Commit c523a8d

[HttpFoundation] Add documentation for #[IsSignatureValid] attribute with usage examples and options
1 parent 3e4ebb5 commit c523a8d

1 file changed

+67
-0
lines changed


routing.rst

Lines changed: 67 additions & 0 deletions
@@ -3151,6 +3151,73 @@ If you need to know the reason why a signed URI is invalid, you can use the
31513151
Support for :doc:`Symfony Clock </components/clock>` in ``UriSigner`` was
31523152
introduced in Symfony 7.3.
31533153

3154+
Another way to validate incoming requests is to use the ``#[IsSignatureValid]`` attribute.
3155+
3156+
In the following example, all incoming requests to this controller action will be verified for
3157+
a valid signature. If the signature is missing or invalid,
3158+
a ``SignedUriException`` will be thrown::
3159+
3160+
.. code-block:: php-attributes
3161+
3162+
// src/Controller/SomeController.php
3163+
// ...
3164+
3165+
use App\Security\Attribute\IsSignatureValid;
3166+
3167+
#[IsSignatureValid]
3168+
public function someAction(): Response
3169+
{
3170+
// ...
3171+
}
3172+
3173+
To restrict signature validation to specific HTTP methods,
3174+
use the ``methods`` argument. This can be a string or an array of methods::
3175+
3176+
// Only validate POST requests
3177+
#[IsSignatureValid(methods: 'POST')]
3178+
public function createItem(): Response
3179+
{
3180+
// ...
3181+
}
3182+
3183+
// Validate both POST and PUT requests
3184+
#[IsSignatureValid(methods: ['POST', 'PUT'])]
3185+
public function updateItem(): Response
3186+
{
3187+
// ...
3188+
}
3189+
3190+
You can also apply ``#[IsSignatureValid]`` at the controller class level.
3191+
This way, all actions within the controller will automatically
3192+
be protected by signature validation::
3193+
3194+
// src/Controller/SecureController.php
3195+
// ...
3196+
3197+
use App\Security\Attribute\IsSignatureValid;
3198+
3199+
#[IsSignatureValid]
3200+
class SecureController extends AbstractController
3201+
{
3202+
public function index(): Response
3203+
{
3204+
// ...
3205+
}
3206+
3207+
public function submit(): Response
3208+
{
3209+
// ...
3210+
}
3211+
}
3212+
3213+
3214+
This attribute provides a declarative way to enforce request signature validation directly
3215+
at the controller level, helping to keep your security logic consistent and maintainable.
3216+
3217+
.. versionadded:: 7.4
3218+
3219+
The ``#[IsSignatureValid]`` attribute was introduced in Symfony 7.4.
3220+
31543221
Troubleshooting
31553222
---------------
31563223
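Review bot: the two `use App\Security\Attribute\IsSignatureValid;` lines (new lines 3165 and 3197) import the attribute from an application namespace, while the `versionadded` note at the end of the hunk says the attribute was introduced in Symfony 7.4. A reader who copies the example will not be using the framework attribute, so the import should name the framework namespace the attribute ships in. In the first example, the paragraph ends with `thrown::` and is then followed by `.. code-block:: php-attributes`, so the block is marked up twice. Keep one of the two; the later examples use only `::`. The `methods` section should also state that a request using any other method reaches the action with no signature check at all, for example a GET to `createItem()` under `methods: 'POST'`. The comment "Only validate POST requests" can be misread as "only accept POST", so it is worth adding a sentence telling readers to restrict the route's allowed methods as well.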
