codeigniter4 · kenjis · Jun 29, 2023 · Jun 23, 2023 · Jun 23, 2023 · Jun 25, 2023
diff --git a/system/CodeIgniter.php b/system/CodeIgniter.php
@@ -22,6 +22,7 @@
 use CodeIgniter\HTTP\IncomingRequest;
 use CodeIgniter\HTTP\RedirectResponse;
 use CodeIgniter\HTTP\Request;
+use CodeIgniter\HTTP\ResponsableInterface;
 use CodeIgniter\HTTP\ResponseInterface;
 use CodeIgniter\HTTP\URI;
 use CodeIgniter\Router\Exceptions\RedirectException as DeprecatedRedirectException;
@@ -337,20 +338,17 @@ public function run(?RouteCollectionInterface $routes = null, bool $returnRespon
  $this->getRequestObject();
  $this->getResponseObject();
 
- $this->forceSecureAccess();
-
  $this->spoofRequestMethod();
 
  try {
  $this->response = $this->handleRequest($routes, config(Cache::class), $returnResponse);
- } catch (RedirectException|DeprecatedRedirectException $e) {
+ } catch (ResponsableInterface|DeprecatedRedirectException $e) {
  $this->outputBufferingEnd();
- $logger = Services::logger();
- $logger->info('REDIRECTED ROUTE at ' . $e->getMessage());
+ if ($e instanceof DeprecatedRedirectException) {
+ $e = new RedirectException($e->getMessage(), $e->getCode(), $e);
+ }
 
- // If the route is a 'redirect' route, it throws
- // the exception with the $to as the message
- $this->response->redirect(base_url($e->getMessage()), 'auto', $e->getCode());
+ $this->response = $e->getResponse();
  } catch (PageNotFoundException $e) {
  $this->response = $this->display404errors($e);
  } catch (Throwable $e) {
@@ -419,6 +417,8 @@ public function disableFilters(): void
  */
  protected function handleRequest(?RouteCollectionInterface $routes, Cache $cacheConfig, bool $returnResponse = false)
  {
+ $this->forceSecureAccess();
+
  if ($this->request instanceof IncomingRequest && strtolower($this->request->getMethod()) === 'cli') {
  return $this->response->setStatusCode(405)->setBody('Method Not Allowed');
  }

diff --git a/system/Common.php b/system/Common.php
@@ -21,6 +21,7 @@
 use CodeIgniter\Files\Exceptions\FileNotFoundException;
 use CodeIgniter\HTTP\CLIRequest;
 use CodeIgniter\HTTP\Exceptions\HTTPException;
+use CodeIgniter\HTTP\Exceptions\RedirectException;
 use CodeIgniter\HTTP\IncomingRequest;
 use CodeIgniter\HTTP\RedirectResponse;
 use CodeIgniter\HTTP\RequestInterface;
@@ -476,22 +477,24 @@ function esc($data, string $context = 'html', ?string $encoding = null)
  * @param ResponseInterface $response
  *
  * @throws HTTPException
+ * @throws RedirectException
  */
- function force_https(int $duration = 31_536_000, ?RequestInterface $request = null, ?ResponseInterface $response = null)
- {
- if ($request === null) {
- $request = Services::request(null, true);
- }
+ function force_https(
+ int $duration = 31_536_000,
+ ?RequestInterface $request = null,
+ ?ResponseInterface $response = null
+ ) {
+ $request ??= Services::request();
 
  if (! $request instanceof IncomingRequest) {
  return;
  }
 
- if ($response === null) {
- $response = Services::response(null, true);
- }
+ $response ??= Services::response();
 
- if ((ENVIRONMENT !== 'testing' && (is_cli() || $request->isSecure())) || (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'test')) {
+ if ((ENVIRONMENT !== 'testing' && (is_cli() || $request->isSecure()))
+ || $request->getServer('HTTPS') === 'test'
+ ) {
  return; // @codeCoverageIgnore
  }
 
