 |
VOOZH | about |
|
VOOZH | about |
This page documents the Request object's capabilities for session management, user authentication, request validation, and URL signature verification. These features enable secure request handling, user identification, input validation, and URL integrity checking.
For general request data access methods, see Input & Data Access. For information about route parameters and URL construction, see URL & Route Information.
The Request class provides four distinct security and state management subsystems:
| Subsystem | Purpose | Primary Methods |
|---|---|---|
| Session Access | Retrieve and manage session data | hasSession(), session() |
| Authentication | Identify authenticated users | user(), setUserResolver(), bearerToken() |
| Validation | Validate request input data | validate() |
| URL Signatures | Verify signed URL integrity | hasValidSignature(), hasValidRelativeSignature() |
These features integrate with external Hypervel packages through dependency injection, enabling flexible authentication strategies and validation rules.
Sources: src/Request.php31-985 src/Contracts/RequestContract.php18-442
The hasSession() method determines whether session functionality is available by checking if SessionContract is bound in the DI container. This allows graceful degradation when session functionality is not installed.
Implementation Details:
The method queries the Hyperf application container for the Hypervel\Session\Contracts\Session binding. If the binding exists, session operations are available; otherwise, applications must handle requests without session support.
Sources: src/Request.php869-873 src/Contracts/RequestContract.php387-389
The session() method retrieves the session instance for the current request. This provides access to session storage operations like getting, setting, and deleting session data.
Error Handling:
The method directly resolves SessionContract from the container without checking availability first. If session functionality is not installed, this will throw a container resolution exception. Applications should call hasSession() first when session availability is uncertain.
Sources: src/Request.php878-882 src/Contracts/RequestContract.php391-394
Sources: src/Request.php869-882 src/Contracts/RequestContract.php387-394
The Request class provides a flexible authentication system based on a user resolver callback pattern. This design allows different authentication strategies without coupling the HTTP layer to specific authentication implementations.
Authentication is implemented through a resolver callback that can be set by authentication middleware or service providers. The callback receives an optional guard name and returns the authenticated user, or null if no user is authenticated.
Sources: src/Request.php34-36 src/Request.php899-921
The setUserResolver() method accepts a Closure that will be invoked when user() is called. This callback is stored in the protected $userResolver property src/Request.php36
Sources: src/Request.php908-913 src/Contracts/RequestContract.php409-411
The user() method invokes the user resolver callback with the optional guard parameter. If no resolver has been set, it returns the result of an empty closure (effectively null).
Sources: src/Request.php918-921 src/Contracts/RequestContract.php413-416
The bearerToken() method extracts OAuth 2.0 bearer tokens from the Authorization header. This is commonly used for API authentication.
Parsing Logic:
Authorization header src/Request.php766"Bearer " in the header src/Request.php768"Bearer " src/Request.php771This implementation follows RFC 6750 for bearer token authentication.
Sources: src/Request.php764-777 src/Contracts/RequestContract.php330-333
Sources: src/Request.php899-921
| Method | Purpose | Return Type | Notes |
|---|---|---|---|
setUserResolver(Closure $callback) | Register authentication resolver | static | Typically called by middleware |
getUserResolver() | Get current resolver | Closure | Returns empty closure if none set |
user(?string $guard = null) | Get authenticated user | mixed | Invokes resolver with guard parameter |
bearerToken() | Extract bearer token | ?string | Parses Authorization header |
Sources: src/Request.php764-777 src/Request.php899-921 src/Contracts/RequestContract.php330-333 src/Contracts/RequestContract.php404-416
The validate() method provides direct access to validation functionality from the request object, eliminating the need to manually retrieve the validator factory.
Sources: src/Request.php889-894 src/Contracts/RequestContract.php396-401
The validate() method src/Request.php889-894 performs these operations:
ValidatorFactoryContract from the DI container src/Request.php891-892$this->all() as the data to validate src/Request.php893$rules, $messages, and $customAttributes parameters src/Request.php893\Hypervel\Validation\ValidationException on failureData Source: The method validates all request input returned by all(), which includes query parameters, POST data, JSON payloads, and uploaded files merged together.
Sources: src/Request.php889-894 src/Contracts/RequestContract.php396-401
Sources: src/Request.php889-894
URL signature verification ensures that URLs have not been tampered with and were generated by the application. This is commonly used for temporary access links, email verification URLs, and password reset links.
The Request class provides four methods for verifying URL signatures, offering flexibility for different use cases:
| Method | Checks Absolute URL | Can Ignore Query Params | Use Case |
|---|---|---|---|
hasValidSignature(bool $absolute = true) | Yes (default) | No | Standard signed URLs |
hasValidRelativeSignature() | No | No | Domain-agnostic signed URLs |
hasValidSignatureWhileIgnoring(array $ignoreQuery, bool $absolute) | Configurable | Yes | URLs with additional tracking params |
hasValidRelativeSignatureWhileIgnoring(array $ignoreQuery) | No | Yes | Relative URLs with extra params |
Sources: src/Request.php926-961 src/Contracts/RequestContract.php418-436
Absolute signature verification validates that the complete URL (including scheme and domain) matches the signature.
Use Cases:
Sources: src/Request.php926-931 src/Contracts/RequestContract.php418-421
Relative signature verification validates only the path and query string, ignoring the domain. This allows signed URLs to work across multiple domains (e.g., staging and production).
Use Cases:
Sources: src/Request.php936-941 src/Contracts/RequestContract.php423-426
When URLs contain additional tracking or analytics parameters that should not affect signature validity, use the "while ignoring" variants:
Use Cases:
Sources: src/Request.php946-961 src/Contracts/RequestContract.php428-436
Sources: src/Request.php926-961
All signature verification methods delegate to the UrlGeneratorContract:
UrlGeneratorContract from the application container src/Request.php928-929 src/Request.php938-939 src/Request.php948-949 src/Request.php958-959hasValidSignature($request, $absolute, $ignoreQuery) on the generator src/Request.php930 src/Request.php940 src/Request.php950 src/Request.php960The URL generator compares the signature query parameter against a computed HMAC of the URL components, using the application's secret key.
Sources: src/Request.php926-961 src/Contracts/RequestContract.php418-436
Sources: src/Request.php926-961
Sources: src/Request.php869-882 src/Contracts/RequestContract.php387-394
Sources: src/Request.php764-777 src/Request.php899-921 src/Contracts/RequestContract.php330-333 src/Contracts/RequestContract.php404-416
Sources: src/Request.php889-894 src/Contracts/RequestContract.php396-401
Sources: src/Request.php926-961 src/Contracts/RequestContract.php418-436
Refresh this wiki