Chris@18: <?php
Chris@18: 
Chris@18: namespace Drupal\jsonapi\EventSubscriber;
Chris@18: 
Chris@18: use Drupal\Core\Cache\CacheableMetadata;
Chris@18: use Drupal\jsonapi\JsonApiSpec;
Chris@18: use Symfony\Component\EventDispatcher\EventSubscriberInterface;
Chris@18: use Symfony\Component\HttpFoundation\Request;
Chris@18: use Symfony\Component\HttpKernel\Event\GetResponseEvent;
Chris@18: use Drupal\Core\Http\Exception\CacheableBadRequestHttpException;
Chris@18: use Symfony\Component\HttpKernel\KernelEvents;
Chris@18: 
Chris@18: /**
Chris@18:  * Request subscriber that validates a JSON:API request.
Chris@18:  *
Chris@18:  * @internal JSON:API maintains no PHP API. The API is the HTTP API. This class
Chris@18:  *   may change at any time and could break any dependencies on it.
Chris@18:  *
Chris@18:  * @see https://www.drupal.org/project/jsonapi/issues/3032787
Chris@18:  * @see jsonapi.api.php
Chris@18:  */
Chris@18: class JsonApiRequestValidator implements EventSubscriberInterface {
Chris@18: 
Chris@18:   /**
Chris@18:    * Validates JSON:API requests.
Chris@18:    *
Chris@18:    * @param \Symfony\Component\HttpKernel\Event\GetResponseEvent $event
Chris@18:    *   The event to process.
Chris@18:    */
Chris@18:   public function onRequest(GetResponseEvent $event) {
Chris@18:     $request = $event->getRequest();
Chris@18:     if ($request->getRequestFormat() !== 'api_json') {
Chris@18:       return;
Chris@18:     }
Chris@18: 
Chris@18:     $this->validateQueryParams($request);
Chris@18:   }
Chris@18: 
Chris@18:   /**
Chris@18:    * Validates custom (implementation-specific) query parameter names.
Chris@18:    *
Chris@18:    * @param \Symfony\Component\HttpFoundation\Request $request
Chris@18:    *   The request for which to validate JSON:API query parameters.
Chris@18:    *
Chris@18:    * @return \Drupal\jsonapi\ResourceResponse|null
Chris@18:    *   A JSON:API resource response.
Chris@18:    *
Chris@18:    * @see http://jsonapi.org/format/#query-parameters
Chris@18:    */
Chris@18:   protected function validateQueryParams(Request $request) {
Chris@18:     $invalid_query_params = [];
Chris@18:     foreach (array_keys($request->query->all()) as $query_parameter_name) {
Chris@18:       // Ignore reserved (official) query parameters.
Chris@18:       if (in_array($query_parameter_name, JsonApiSpec::getReservedQueryParameters())) {
Chris@18:         continue;
Chris@18:       }
Chris@18: 
Chris@18:       if (!JsonApiSpec::isValidCustomQueryParameter($query_parameter_name)) {
Chris@18:         $invalid_query_params[] = $query_parameter_name;
Chris@18:       }
Chris@18:     }
Chris@18: 
Chris@18:     // Drupal uses the `_format` query parameter for Content-Type negotiation.
Chris@18:     // Using it violates the JSON:API spec. Nudge people nicely in the correct
Chris@18:     // direction. (This is special cased because using it is pretty common.)
Chris@18:     if (in_array('_format', $invalid_query_params, TRUE)) {
Chris@18:       $uri_without_query_string = $request->getSchemeAndHttpHost() . $request->getBaseUrl() . $request->getPathInfo();
Chris@18:       $exception = new CacheableBadRequestHttpException((new CacheableMetadata())->addCacheContexts(['url.query_args:_format']), 'JSON:API does not need that ugly \'_format\' query string! 🤘 Use the URL provided in \'links\' 🙏');
Chris@18:       $exception->setHeaders(['Link' => $uri_without_query_string]);
Chris@18:       throw $exception;
Chris@18:     }
Chris@18: 
Chris@18:     if (empty($invalid_query_params)) {
Chris@18:       return NULL;
Chris@18:     }
Chris@18: 
Chris@18:     $message = sprintf('The following query parameters violate the JSON:API spec: \'%s\'.', implode("', '", $invalid_query_params));
Chris@18:     $exception = new CacheableBadRequestHttpException((new CacheableMetadata())->addCacheContexts(['url.query_args']), $message);
Chris@18:     $exception->setHeaders(['Link' => 'http://jsonapi.org/format/#query-parameters']);
Chris@18:     throw $exception;
Chris@18:   }
Chris@18: 
Chris@18:   /**
Chris@18:    * {@inheritdoc}
Chris@18:    */
Chris@18:   public static function getSubscribedEvents() {
Chris@18:     $events[KernelEvents::REQUEST][] = ['onRequest'];
Chris@18:     return $events;
Chris@18:   }
Chris@18: 
Chris@18: }