@@ -520,13 +523,14 @@ function force_https(int $duration = 31_536_000, ?RequestInterface $request = nu
  );
 
  // Set an HSTS header
- $response->setHeader('Strict-Transport-Security', 'max-age=' . $duration);
- $response->redirect($uri);
- $response->sendHeaders();
-
- if (ENVIRONMENT !== 'testing') {
- exit(); // @codeCoverageIgnore
- }
+ $response->setHeader('Strict-Transport-Security', 'max-age=' . $duration)
+ ->redirect($uri)
+ ->setStatusCode(307)
+ ->setBody('')
+ ->getCookieStore()
+ ->clear();
+
+ throw new RedirectException($response);
  }
 }
 

diff --git a/system/HTTP/Exceptions/RedirectException.php b/system/HTTP/Exceptions/RedirectException.php
@@ -12,17 +12,72 @@
 namespace CodeIgniter\HTTP\Exceptions;
 
 use CodeIgniter\Exceptions\HTTPExceptionInterface;
+use CodeIgniter\HTTP\ResponsableInterface;
+use CodeIgniter\HTTP\ResponseInterface;
+use Config\Services;
 use Exception;
+use InvalidArgumentException;
+use LogicException;
+use Throwable;
 
 /**
  * RedirectException
  */
-class RedirectException extends Exception implements HTTPExceptionInterface
+class RedirectException extends Exception implements ResponsableInterface, HTTPExceptionInterface
 {
  /**
  * HTTP status code for redirects
  *
  * @var int
  */
  protected $code = 302;
+
+ protected ?ResponseInterface $response = null;
+
+ /**
+ * @param ResponseInterface|string $message Response object or a string containing a relative URI.
+ * @param int $code HTTP status code to redirect if $message is a string.
+ */
+ public function __construct($message = '', int $code = 0, ?Throwable $previous = null)
+ {
+ if (! is_string($message) && ! $message instanceof ResponseInterface) {
+ throw new InvalidArgumentException(
+ 'RedirectException::__construct() first argument must be a string or ResponseInterface',
+ 0,
+ $this
+ );
+ }
+
+ if ($message instanceof ResponseInterface) {
+ $this->response = $message;
+ $message = '';
+
+ if ($this->response->getHeaderLine('Location') === '' && $this->response->getHeaderLine('Refresh') === '') {
+ throw new LogicException(
+ 'The Response object passed to RedirectException does not contain a redirect address.'
+ );
+ }
+
+ if ($this->response->getStatusCode() < 301 || $this->response->getStatusCode() > 308) {
+ $this->response->setStatusCode($this->code);
+ }
+ }
+
+ parent::__construct($message, $code, $previous);
+ }
+
+ public function getResponse(): ResponseInterface
+ {
+ if (null === $this->response) {
+ $this->response = Services::response()
+ ->redirect(base_url($this->getMessage()), 'auto', $this->getCode());
+ }
+
+ Services::logger()->info(
+ 'REDIRECTED ROUTE at '
+ . ($this->response->getHeaderLine('Location') ?: substr($this->response->getHeaderLine('Refresh'), 6))
+ );
+
+ return $this->response;
+ }
 }
diff --git a/system/HTTP/ResponsableInterface.php b/system/HTTP/ResponsableInterface.php
@@ -0,0 +1,17 @@
+<?php
+
+/**
+ * This file is part of CodeIgniter 4 framework.
+ *
+ * (c) CodeIgniter Foundation <admin@codeigniter.com>
+ *
+ * For the full copyright and license information, please view
+ * the LICENSE file that was distributed with this source code.
+ */
+
+namespace CodeIgniter\HTTP;
+
+interface ResponsableInterface
+{
+ public function getResponse(): ResponseInterface;
+}
diff --git a/tests/system/CodeIgniterTest.php b/tests/system/CodeIgniterTest.php
@@ -441,9 +441,7 @@ public function testRunForceSecure()
  $response = $this->getPrivateProperty($codeigniter, 'response');
  $this->assertNull($response->header('Location'));
 
