add allow_404 option to allow 404 pages to be redirected from http to https

Author: samsonasik

README.md

@@ -26,6 +26,7 @@ Features
 - [x] Enable/disable HTTP Strict Transport Security Header and set its value.
 - [x] Allow add `www.` prefix during redirection from http or already https.
 - [x] Allow remove `www.` prefix during redirection from http or already https.
+- [x] Force Https for 404 pages
 
 Installation
 ------------
@@ -87,6 +88,8 @@ return [
         // remove existing "www." prefix during redirection from http or already https
         // only works if previous's config 'add_www_prefix' => false
         'remove_www_prefix'     => false,
+        // Force Https for 404 pages
+        'allow_404'             => true,
     ],
     // ...
 ];

config/expressive-force-https-module.local.php.dist

@@ -17,6 +17,7 @@ return [
         ],
         'add_www_prefix'        => false,
         'remove_www_prefix'     => false,
+        'allow_404'             => true,
     ],
 
     'dependencies' => [

config/force-https-module.local.php.dist

@@ -15,5 +15,6 @@ return [
         ],
         'add_www_prefix'        => false,
         'remove_www_prefix'     => false,
+        'allow_404'             => true,
     ],
 ];

config/module.config.php

@@ -5,7 +5,8 @@
 return [
     'service_manager' => [
         'factories' => [
-            Listener\ForceHttps::class => Listener\ForceHttpsFactory::class,
+            Listener\ForceHttps::class                                  => Listener\ForceHttpsFactory::class,
+            Listener\NotFoundLoggingListenerOnSharedEventManager::class => Listener\NotFoundLoggingListenerOnSharedEventManagerFactory::class,
         ],
     ],
     'listeners' => [

spec/Listener/ForceHttpsSpec.php

@@ -10,7 +10,6 @@
 use Zend\EventManager\EventManagerInterface;
 use Zend\Http\PhpEnvironment\Request;
 use Zend\Http\PhpEnvironment\Response;
-use Zend\Mvc\Application;
 use Zend\Mvc\MvcEvent;
 use Zend\Router\RouteMatch;
 use Zend\Uri\Uri;
@@ -50,6 +49,7 @@
             $listener->attach($this->eventManager);
 
             expect($this->eventManager)->not->toReceive('attach')->with(MvcEvent::EVENT_ROUTE, [$listener, 'forceHttpsScheme']);
+            expect($this->eventManager)->not->toReceive('attach')->with(MvcEvent::EVENT_DISPATCH_ERROR, [$listener, 'forceHttpsScheme'], 1000);
 
         });
 
@@ -106,6 +106,27 @@
 
             });
 
+            it('not redirect if router not match', function () {
+
+                $listener = new ForceHttps([
+                    'enable'                => true,
+                    'force_all_routes'      => true,
+                    'force_specific_routes' => [],
+                ]);
+
+                allow($this->mvcEvent)->toReceive('getRouteMatch')->andReturn(null);
+                allow($this->routeMatch)->toReceive('getMatchedRouteName')->andReturn('about');
+
+                allow($this->mvcEvent)->toReceive('getRequest', 'getUri', 'getScheme')->andReturn('https');
+                allow($this->mvcEvent)->toReceive('getRequest', 'getUri', 'toString')->andReturn('https://www.example.com/about');
+                allow($this->mvcEvent)->toReceive('getResponse')->andReturn($this->response);
+                expect($this->mvcEvent)->toReceive('getResponse');
+
+                $listener->forceHttpsScheme($this->mvcEvent);
+                expect($this->response)->not->toReceive('getHeaders');
+
+            });
+
         });
 
         context('on current scheme is http', function () {
@@ -129,6 +150,24 @@
                 $listener->forceHttpsScheme($this->mvcEvent);
 
