Commit c8d14ef

[HttpFoundation] Add documentation for #[IsSignatureValid] attribute with usage examples and options
1 parent 3e4ebb5 commit c8d14ef

1 file changed

+65
-0
lines changed

routing.rst

Lines changed: 65 additions & 0 deletions
@@ -3151,6 +3151,71 @@ If you need to know the reason why a signed URI is invalid, you can use the
31513151
Support for :doc:`Symfony Clock </components/clock>` in ``UriSigner`` was
31523152
introduced in Symfony 7.3.
31533153

3154+
Another way to validate incoming requests is to use the ``#[IsSignatureValid]`` attribute.
3155+
3156+
In the following example, all incoming requests to this controller action will be verified for
3157+
a valid signature. If the signature is missing or invalid,
3158+
a ``SignedUriException`` will be thrown::
3159+
3160+
// src/Controller/SomeController.php
3161+
// ...
3162+
3163+
use App\Security\Attribute\IsSignatureValid;
3164+
3165+
#[IsSignatureValid]
3166+
public function someAction(): Response
3167+
{
3168+
// ...
3169+
}
3170+
3171+
To restrict signature validation to specific HTTP methods,
3172+
use the ``methods`` argument. This can be a string or an array of methods::
3173+
3174+
// Only validate POST requests
3175+
#[IsSignatureValid(methods: 'POST')]
3176+
public function createItem(): Response
3177+
{
3178+
// ...
3179+
}
3180+
3181+
// Validate both POST and PUT requests
3182+
#[IsSignatureValid(methods: ['POST', 'PUT'])]
3183+
public function updateItem(): Response
3184+
{
3185+
// ...
3186+
}
3187+
3188+
You can also apply ``#[IsSignatureValid]`` at the controller class level.
3189+
This way, all actions within the controller will automatically
3190+
be protected by signature validation::
3191+
3192+
// src/Controller/SecureController.php
3193+
// ...
3194+
3195+
use App\Security\Attribute\IsSignatureValid;
3196+
3197+
#[IsSignatureValid]
3198+
class SecureController extends AbstractController
3199+
{
3200+
public function index(): Response
3201+
{
3202+
// ...
3203+
}
3204+
3205+
public function submit(): Response
3206+
{
3207+
// ...
3208+
}
3209+
}
3210+
3211+
3212+
This attribute provides a declarative way to enforce request signature validation directly
3213+
at the controller level, helping to keep your security logic consistent and maintainable.
3214+
3215+
.. versionadded:: 7.4
3216+
3217+
The ``#[IsSignatureValid]`` attribute was introduced in Symfony 7.4.
3218+
31543219
Troubleshooting
31553220
---------------
31563221
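Review bot: Both `use` statements in the added examples (new lines 3163 and 3195) import `App\Security\Attribute\IsSignatureValid`, an application namespace, while the text and the `versionadded` directive present the attribute as introduced in Symfony 7.4. A reader copying the example will not reference the framework's attribute unless they happen to have written a class at that path, so the import should name the class Symfony itself ships. The `methods` section should also say explicitly that requests using any other HTTP method reach the action with no signature check (with `#[IsSignatureValid(methods: 'POST')]` a GET is not validated), and recommend restricting the route's allowed methods to match. Minor: the commit subject mentions options but only `methods` is documented, and new lines 3210 and 3211 leave two consecutive blank lines before the closing paragraph.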
