Merge pull request #1692 from jdeniau/jd-feat-queryParameterValidation

throw an exception if required filter is not set

Author: soyuka

features/filter/filter_validation.feature

@@ -0,0 +1,39 @@
+Feature: Validate filters based upon filter description
+
+  @createSchema
+  Scenario: Required filter should not throw an error if set
+    When I am on "/filter_validators?required=foo"
+    Then the response status code should be 200
+
+    When I am on "/filter_validators?required="
+    Then the response status code should be 200
+
+  Scenario: Required filter should throw an error if not set
+    When I am on "/filter_validators"
+    Then the response status code should be 400
+    And the JSON node "detail" should be equal to 'Query parameter "required" is required'
+
+  Scenario: Required filter should not throw an error if set
+    When I am on "/array_filter_validators?arrayRequired[]=foo&indexedArrayRequired[foo]=foo"
+    Then the response status code should be 200
+
+  Scenario: Required filter should throw an error if not set
+    When I am on "/array_filter_validators"
+    Then the response status code should be 400
+    And the JSON node "detail" should match '/^Query parameter "arrayRequired\[\]" is required\nQuery parameter "indexedArrayRequired\[foo\]" is required$/'
+
+    When I am on "/array_filter_validators?arrayRequired=foo&indexedArrayRequired[foo]=foo"
+    Then the response status code should be 400
+    And the JSON node "detail" should be equal to 'Query parameter "arrayRequired[]" is required'
+
+    When I am on "/array_filter_validators?arrayRequired[foo]=foo"
+    Then the response status code should be 400
+    And the JSON node "detail" should match '/^Query parameter "arrayRequired\[\]" is required\nQuery parameter "indexedArrayRequired\[foo\]" is required$/'
+
+    When I am on "/array_filter_validators?arrayRequired[]=foo"
+    Then the response status code should be 400
+    And the JSON node "detail" should be equal to 'Query parameter "indexedArrayRequired[foo]" is required'
+
+    When I am on "/array_filter_validators?arrayRequired[]=foo&indexedArrayRequired[bar]=bar"
+    Then the response status code should be 400
+    And the JSON node "detail" should be equal to 'Query parameter "indexedArrayRequired[foo]" is required'

src/Bridge/Symfony/Bundle/DependencyInjection/Configuration.php

@@ -13,6 +13,7 @@
 
 namespace ApiPlatform\Core\Bridge\Symfony\Bundle\DependencyInjection;
 
+use ApiPlatform\Core\Exception\FilterValidationException;
 use ApiPlatform\Core\Exception\InvalidArgumentException;
 use FOS\UserBundle\FOSUserBundle;
 use GraphQL\GraphQL;
@@ -248,6 +249,7 @@ private function addExceptionToStatusSection(ArrayNodeDefinition $rootNode)
                     ->defaultValue([
                         ExceptionInterface::class => Response::HTTP_BAD_REQUEST,
                         InvalidArgumentException::class => Response::HTTP_BAD_REQUEST,
+                        FilterValidationException::class => Response::HTTP_BAD_REQUEST,
                     ])
                     ->info('The list of exceptions mapped to their HTTP status code.')
                     ->normalizeKeys(false)

src/Bridge/Symfony/Bundle/Resources/config/validator.xml

@@ -22,6 +22,13 @@
 
             <tag name="kernel.event_listener" event="kernel.view" method="onKernelView" priority="64" />
         </service>
+
+        <service id="api_platform.listener.view.validate_query_parameters" class="ApiPlatform\Core\Filter\QueryParameterValidateListener" public="false">
+            <argument type="service" id="api_platform.metadata.resource.metadata_factory" />
+            <argument type="service" id="api_platform.filter_locator" />
+
+            <tag name="kernel.event_listener" event="kernel.request" method="onKernelRequest" priority="16" />
+        </service>
     </services>
 
 </container>

src/Exception/FilterValidationException.php

@@ -0,0 +1,36 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\Core\Exception;
+
+/**
+ * Filter validation exception.
+ *
+ * @author Julien DENIAU <[email protected]>
+ */
+final class FilterValidationException extends \Exception implements ExceptionInterface
+{
+    private $constraintViolationList;
+
+    public function __construct(array $constraintViolationList, string $message = '', int $code = 0, \Exception $previous = null)
+    {
+        $this->constraintViolationList = $constraintViolationList;
+
+        parent::__construct($message ?: $this->__toString(), $code, $previous);
+    }
+
+    public function __toString(): string
+    {
+        return implode("\n", $this->constraintViolationList);
+    }
+}

