symfony · santysisi · May 9, 2025
@@ -48,6 +48,7 @@
 use Symfony\Component\Security\Http\Controller\SecurityTokenValueResolver;
 use Symfony\Component\Security\Http\Controller\UserValueResolver;
 use Symfony\Component\Security\Http\EventListener\IsGrantedAttributeListener;
+use Symfony\Component\Security\Http\EventListener\IsSignatureValidAttributeListener;
 use Symfony\Component\Security\Http\Firewall;
 use Symfony\Component\Security\Http\FirewallMapInterface;
 use Symfony\Component\Security\Http\HttpUtils;
@@ -323,5 +324,11 @@
         ->set('cache.security_is_csrf_token_valid_attribute_expression_language')
             ->parent('cache.system')
             ->tag('cache.pool')
+
+        ->set('controller.is_signature_valid_attribute_listener', IsSignatureValidAttributeListener::class)
+            ->args([
+                service('uri_signer'),
+            ])
+            ->tag('kernel.event_subscriber')
     ;
 };
@@ -28,7 +28,7 @@
         "symfony/password-hasher": "^6.4|^7.0",
         "symfony/security-core": "^7.3",
         "symfony/security-csrf": "^6.4|^7.0",
-        "symfony/security-http": "^7.3",
+        "symfony/security-http": "^7.4",
         "symfony/service-contracts": "^2.5|^3"
     },
     "require-dev": {

@@ -0,0 +1,38 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\Attribute;
+
+use Symfony\Component\HttpFoundation\Response;
+
+/**
+ * Attribute to ensure the request URI contains a valid signature before allowing controller execution.
+ *
+ * When applied, this attribute verifies that the request is signed and the signature is still valid (e.g., not expired).
+ * Behavior can be customized to either return a specific HTTP status code or throw an exception to be handled globally.
+ *
+ * @author Santiago San Martin <sanmartindev@gmail.com>
+ */
+#[\Attribute(\Attribute::IS_REPEATABLE | \Attribute::TARGET_CLASS | \Attribute::TARGET_METHOD | \Attribute::TARGET_FUNCTION)]
+final class IsSignatureValid
+{
+    /**
+     * @param int|null     $validationFailedStatusCode The HTTP status code to return if the signature is invalid.
+     * @param bool|null    $throw                      If true, an exception is thrown on signature failure instead of returning a response.
+     * @param array|string $methods                    HTTP methods that require signature validation.
+     */
+    public function __construct(
+        public ?int $validationFailedStatusCode = Response::HTTP_NOT_FOUND,
+        public ?bool $throw = null,
+        public array|string $methods = [],
+    ) {
+    }
+}
@@ -1,6 +1,11 @@
 CHANGELOG
 =========
 
+7.4
+---
+
+ * Add `#[IsSignatureValid]` attribute to validate URI signatures
+
 7.3
 ---
 

@@ -0,0 +1,61 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\EventListener;
+
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Component\HttpFoundation\UriSigner;
+use Symfony\Component\HttpKernel\Event\ControllerArgumentsEvent;
+use Symfony\Component\HttpKernel\Exception\HttpException;
+use Symfony\Component\HttpKernel\KernelEvents;
+use Symfony\Component\Security\Http\Attribute\IsSignatureValid;
+
+/**
+ * Handles the IsSignatureValid attribute.
+ *
+ * @author Santiago San Martin <sanmartindev@gmail.com>
+ */
+class IsSignatureValidAttributeListener implements EventSubscriberInterface
+{
+    public function __construct(
+        private readonly UriSigner $uriSigner,
+    ) {
+    }
+
+    public function onKernelControllerArguments(ControllerArgumentsEvent $event): void
+    {
+        /** @var IsSignatureValid[] $attributes */
+        if (!\is_array($attributes = $event->getAttributes()[IsSignatureValid::class] ?? null)) {
+            return;
+        }
+
+        $request = $event->getRequest();
+        foreach ($attributes as $attribute) {
+            $methods = \array_map('strtoupper', (array) $attribute->methods);
+            if ($methods && !\in_array($request->getMethod(), $methods, true)) {
+                continue;
+            }
+
+            if ($attribute->throw) {
+                $this->uriSigner->verify($request);
+                continue;
+            }
+            if (!$this->uriSigner->checkRequest($request)) {
+                throw new HttpException($attribute->validationFailedStatusCode, 'The URI signature is invalid.');
+            }
+        }
+    }
+
+    public static function getSubscribedEvents(): array
+    {
+        return [KernelEvents::CONTROLLER_ARGUMENTS => ['onKernelControllerArguments', 30]];
+    }
+}