- ob_start();
- $codeigniter->run();
- ob_get_clean();
+ $response = $codeigniter->run(null, true);
 
  $this->assertSame('https://example.com/', $response->header('Location')->getValue());
  }

diff --git a/tests/system/CommonFunctionsTest.php b/tests/system/CommonFunctionsTest.php
@@ -14,6 +14,7 @@
 use CodeIgniter\Config\BaseService;
 use CodeIgniter\Config\Factories;
 use CodeIgniter\HTTP\CLIRequest;
+use CodeIgniter\HTTP\Exceptions\RedirectException;
 use CodeIgniter\HTTP\IncomingRequest;
 use CodeIgniter\HTTP\RedirectResponse;
 use CodeIgniter\HTTP\Response;
@@ -35,6 +36,7 @@
 use Config\Routing;
 use Config\Services;
 use Config\Session as SessionConfig;
+use Exception;
 use Kint;
 use RuntimeException;
 use stdClass;
@@ -599,10 +601,23 @@ public function testViewNotSaveData()
  public function testForceHttpsNullRequestAndResponse()
  {
  $this->assertNull(Services::response()->header('Location'));
+ Services::response()->setCookie('force', 'cookie');
+ Services::response()->setHeader('Force', 'header');
+ Services::response()->setBody('default body');
+
+ try {
+ force_https();
+ } catch (Exception $e) {
+ $this->assertInstanceOf(RedirectException::class, $e);
+ $this->assertSame('https://example.com/', $e->getResponse()->header('Location')->getValue());
+ $this->assertFalse($e->getResponse()->hasCookie('force'));
+ $this->assertSame('header', $e->getResponse()->getHeaderLine('Force'));
+ $this->assertSame('', $e->getResponse()->getBody());
+ $this->assertSame(307, $e->getResponse()->getStatusCode());
+ }
 
+ $this->expectException(RedirectException::class);
  force_https();
-
- $this->assertSame('https://example.com/', Services::response()->header('Location')->getValue());
  }
 
  /**

diff --git a/tests/system/ControllerTest.php b/tests/system/ControllerTest.php
@@ -12,6 +12,7 @@
 namespace CodeIgniter;
 
 use CodeIgniter\Config\Factories;
+use CodeIgniter\HTTP\Exceptions\RedirectException;
 use CodeIgniter\HTTP\IncomingRequest;
 use CodeIgniter\HTTP\Request;
 use CodeIgniter\HTTP\Response;
@@ -75,10 +76,13 @@ public function testConstructorHTTPS()
  $original = $_SERVER;
  $_SERVER = ['HTTPS' => 'on'];
  // make sure we can instantiate one
- $this->controller = new class () extends Controller {
- protected $forceHTTPS = 1;
- };
- $this->controller->initController($this->request, $this->response, $this->logger);
+ try {
+ $this->controller = new class () extends Controller {
+ protected $forceHTTPS = 1;
+ };
+ $this->controller->initController($this->request, $this->response, $this->logger);
+ } catch (RedirectException $e) {
+ }
 
  $this->assertInstanceOf(Controller::class, $this->controller);
  $_SERVER = $original; // restore so code coverage doesn't break