                 expect($this->mvcEvent)->toReceive('getResponse');
+                expect($this->response)->not->toReceive('send');
+
+            });
+
+            it('not redirect on router not match', function () {
+
+                $listener = new ForceHttps([
+                    'enable'                => true,
+                ]);
+
+                allow($this->mvcEvent)->toReceive('getRequest', 'getUri', 'getScheme')->andReturn('http');
+                allow($this->mvcEvent)->toReceive('getRouteMatch')->andReturn(null);
+                allow($this->mvcEvent)->toReceive('getResponse')->andReturn($this->response);
+
+                $listener->forceHttpsScheme($this->mvcEvent);
+
+                expect($this->mvcEvent)->toReceive('getResponse');
+                expect($this->response)->not->toReceive('send');
 
             });
 
@@ -232,6 +271,35 @@
 
             });
 
+
+            it('redirect no router not match, but allow_404 is true', function () {
+
+                $listener = new ForceHttps([
+                    'enable'    => true,
+                    'allow_404' => true,
+                ]);
+
+                allow($this->mvcEvent)->toReceive('getRequest')->andReturn($this->request);
+                allow($this->request)->toReceive('getUri')->andReturn($this->uri);
+                allow($this->uri)->toReceive('getScheme')->andReturn('http');
+                allow($this->mvcEvent)->toReceive('getRouteMatch')->andReturn(null);
+                allow($this->uri)->toReceive('setScheme')->with('https')->andReturn($this->uri);
+                allow($this->uri)->toReceive('toString')->andReturn('https://example.com/404');
+                allow($this->mvcEvent)->toReceive('getResponse')->andReturn($this->response);
+                allow($this->response)->toReceive('setStatusCode')->with(308)->andReturn($this->response);
+                allow($this->response)->toReceive('getHeaders', 'addHeaderLine')->with('Location', 'https://example.com/404');
+                allow($this->response)->toReceive('send');
+
+                $closure = function () use ($listener) {
+                    $listener->forceHttpsScheme($this->mvcEvent);
+                };
+                expect($closure)->toThrow(new QuitException('Exit statement occurred', 0));
+
+                expect($this->mvcEvent)->toReceive('getResponse');
+                expect($this->response)->toReceive('getHeaders', 'addHeaderLine')->with('Location', 'https://example.com/404');
+
+            });
+
             it('redirect with www prefix with configurable "add_www_prefix" on force_all_routes', function () {
 
                 $listener = new ForceHttps([

spec/Middleware/ForceHttpsSpec.php

@@ -49,6 +49,7 @@
 
             $match = RouteResult::fromRouteFailure(null);
             allow($this->router)->toReceive('match')->andReturn($match);
+            allow($this->request)->toReceive('getUri', 'getScheme')->andReturn('http');
 
             $listener = new ForceHttps(['enable' => true], $this->router);
 
@@ -61,6 +62,29 @@
 
         });
 
+        it('not redirect on router not match and config allow_404 is false', function () {
+
+            $match = RouteResult::fromRouteFailure(null);
+            allow($this->router)->toReceive('match')->andReturn($match);
+            allow($this->request)->toReceive('getUri', 'getScheme')->andReturn('http');
+
+            $listener = new ForceHttps(
+                [
+                    'enable'    => true,
+                    'allow_404' => false,
+                ],
+                $this->router
+            );
+
+            $handler = Double::instance(['implements' => RequestHandlerInterface::class]);
+            allow($handler)->toReceive('handle')->with($this->request)->andReturn($this->response);
+
+            $listener->process($this->request, $handler);
+
+            expect($this->response)->not->toReceive('withStatus');
+
+        });
+
         it('not redirect on https and match but no strict_transport_security config', function () {
 
             $match = RouteResult::fromRoute(new Route('/about', Double::instance(['implements' => MiddlewareInterface::class])));
@@ -199,6 +223,33 @@
 
         });
 
