All notable changes to this project will be documented in this file, in reverse chronological order by release.
3.3.1 - 2020-10-28
- Bump minimum requirement of `tuupola/http-factory` to `1.0.2`. This is to avoid Composer 2 installing the broken `1.0.1` version, which would also cause `psr/http-factory` to be removed. (#103)
3.3.0 - 2020-09-23
- Allow installing with PHP 8 (#99).
3.2.1 - 2018-10-15
- Support for `tuupola/callable-handler:^1.0` and `tuupola/http-factory:^1.0`.
- `psr/http-message:^1.0.1` is now the minimum requirement.
3.2.0 - 2018-08-07
- Support for the stable version of PSR-17
3.1.0 - 2018-05-06
- Option to trust `X-Forwarded-Proto` and `X-Forwarded-Port` when detecting HTTPS requests.
3.0.0 - 2018-03-01
- Namespace changed from `Slim\Middleware` to `Tuupola\Middleware`.
- Middleware now uses only the `Authorization` header from the PSR-7 request. Both the `PHP_AUTH_USER` and `PHP_AUTH_PW` globals as well as the `HTTP_AUTHORIZATION` environment variable are now ignored.
- The `callback` setting was renamed to `before`. It is called before executing other middlewares in the stack.
- The `passthrough` setting was renamed to `ignore`.
- Public setter methods `addRule()` and `withRules()` are now immutable.
- PSR-7 double pass is now supported via the tuupola/callable-handler library.
- PHP 7.1 is now the minimum requirement.
- Error callback now receives only response and arguments, request was removed.
- Before callback now receives only request and arguments, response was removed.
- After callback now receives only response and arguments, request was removed.
- Support for the approved version of PSR-15.
- New `after` callback. It is called after executing other middlewares in the stack.
- Most setters and getters for settings. Pass settings in an array only during initialization.
- Username is now passed to the `error` callback when authentication fails.

```php
$app->add(new \Slim\Middleware\HttpBasicAuthentication([
    "users" => [
        "root" => "t00r",
        "somebody" => "passw0rd"
    ],
    "error" => function ($request, $response, $arguments) {
        var_dump($arguments["user"]);
        var_dump($arguments["message"]);
    }
]));
```

This is a security release.
RequestPathRule now removes multiple slashes from the URI before determining whether the path should be authenticated or not. For an HTTP client, /foo and //foo are different URIs and both are technically valid according to RFC 3986. On the server side, however, it depends on the implementation, and often /foo, //foo and even /////foo are treated as the same route.
Different PSR-7 implementations were behaving in different ways. Diactoros removes multiple leading slashes. By default Slim does not alter any slashes. However, when installed in a subfolder, Slim removes all redundant slashes.
This means that if you were authenticating a subfolder, for example /api, and Slim was installed in the document root, it was possible to bypass authentication by sending a request to //api. The problem did not exist if Slim was installed in a subfolder. Diactoros was not affected.
```php
$app->add(new \Slim\Middleware\HttpBasicAuthentication([
    "path" => "/api",
    "users" => [
        "root" => "t00r",
        "somebody" => "passw0rd"
    ]
]));
```

If you were using the default setting of authenticating all routes, you were not affected.
```php
$app->add(new \Slim\Middleware\HttpBasicAuthentication([
    "users" => [
        "root" => "t00r",
        "somebody" => "passw0rd"
    ]
]));
```

- Ported fix for bug slim-jwt-auth/50, where in some cases it was possible to bypass authentication by adding multiple slashes to the request URI.
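The following is an added, stand-alone PHP example (not the library's own RequestPathRule code) that illustrates the fix described above: a path check that compares the raw request path against a protected prefix lets //api through, while collapsing runs of slashes before the comparison closes the gap. The function names `normalizePath` and `requiresAuth` are hypothetical, and the prefix match is a simplified stand-in for the library's rule matching; the sample URIs are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not code from tuupola/slim-basic-auth. Function names are
// hypothetical; the prefix match is a simplified model of path-rule matching.

/**
 * Collapse every run of "/" into a single slash so that "//api" and
 * "/////api" are compared as "/api". This mirrors the normalisation the
 * changelog says RequestPathRule now applies before matching.
 */
function normalizePath(string $path): string
{
    $normalized = preg_replace('#/+#', '/', $path);
    // preg_replace() returns null on a regex engine error; keep the input then.
    return $normalized === null ? $path : $normalized;
}

/**
 * Decide whether a request path falls under the protected prefix.
 * With $normalize = false this is the bypassable, pre-fix behaviour:
 * "//api" does not start with "/api", so no authentication is required.
 * With $normalize = true the slashes are collapsed first, so "//api",
 * "/////api" and "/api/users" are all treated as the same protected route.
 */
function requiresAuth(string $path, string $protected, bool $normalize): bool
{
    if ($normalize) {
        $path = normalizePath($path);
    }
    $protected = rtrim($protected, '/');

    // Exact match, or prefix match on a full path segment so that "/apix"
    // is not mistaken for a sub-path of "/api".
    return $path === $protected
        || strncmp($path, $protected . '/', strlen($protected) + 1) === 0;
}

// Constructed sample request paths covering the normal case, the bypass
// variants from the changelog, a near-miss prefix and an unprotected route.
$samplePaths = ['/api', '//api', '/////api', '/api/users', '/apix', '/public'];

foreach ($samplePaths as $uri) {
    printf(
        "%-12s naive=%-4s fixed=%-4s\n",
        $uri,
        requiresAuth($uri, '/api', false) ? 'auth' : 'open',
        requiresAuth($uri, '/api', true) ? 'auth' : 'open'
    );
}
```

Running it shows `//api` and `/////api` reported as `open` by the naive check but `auth` once slashes are normalised, while `/apix` and `/public` stay `open` under both. The same normalisation should be applied to any `ignore`-style exclusion list as well, since an unnormalised comparison there would let a doubled slash cause the opposite failure (a path that should be excluded being authenticated).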
I was lazy and did not keep a changelog before this.