Updated method spoofing to be applied on request mapping instead

WendellAdriel · WendellAdriel · commit bf7eee3f51fc · 2025-09-14T12:06:20.000+01:00
diff --git a/packages/http/src/Mappers/PsrRequestToGenericRequestMapper.php b/packages/http/src/Mappers/PsrRequestToGenericRequestMapper.php
@@ -52,7 +52,7 @@ public function map(mixed $from, mixed $to): GenericRequest
         );
 
         return map([
-            'method' => Method::from($from->getMethod()),
+            'method' => $this->requestMethod($from, $data),
             'uri' => (string) $from->getUri(),
             'raw' => $raw,
             'body' => $data,
@@ -70,4 +70,31 @@ public function map(mixed $from, mixed $to): GenericRequest
         ])
             ->to(GenericRequest::class);
     }
+
+    private function requestMethod(mixed $from, array $data): Method
+    {
+        $originalMethod = Method::from($from->getMethod());
+        if ($originalMethod !== Method::POST) {
+            return $originalMethod;
+        }
+
+        if (! isset($data['_method'])) {
+            return $originalMethod;
+        }
+
+        $spoofedMethod = Method::tryFrom(strtoupper($data['_method']));
+        if ($spoofedMethod === null) {
+            return $originalMethod;
+        }
+
+        $allowedMethods = [
+            Method::PUT,
+            Method::PATCH,
+            Method::DELETE,
+        ];
+
+        return ! in_array($spoofedMethod, $allowedMethods, strict: true)
+            ? $originalMethod
+            : $spoofedMethod;
+    }
 }
diff --git a/packages/http/tests/MethodSpoofingTest.php b/packages/http/tests/MethodSpoofingTest.php
@@ -2,15 +2,14 @@
 
 declare(strict_types=1);
 
-namespace Tempest\Router\Tests;
+namespace Tempest\Http\Tests;
 
 use PHPUnit\Framework\TestCase;
 use Tempest\Container\Container;
 use Tempest\Container\GenericContainer;
 use Tempest\Http\GenericRequest;
 use Tempest\Http\Method;
 use Tempest\Http\Request;
-use Tempest\Http\Response;
 use Tempest\Http\Responses\NotFound;
 use Tempest\Http\Responses\Ok;
 use Tempest\Router\HttpMiddlewareCallable;
@@ -19,7 +18,7 @@
 use Tempest\Router\RouteConfig;
 use Tempest\Router\Routing\Matching\GenericRouteMatcher;
 
-final class MatchRouteMiddlewareTest extends TestCase
+final class MethodSpoofingTest extends TestCase
 {
     private Container $container;
     private RouteConfig $routeConfig;
diff --git a/packages/router/src/MatchRouteMiddleware.php b/packages/router/src/MatchRouteMiddleware.php
@@ -24,8 +24,6 @@ public function __construct(
 
     public function __invoke(Request $request, HttpMiddlewareCallable $next): Response
     {
-        $request = $this->applyMethodSpoofing($request);
-
         $matchedRoute = $this->routeMatcher->match($request);
 
         if ($matchedRoute === null && $request->method === Method::HEAD && $request instanceof GenericRequest) {
@@ -72,37 +70,4 @@ private function resolveRequest(Request $request, MatchedRoute $matchedRoute): R
 
         return $request;
     }
-
-    private function applyMethodSpoofing(Request $request): Request
-    {
-        if ($request->method !== Method::POST) {
-            return $request;
-        }
-
-        if (! ($request instanceof GenericRequest)) {
-            return $request;
-        }
-
-        if (! $request->hasBody('_method')) {
-            return $request;
-        }
-
-        $spoofedMethod = Method::tryFrom(strtoupper((string) $request->get('_method')));
-
-        if ($spoofedMethod === null) {
-            return $request;
-        }
-
-        $allowedMethods = [
-            Method::PUT,
-            Method::PATCH,
-            Method::DELETE,
-        ];
-
-        if (! in_array($spoofedMethod, $allowedMethods, strict: true)) {
-            return $request;
-        }
-
-        return $request->withMethod($spoofedMethod);
-    }
 }