+        it('return Response with 308 status on http and not match, but allow_404 is true', function () {
+
+            $match = RouteResult::fromRouteFailure(null);
+
+            allow($this->router)->toReceive('match')->andReturn($match);
+            allow($this->request)->toReceive('getUri', 'getScheme')->andReturn('http');
+            allow($this->request)->toReceive('getUri', 'withScheme', '__toString')->andReturn('https://example.com/404');
+
+            $handler = Double::instance(['implements' => RequestHandlerInterface::class]);
+            allow($handler)->toReceive('handle')->with($this->request)->andReturn($this->response);
+            allow($this->response)->toReceive('withStatus')->with(308)->andReturn($this->response);
+            allow($this->response)->toReceive('withHeader')->with('Location', 'https://example.com/404')->andReturn($this->response);
+
+            $listener = new ForceHttps(
+                [
+                    'enable'    => true,
+                    'allow_404' => true,
+                ],
+                $this->router
+            );
+            $listener->process($this->request, $handler);
+
+            expect($this->response)->toReceive('withStatus')->with(308);
+            expect($this->response)->toReceive('withHeader')->with('Location', 'https://example.com/404');
+
+        });
+
         it('return Response with 308 status with include www prefix on http and match with configurable "add_www_prefix"', function () {
 
             $match = RouteResult::fromRoute(new Route('/about', Double::instance(['implements' => MiddlewareInterface::class])));

src/HttpsTrait.php

@@ -25,10 +25,22 @@ private function isSchemeHttps(string $uriScheme) : bool
     /**
      * Check Config if is going to be forced to https.
      *
-     * @param  RouteMatch|RouteResult $match
+     * @param  RouteMatch|RouteResult|null $match
      */
-    private function isGoingToBeForcedToHttps($match) : bool
+    private function isGoingToBeForcedToHttps($match = null) : bool
     {
+        $is404 = $match === null || ($match instanceof RouteResult && $match->isFailure());
+        if (isset($this->config['allow_404']) &&
+            $this->config['allow_404'] === true &&
+            $is404
+        ) {
+            return true;
+        }
+
+        if ($is404) {
+            return false;
+        }
+
         if (! $this->config['force_all_routes'] &&
             ! \in_array(
                 $match->getMatchedRouteName(),
@@ -44,11 +56,11 @@ private function isGoingToBeForcedToHttps($match) : bool
     /**
      * Check if Setup Strict-Transport-Security need to be skipped.
      *
-     * @param RouteMatch|RouteResult     $match
-     * @param Response|ResponseInterface $response
+     * @param RouteMatch|RouteResult|null $match
+     * @param Response|ResponseInterface  $response
      *
      */
-    private function isSkippedHttpStrictTransportSecurity(string $uriScheme, $match, $response) : bool
+    private function isSkippedHttpStrictTransportSecurity(string $uriScheme, $match = null, $response) : bool
     {
         return ! $this->isSchemeHttps($uriScheme) ||
             ! $this->isGoingToBeForcedToHttps($match) ||

src/Listener/ForceHttps.php

@@ -33,9 +33,10 @@ public function attach(EventManagerInterface $events, $priority = 1) : void
         }
 
         $this->listeners[] = $events->attach(MvcEvent::EVENT_ROUTE, [$this, 'forceHttpsScheme']);
+        $this->listeners[] = $events->attach(MvcEvent::EVENT_DISPATCH_ERROR, [$this, 'forceHttpsScheme'], 1000);
     }
 
-    private function setHttpStrictTransportSecurity(string $uriScheme, RouteMatch $match, Response $response) : Response
+    private function setHttpStrictTransportSecurity(string $uriScheme, RouteMatch $match = null, Response $response) : Response
     {
         if ($this->isSkippedHttpStrictTransportSecurity($uriScheme, $match, $response)) {
             return $response;
@@ -67,7 +68,7 @@ public function forceHttpsScheme(MvcEvent $e) : void
         /** @var string  $uriScheme*/
         $uriScheme = $uri->getScheme();
 
