Request: Move Basic Auth credential from Url to Request due to prevent leak it (#211)

Author: jakubboucek

src/Http/Request.php

@@ -44,6 +44,8 @@ class Request implements IRequest
 
 	/** @var ?callable */
 	private $rawBodyCallback;
+	private ?string $user;
+	private ?string $password;
 
 
 	public function __construct(
@@ -56,6 +58,8 @@ public function __construct(
 		?string $remoteAddress = null,
 		?string $remoteHost = null,
 		?callable $rawBodyCallback = null,
+		?string $user = null,
+		?string $password = null,
 	) {
 		$this->url = $url;
 		$this->post = (array) $post;
@@ -66,6 +70,8 @@ public function __construct(
 		$this->remoteAddress = $remoteAddress;
 		$this->remoteHost = $remoteHost;
 		$this->rawBodyCallback = $rawBodyCallback;
+		$this->user = $user;
+		$this->password = $password;
 	}
 
 
@@ -284,6 +290,18 @@ public function getRawBody(): ?string
 	}
 
 
+	public function getUser(): ?string
+	{
+		return $this->user;
+	}
+
+
+	public function getPassword(): ?string
+	{
+		return $this->password;
+	}
+
+
 	/**
 	 * Returns the most preferred language by browser. Uses the `Accept-Language` header. If no match is reached, it returns `null`.
 	 * @param  string[]  $langs  supported languages

src/Http/RequestFactory.php

@@ -59,9 +59,9 @@ public function fromGlobals(): Request
 		$url = new Url;
 		$this->getServer($url);
 		$this->getPathAndQuery($url);
-		$this->getUserAndPassword($url);
 		[$post, $cookies] = $this->getGetPostCookie($url);
 		[$remoteAddr, $remoteHost] = $this->getClient($url);
+		[$user, $password] = $this->getUserAndPassword();
 
 		return new Request(
 			new UrlScript($url, $this->getScriptPath($url)),
@@ -73,6 +73,8 @@ public function fromGlobals(): Request
 			$remoteAddr,
 			$remoteHost,
 			fn(): string => file_get_contents('php://input'),
+			$user,
+			$password,
 		);
 	}
 
@@ -109,13 +111,6 @@ private function getPathAndQuery(Url $url): void
 	}
 
 
-	private function getUserAndPassword(Url $url): void
-	{
-		$url->setUser($_SERVER['PHP_AUTH_USER'] ?? '');
-		$url->setPassword($_SERVER['PHP_AUTH_PW'] ?? '');
-	}
-
-
 	private function getScriptPath(Url $url): string
 	{
 		if (PHP_SAPI === 'cli-server') {
@@ -290,6 +285,15 @@ private function getClient(Url $url): array
 	}
 
 
+	private function getUserAndPassword(): array
+	{
+		$user = $_SERVER['PHP_AUTH_USER'] ?? null;
+		$password = $_SERVER['PHP_AUTH_PW'] ?? null;
+
+		return [$user, $password];
+	}
+
+
 	private function useForwardedProxy(Url $url, &$remoteAddr, &$remoteHost): void
 	{
 		$forwardParams = preg_split('/[,;]/', $_SERVER['HTTP_FORWARDED']);

tests/Http/RequestFactory.userAndPassword.phpt

@@ -17,11 +17,11 @@ $_SERVER = [
 	'PHP_AUTH_PW' => 'password',
 ];
 $factory = new RequestFactory;
-Assert::same('user', $factory->fromGlobals()->getUrl()->getUser());
-Assert::same('password', $factory->fromGlobals()->getUrl()->getPassword());
+Assert::same('user', $factory->fromGlobals()->getUser());
+Assert::same('password', $factory->fromGlobals()->getPassword());
 
 
 $_SERVER = [];
 $factory = new RequestFactory;
-Assert::same('', $factory->fromGlobals()->getUrl()->getUser());
-Assert::same('', $factory->fromGlobals()->getUrl()->getPassword());
+Assert::same(null, $factory->fromGlobals()->getUser());
+Assert::same(null, $factory->fromGlobals()->getPassword());