Merge pull request #947 from cakephp/fix-943-v2

Read cspScriptNonce from latest request

Author: markstory

src/Middleware/DebugKitMiddleware.php

@@ -69,6 +69,6 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
             return $response;
         }
 
-        return $this->service->injectScripts($row, $request, $response);
+        return $this->service->injectScripts($row, $response);
     }
 }

src/ToolbarService.php

@@ -25,7 +25,6 @@
 use DebugKit\Panel\PanelRegistry;
 use PDOException;
 use Psr\Http\Message\ResponseInterface;
-use Psr\Http\Message\ServerRequestInterface;
 
 /**
  * Used to create the panels and inject a toolbar into
@@ -338,11 +337,10 @@ public function getToolbarUrl()
      * contains HTML and there is a </body> tag.
      *
      * @param \DebugKit\Model\Entity\Request $row The request data to inject.
-     * @param \Psr\Http\Message\ServerRequestInterface $request The request to augment.
      * @param \Psr\Http\Message\ResponseInterface $response The response to augment.
      * @return \Psr\Http\Message\ResponseInterface The modified response
      */
-    public function injectScripts($row, ServerRequestInterface $request, ResponseInterface $response)
+    public function injectScripts($row, ResponseInterface $response)
     {
         $response = $response->withHeader('X-DEBUGKIT-ID', (string)$row->id);
         if (strpos($response->getHeaderLine('Content-Type'), 'html') === false) {
@@ -359,9 +357,12 @@ public function injectScripts($row, ServerRequestInterface $request, ResponseInt
         if ($pos === false) {
             return $response;
         }
-        $nonce = $request->getAttribute('cspScriptNonce');
-        if ($nonce) {
-            $nonce = sprintf(' nonce="%s"', $nonce);
+        // Use Router to get the request so that we can see the
+        // state after other middleware have been applied.
+        $request = Router::getRequest();
+        $nonce = '';
+        if ($request && $request->getAttribute('cspScriptNonce')) {
+            $nonce = sprintf(' nonce="%s"', $request->getAttribute('cspScriptNonce'));
         }
 
         $url = Router::url('/', true);

tests/TestCase/Middleware/DebugKitMiddlewareTest.php

@@ -21,6 +21,7 @@
 use Cake\Http\CallbackStream;
 use Cake\Http\Response;
 use Cake\Http\ServerRequest;
+use Cake\Routing\Router;
 use Cake\TestSuite\TestCase;
 use DebugKit\Middleware\DebugKitMiddleware;
 use Psr\Http\Server\RequestHandlerInterface;
@@ -122,7 +123,7 @@ public function testInvokeSaveData()
         $this->assertNotNull($result->panels[11]->summary);
         $this->assertSame('Sql Log', $result->panels[11]->title);
 
-        $timeStamp = filemtime(Plugin::path('DebugKit') . 'webroot' . DS . 'js' . DS . 'main.js');
+        $timeStamp = filemtime(Plugin::path('DebugKit') . 'webroot' . DS . 'js' . DS . 'inject-iframe.js');
 
         $expected = '<html><title>test</title><body><p>some text</p>' .
             '<script id="__debug_kit_script" data-id="' . $result->id . '" ' .
@@ -144,6 +145,7 @@ public function testInvokeInjectCspNonce()
             'environment' => ['REQUEST_METHOD' => 'GET'],
         ]);
         $request = $request->withAttribute('cspScriptNonce', 'csp-nonce');
+        Router::setRequest($request);
 
         $response = new Response([
             'statusCode' => 200,

tests/TestCase/ToolbarServiceTest.php

@@ -22,6 +22,7 @@
 use Cake\Http\Response;
 use Cake\Http\ServerRequest as Request;
 use Cake\Log\Log;
+use Cake\Routing\Router;
 use Cake\TestSuite\TestCase;
 use DebugKit\Model\Entity\Request as RequestEntity;
 use DebugKit\ToolbarService;
@@ -294,6 +295,7 @@ public function testInjectScriptsLastBodyTag()
             'url' => '/articles',
             'environment' => ['REQUEST_METHOD' => 'GET'],
         ]);
+        Router::setRequest($request);
         $response = new Response([
             'statusCode' => 200,
             'type' => 'text/html',
@@ -303,9 +305,9 @@ public function testInjectScriptsLastBodyTag()
         $bar = new ToolbarService($this->events, []);
         $bar->loadPanels();
         $row = $bar->saveData($request, $response);
-        $response = $bar->injectScripts($row, $request, $response);
+        $response = $bar->injectScripts($row, $response);
 
-        $timeStamp = filemtime(Plugin::path('DebugKit') . 'webroot' . DS . 'js' . DS . 'main.js');
+        $timeStamp = filemtime(Plugin::path('DebugKit') . 'webroot' . DS . 'js' . DS . 'inject-iframe.js');
 
         $expected = '<html><title>test</title><body><p>some text</p>' .
             '<script id="__debug_kit_script" data-id="' . $row->id . '" ' .
@@ -322,10 +324,6 @@ public function testInjectScriptsLastBodyTag()
      */
     public function testInjectScriptsFileBodies()
     {
-        $request = new Request([
-            'url' => '/articles',
-            'params' => ['plugin' => null],
-        ]);
         $response = new Response([
             'statusCode' => 200,
             'type' => 'text/html',
@@ -335,7 +333,7 @@ public function testInjectScriptsFileBodies()
         $bar = new ToolbarService($this->events, []);
         $row = new RequestEntity(['id' => 'abc123']);
 
-        $result = $bar->injectScripts($row, $request, $response);
+        $result = $bar->injectScripts($row, $response);
         $this->assertInstanceOf('Cake\Http\Response', $result);
         $this->assertSame(file_get_contents(__FILE__), '' . $result->getBody());
         $this->assertTrue($result->hasHeader('X-DEBUGKIT-ID'), 'Should have a tracking id');
@@ -348,10 +346,6 @@ public function testInjectScriptsFileBodies()
      */
     public function testInjectScriptsStreamBodies()
     {
-        $request = new Request([
-            'url' => '/articles',
-            'params' => ['plugin' => null],
-        ]);
         $response = new Response([
             'statusCode' => 200,
             'type' => 'text/html',
@@ -361,7 +355,7 @@ public function testInjectScriptsStreamBodies()
         $bar = new ToolbarService($this->events, []);
         $row = new RequestEntity(['id' => 'abc123']);
 
-        $result = $bar->injectScripts($row, $request, $response);
+        $result = $bar->injectScripts($row, $response);
         $this->assertInstanceOf('Cake\Http\Response', $result);
         $this->assertSame('I am a teapot!', (string)$response->getBody());
     }
@@ -373,8 +367,10 @@ public function testInjectScriptsStreamBodies()
      */
     public function testInjectScriptsNoModifyResponse()
     {
-        $request = new Request(['url' => '/articles']);
-
+        $request = new Request([
+            'url' => '/articles/view/123',
+            'params' => [],
+        ]);
         $response = new Response([
             'statusCode' => 200,
             'type' => 'application/json',
@@ -385,7 +381,7 @@ public function testInjectScriptsNoModifyResponse()
         $bar->loadPanels();
 
         $row = $bar->saveData($request, $response);
-        $response = $bar->injectScripts($row, $request, $response);
+        $response = $bar->injectScripts($row, $response);
         $this->assertTextEquals('{"some":"json"}', (string)$response->getBody());
         $this->assertTrue($response->hasHeader('X-DEBUGKIT-ID'), 'Should have a tracking id');
     }