-        /** @var RouteMatch $routeMatch */
+        /** @var RouteMatch|null $routeMatch */
         $routeMatch = $e->getRouteMatch();
         $response   = $this->setHttpStrictTransportSecurity($uriScheme, $routeMatch, $response);
         if (! $this->isGoingToBeForcedToHttps($routeMatch)) {

src/Listener/ForceHttpsOnSharedEventManager.php

@@ -0,0 +1,92 @@
+<?php
+
+declare(strict_types=1);
+
+namespace ForceHttpsModule\Listener;
+
+use ForceHttpsModule\HttpsTrait;
+use Zend\Http\PhpEnvironment\Response;
+use Zend\Mvc\MvcEvent;
+use Zend\Router\RouteMatch;
+
+class ForceHttpsOnSharedEventManager
+{
+    use HttpsTrait;
+
+    /**
+     * @var array
+     */
+    private $config;
+
+    public function __construct(array $config)
+    {
+        $this->config = $config;
+    }
+
+    private function setHttpStrictTransportSecurity(string $uriScheme, Response $response) : Response
+    {
+        if ($this->isSkippedHttpStrictTransportSecurity($uriScheme, null, $response)) {
+            return $response;
+        }
+
+        if ($this->config['strict_transport_security']['enable'] === true) {
+            $response->getHeaders()
+                     ->addHeaderLine('Strict-Transport-Security: ' . $this->config['strict_transport_security']['value']);
+            return $response;
+        }
+
+        // set max-age = 0 to strictly expire it,
+        $response->getHeaders()
+                 ->addHeaderLine('Strict-Transport-Security: max-age=0');
+        return $response;
+    }
+
+    public function __invoke(MvcEvent $e)
+    {
+        /** @var \Zend\Router\RouteMatch $routeMatch */
+        $routeMatch = $e->getRouteMatch();
+
+        $controller = $e->getTarget();
+        $action     = \str_replace('-', '', $routeMatch->getParam('action')) . 'Action';
+
+        if (\method_exists($controller, $action)) {
+            return;
+        }
+
+        /** @var \Zend\Http\PhpEnvironment\Request $request */
+        $request   = $e->getRequest();
+        /** @var Response $response */
+        $response  = $e->getResponse();
+
+        $uri       = $request->getUri();
+        /** @var string  $uriScheme*/
+        $uriScheme = $uri->getScheme();
+
+        $response   = $this->setHttpStrictTransportSecurity($uriScheme, $response);
+        if (! $this->isGoingToBeForcedToHttps(null)) {
+            return;
+        }
+
+        if ($this->isSchemeHttps($uriScheme)) {
+            $uriString       = $uri->toString();
+            $httpsRequestUri = $this->getFinalhttpsRequestUri($uriString);
+
+            if ($uriString === $httpsRequestUri) {
+                return;
+            }
+        }
+
+        if (! isset($httpsRequestUri)) {
+            $uriString       = $uri->setScheme('https')->toString();
+            $httpsRequestUri = $this->getFinalhttpsRequestUri($uriString);
+        }
+
+        // 308 keeps headers, request method, and request body
+        $response->setStatusCode(308);
+        $response->getHeaders()
+                 ->addHeaderLine('Location', $httpsRequestUri);
+        $response->send();
+
+        exit(0);
+    }
+}

src/Listener/ForceHttpsOnSharedEventManagerFactory.php

@@ -0,0 +1,18 @@
+<?php
+
+declare(strict_types=1);
+
+namespace ForceHttpsModule\Listener;
+
+use Psr\Container\ContainerInterface;
+
+class ForceHttpsOnSharedEventManagerFactory
+{
+    public function __invoke(ContainerInterface $container) : ForceHttps
+    {
+        $config           = $container->get('config');
+        $forceHttpsConfig = $config['force-https-module'] ?? ['enable' => false];
+
+        return new ForceHttpsOnSharedEventManager($forceHttpsConfig);
+    }
+}