src/Filter/QueryParameterValidateListener.php

@@ -0,0 +1,103 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\Core\Filter;
+
+use ApiPlatform\Core\Api\FilterLocatorTrait;
+use ApiPlatform\Core\Exception\FilterValidationException;
+use ApiPlatform\Core\Metadata\Resource\Factory\ResourceMetadataFactoryInterface;
+use ApiPlatform\Core\Util\RequestAttributesExtractor;
+use Psr\Container\ContainerInterface;
+use Symfony\Component\HttpKernel\Event\GetResponseEvent;
+
+/**
+ * Validates query parameters depending on filter description.
+ *
+ * @author Julien Deniau <[email protected]>
+ */
+final class QueryParameterValidateListener
+{
+    use FilterLocatorTrait;
+
+    private $resourceMetadataFactory;
+
+    public function __construct(ResourceMetadataFactoryInterface $resourceMetadataFactory, ContainerInterface $filterLocator)
+    {
+        $this->resourceMetadataFactory = $resourceMetadataFactory;
+        $this->setFilterLocator($filterLocator);
+    }
+
+    public function onKernelRequest(GetResponseEvent $event)
+    {
+        $request = $event->getRequest();
+        if (
+            !$request->isMethodSafe(false)
+            || !($attributes = RequestAttributesExtractor::extractAttributes($request))
+            || !isset($attributes['collection_operation_name'])
+            || 'get' !== ($operationName = $attributes['collection_operation_name'])
+        ) {
+            return;
+        }
+
+        $resourceMetadata = $this->resourceMetadataFactory->create($attributes['resource_class']);
+        $resourceFilters = $resourceMetadata->getCollectionOperationAttribute($operationName, 'filters', [], true);
+
+        $errorList = [];
+        foreach ($resourceFilters as $filterId) {
+            if (!$filter = $this->getFilter($filterId)) {
+                continue;
+            }
+
+            foreach ($filter->getDescription($attributes['resource_class']) as $name => $data) {
+                if (!($data['required'] ?? false)) { // property is not required
+                    continue;
+                }
+
+                if (!$this->isRequiredFilterValid($name, $request)) {
+                    $errorList[] = sprintf('Query parameter "%s" is required', $name);
+                }
+            }
+        }
+
+        if ($errorList) {
+            throw new FilterValidationException($errorList);
+        }
+    }
+
+    /**
+     * Test if required filter is valid. It validates array notation too like "required[bar]".
+     */
+    private function isRequiredFilterValid($name, $request): bool
+    {
+        $matches = [];
+        parse_str($name, $matches);
+        if (!$matches) {
+            return false;
+        }
+
+        $rootName = array_keys($matches)[0] ?? '';
+        if (!$rootName) {
+            return false;
+        }
+
+        if (\is_array($matches[$rootName])) {
+            $keyName = array_keys($matches[$rootName])[0];
+
+            $queryParameter = $request->query->get($rootName);
+
+            return \is_array($queryParameter) && isset($queryParameter[$keyName]);
+        }
+
+        return null !== $request->query->get($rootName);
+    }
+}

tests/Bridge/Symfony/Bundle/DependencyInjection/ApiPlatformExtensionTest.php

@@ -28,6 +28,7 @@
 use ApiPlatform\Core\DataProvider\CollectionDataProviderInterface;
 use ApiPlatform\Core\DataProvider\ItemDataProviderInterface;
 use ApiPlatform\Core\DataProvider\SubresourceDataProviderInterface;
+use ApiPlatform\Core\Exception\FilterValidationException;
 use ApiPlatform\Core\Exception\InvalidArgumentException;
 use ApiPlatform\Core\Metadata\Property\Factory\PropertyMetadataFactoryInterface;
 use ApiPlatform\Core\Metadata\Property\Factory\PropertyNameCollectionFactoryInterface;
@@ -451,7 +452,11 @@ private function getPartialContainerBuilderProphecy($test = false)
             'api_platform.description' => 'description',
             'api_platform.error_formats' => ['jsonproblem' => ['application/problem+json'], 'jsonld' => ['application/ld+json']],
             'api_platform.formats' => ['jsonld' => ['application/ld+json'], 'jsonhal' => ['application/hal+json']],
-            'api_platform.exception_to_status' => [ExceptionInterface::class => Response::HTTP_BAD_REQUEST, InvalidArgumentException::class => Response::HTTP_BAD_REQUEST],
+            'api_platform.exception_to_status' => [
+                ExceptionInterface::class => Response::HTTP_BAD_REQUEST,
+                InvalidArgumentException::class => Response::HTTP_BAD_REQUEST,
+                FilterValidationException::class => Response::HTTP_BAD_REQUEST,
+            ],
             'api_platform.title' => 'title',
             'api_platform.version' => 'version',
             'api_platform.allow_plain_identifiers' => false,
@@ -516,6 +521,7 @@ private function getPartialContainerBuilderProphecy($test = false)
             'api_platform.listener.view.respond',
             'api_platform.listener.view.serialize',
             'api_platform.listener.view.validate',
+            'api_platform.listener.view.validate_query_parameters',
             'api_platform.listener.view.write',
             'api_platform.metadata.extractor.xml',
             'api_platform.metadata.property.metadata_factory.cached',

tests/Bridge/Symfony/Bundle/DependencyInjection/ConfigurationTest.php

@@ -14,6 +14,7 @@
 namespace ApiPlatform\Core\Tests\Bridge\Symfony\Bundle\DependencyInjection;
 
 use ApiPlatform\Core\Bridge\Symfony\Bundle\DependencyInjection\Configuration;
+use ApiPlatform\Core\Exception\FilterValidationException;
 use ApiPlatform\Core\Exception\InvalidArgumentException;
 use PHPUnit\Framework\TestCase;
 use Symfony\Component\Config\Definition\Builder\TreeBuilder;
@@ -67,6 +68,7 @@ public function testDefaultConfig()
             'exception_to_status' => [
                 ExceptionInterface::class => Response::HTTP_BAD_REQUEST,
                 InvalidArgumentException::class => Response::HTTP_BAD_REQUEST,
+                FilterValidationException::class => Response::HTTP_BAD_REQUEST,
             ],
             'default_operation_path_resolver' => 'api_platform.operation_path_resolver.underscore',
             'path_segment_name_generator' => 'api_platform.path_segment_name_generator.underscore',