
 use Ecodev\Felix\Validator\IPRange;
 use Exception;
+use Laminas\Diactoros\CallbackStream;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
 use Psr\Http\Server\MiddlewareInterface;
@@ -44,18 +45,18 @@ public function __construct(
     public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
     {
         if ($this->required) {
-            $this->verify($request);
+            $request = $this->verify($request);
         }
 
         return $handler->handle($request);
     }
 
-    private function verify(ServerRequestInterface $request): void
+    private function verify(ServerRequestInterface $request): ServerRequestInterface
     {
         $signature = $request->getHeader('X-Signature')[0] ?? '';
         if (!$signature) {
             if ($this->isAllowedIp($request)) {
-                return;
+                return $request;
             }
 
             throw new Exception('Missing `X-Signature` HTTP header in signed query', 403);
@@ -66,10 +67,11 @@ private function verify(ServerRequestInterface $request): void
             $hash = $m['hash'];
 
             $this->verifyTimestamp($timestamp);
-            $this->verifyHash($request, $timestamp, $hash);
-        } else {
-            throw new Exception('Invalid `X-Signature` HTTP header in signed query', 403);
+
+            return $this->verifyHash($request, $timestamp, $hash);
         }
+
+        throw new Exception('Invalid `X-Signature` HTTP header in signed query', 403);
     }
 
     private function verifyTimestamp(string $timestamp): void
@@ -83,33 +85,45 @@ private function verifyTimestamp(string $timestamp): void
         }
     }
 
-    private function verifyHash(ServerRequestInterface $request, string $timestamp, string $hash): void
+    private function verifyHash(ServerRequestInterface $request, string $timestamp, string $hash): ServerRequestInterface
     {
-        $operations = $this->getOperations($request);
+        ['request' => $request, 'operations' => $operations] = $this->getOperations($request);
         $payload = $timestamp . $operations;
 
         foreach ($this->keys as $key) {
             $computedHash = hash_hmac('sha256', $payload, $key);
             if ($hash === $computedHash) {
-                return;
+                return $request;
             }
         }
 
         throw new Exception('Invalid signed query', 403);
     }
 
-    private function getOperations(ServerRequestInterface $request): mixed
+    /**
+     * @return array{request: ServerRequestInterface, operations: string}
+     */
+    private function getOperations(ServerRequestInterface $request): array
     {
         $contents = $request->getBody()->getContents();
+
         if ($contents) {
-            return $contents;
+            return [
+                // Pseudo-rewind the request, even if non-rewindable, so the next
+                // middleware still accesses the stream from the beginning
+                'request' => $request->withBody(new CallbackStream(fn () => $contents)),
+                'operations' => $contents,
+            ];
         }
 
         $parsedBody = $request->getParsedBody();
         if (is_array($parsedBody)) {
             $operations = $parsedBody['operations'] ?? null;
             if ($operations) {
-                return $operations;
+                return [
+                    'request' => $request,
+                    'operations' => $operations,
+                ];
             }
         }
 
diff --git a/tests/Middleware/SignedQueryMiddlewareTest.php b/tests/Middleware/SignedQueryMiddlewareTest.php
@@ -10,6 +10,7 @@
 use Laminas\Diactoros\Response;
 use Laminas\Diactoros\ServerRequest;
 use PHPUnit\Framework\TestCase;
+use Psr\Http\Message\ServerRequestInterface;
 use Psr\Http\Server\RequestHandlerInterface;
 
 class SignedQueryMiddlewareTest extends TestCase
@@ -59,7 +60,11 @@ private function process(array $keys, bool $required, string $ip, string $body,
         $handler = $this->createMock(RequestHandlerInterface::class);
         $handler->expects($expectExceptionMessage ? self::never() : self::once())
             ->method('handle')
-            ->willReturn(new Response());
+            ->willReturnCallback(function (ServerRequestInterface $incomingRequest) use ($body) {
+                self::assertSame($body, $incomingRequest->getBody()->getContents(), 'the original body content is still available for next middlewares');
+
+                return new Response();
+            });
 
         $middleware = new SignedQueryMiddleware($keys, ['1.2.3.4', '2a01:198:603:0::/65'], $required);
 

Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,7 @@`
`7`	`7`	`use Cake\Chronos\Chronos;`
`8`	`8`	`use Ecodev\Felix\Validator\IPRange;`
`9`	`9`	`use Exception;`
	`10`	`+use Laminas\Diactoros\CallbackStream;`
`10`	`11`	`use Psr\Http\Message\ResponseInterface;`
`11`	`12`	`use Psr\Http\Message\ServerRequestInterface;`
`12`	`13`	`use Psr\Http\Server\MiddlewareInterface;`
`@@ -44,18 +45,18 @@ public function __construct(`
`44`	`45`	`public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface`
`45`	`46`	`{`
`46`	`47`	`if ($this->required) {`
`47`		`- $this->verify($request);`
	`48`	`+ $request = $this->verify($request);`
`48`	`49`	`}`
`49`	`50`
`50`	`51`	`return $handler->handle($request);`
`51`	`52`	`}`
`52`	`53`
`53`		`- private function verify(ServerRequestInterface $request): void`
	`54`	`+ private function verify(ServerRequestInterface $request): ServerRequestInterface`
`54`	`55`	`{`
`55`	`56`	`$signature = $request->getHeader('X-Signature')[0] ?? '';`
`56`	`57`	`if (!$signature) {`
`57`	`58`	`if ($this->isAllowedIp($request)) {`
`58`		`- return;`
	`59`	`+ return $request;`
`59`	`60`	`}`
`60`	`61`
`61`	`62`	throw new Exception('Missing `X-Signature` HTTP header in signed query', 403);
`@@ -66,10 +67,11 @@ private function verify(ServerRequestInterface $request): void`
`66`	`67`	`$hash = $m['hash'];`
`67`	`68`
`68`	`69`	`$this->verifyTimestamp($timestamp);`
`69`		`- $this->verifyHash($request, $timestamp, $hash);`
`70`		`- } else {`
`71`		- throw new Exception('Invalid `X-Signature` HTTP header in signed query', 403);
	`70`	`+`
	`71`	`+ return $this->verifyHash($request, $timestamp, $hash);`
`72`	`72`	`}`
	`73`	`+`
	`74`	+ throw new Exception('Invalid `X-Signature` HTTP header in signed query', 403);
`73`	`75`	`}`
`74`	`76`
`75`	`77`	`private function verifyTimestamp(string $timestamp): void`
`@@ -83,33 +85,45 @@ private function verifyTimestamp(string $timestamp): void`
`83`	`85`	`}`
`84`	`86`	`}`
`85`	`87`
`86`		`- private function verifyHash(ServerRequestInterface $request, string $timestamp, string $hash): void`
	`88`	`+ private function verifyHash(ServerRequestInterface $request, string $timestamp, string $hash): ServerRequestInterface`
`87`	`89`	`{`
`88`		`- $operations = $this->getOperations($request);`
	`90`	`+ ['request' => $request, 'operations' => $operations] = $this->getOperations($request);`
`89`	`91`	`$payload = $timestamp . $operations;`
`90`	`92`
`91`	`93`	`foreach ($this->keys as $key) {`
`92`	`94`	`$computedHash = hash_hmac('sha256', $payload, $key);`
`93`	`95`	`if ($hash === $computedHash) {`
`94`		`- return;`
	`96`	`+ return $request;`
`95`	`97`	`}`
`96`	`98`	`}`
`97`	`99`
`98`	`100`	`throw new Exception('Invalid signed query', 403);`
`99`	`101`	`}`
`100`	`102`
`101`		`- private function getOperations(ServerRequestInterface $request): mixed`
	`103`	`+ /**`
	`104`	`+ * @return array{request: ServerRequestInterface, operations: string}`
	`105`	`+ */`
	`106`	`+ private function getOperations(ServerRequestInterface $request): array`
`102`	`107`	`{`
`103`	`108`	`$contents = $request->getBody()->getContents();`
	`109`	`+`
`104`	`110`	`if ($contents) {`
`105`		`- return $contents;`
	`111`	`+ return [`
	`112`	`+ // Pseudo-rewind the request, even if non-rewindable, so the next`
	`113`	`+ // middleware still accesses the stream from the beginning`
	`114`	`+ 'request' => $request->withBody(new CallbackStream(fn () => $contents)),`
	`115`	`+ 'operations' => $contents,`
	`116`	`+ ];`
`106`	`117`	`}`
`107`	`118`
`108`	`119`	`$parsedBody = $request->getParsedBody();`
`109`	`120`	`if (is_array($parsedBody)) {`
`110`	`121`	`$operations = $parsedBody['operations'] ?? null;`
`111`	`122`	`if ($operations) {`
`112`		`- return $operations;`
	`123`	`+ return [`
	`124`	`+ 'request' => $request,`
	`125`	`+ 'operations' => $operations,`
	`126`	`+ ];`
`113`	`127`	`}`
`114`	`128`	`}`
`115`	`129`