diff --git a/tests/system/HTTP/RedirectExceptionTest.php b/tests/system/HTTP/RedirectExceptionTest.php
@@ -0,0 +1,93 @@
+<?php
+
+/**
+ * This file is part of CodeIgniter 4 framework.
+ *
+ * (c) CodeIgniter Foundation <admin@codeigniter.com>
+ *
+ * For the full copyright and license information, please view
+ * the LICENSE file that was distributed with this source code.
+ */
+
+namespace CodeIgniter\HTTP;
+
+use CodeIgniter\HTTP\Exceptions\RedirectException;
+use CodeIgniter\Log\Logger;
+use CodeIgniter\Test\Mock\MockLogger as LoggerConfig;
+use Config\Services;
+use LogicException;
+use PHPUnit\Framework\TestCase;
+use Tests\Support\Log\Handlers\TestHandler;
+
+/**
+ * @internal
+ *
+ * @group Others
+ */
+final class RedirectExceptionTest extends TestCase
+{
+ protected function setUp(): void
+ {
+ Services::reset();
+ Services::injectMock('logger', new Logger(new LoggerConfig()));
+ }
+
+ public function testResponse(): void
+ {
+ $response = (new RedirectException(
+ Services::response()
+ ->redirect('redirect')
+ ->setCookie('cookie', 'value')
+ ->setHeader('Redirect-Header', 'value')
+ ))->getResponse();
+
+ $this->assertSame('redirect', $response->getHeaderLine('location'));
+ $this->assertSame(302, $response->getStatusCode());
+ $this->assertSame('value', $response->getHeaderLine('Redirect-Header'));
+ $this->assertSame('value', $response->getCookie('cookie')->getValue());
+ }
+
+ public function testResponseWithoutLocation(): void
+ {
+ $this->expectException(LogicException::class);
+ $this->expectExceptionMessage(
+ 'The Response object passed to RedirectException does not contain a redirect address.'
+ );
+
+ new RedirectException(Services::response());
+ }
+
+ public function testResponseWithoutStatusCode(): void
+ {
+ $response = (new RedirectException(Services::response()->setHeader('Location', 'location')))->getResponse();
+
+ $this->assertSame('location', $response->getHeaderLine('location'));
+ $this->assertSame(302, $response->getStatusCode());
+ }
+
+ public function testLoggingLocationHeader(): void
+ {
+ $uri = 'http://location';
+ $expected = 'INFO - ' . date('Y-m-d') . ' --> REDIRECTED ROUTE at ' . $uri;
+ $response = (new RedirectException(Services::response()->redirect($uri)))->getResponse();
+
+ $logs = TestHandler::getLogs();
+
+ $this->assertSame($uri, $response->getHeaderLine('Location'));
+ $this->assertSame('', $response->getHeaderLine('Refresh'));
+ $this->assertSame($expected, $logs[0]);
+ }
+
+ public function testLoggingRefreshHeader(): void
+ {
+ $uri = 'http://location';
+ $expected = 'INFO - ' . date('Y-m-d') . ' --> REDIRECTED ROUTE at ' . $uri;
+ $response = (new RedirectException(Services::response()->redirect($uri, 'refresh')))->getResponse();
+
+ $logs = TestHandler::getLogs();
+
+ $this->assertSame($uri, substr($response->getHeaderLine('Refresh'), 6));
+ $this->assertSame('', $response->getHeaderLine('Location'));
+ $this->assertSame($expected, $logs[0]);
+ }
+}
diff --git a/user_guide_src/source/changelogs/v4.4.0.rst b/user_guide_src/source/changelogs/v4.4.0.rst
@@ -104,6 +104,7 @@ Helpers and Functions
 
 - **Array:** Added :php:func:`array_group_by()` helper function to group data
  values together. Supports dot-notation syntax.
+- **Common:** :php:func:`force_https()` no longer terminates the application, but throws a ``RedirectException``.
 
 Others
 ======
@@ -123,6 +124,8 @@ Others
 - **Request:** Added ``IncomingRequest::setValidLocales()`` method to set valid locales.
 - **Table:** Added ``Table::setSyncRowsWithHeading()`` method to synchronize row columns with headings. See :ref:`table-sync-rows-with-headings` for details.
 - **Error Handling:** Now you can use :ref:`custom-exception-handlers`.
+- **RedirectException:** can also take an object that implements ResponseInterface as its first argument.
+- **RedirectException:** implements ResponsableInterface.
 
 Message Changes
 ***************
@@ -146,6 +149,10 @@ Changes
  this restriction has been removed.
 - **RouteCollection:** The array structure of the protected property ``$routes``
  has been modified for performance.
+- **HSTS:** Now :php:func:`force_https()` or
+ ``Config\App::$forceGlobalSecureRequests = true`` sets the HTTP status code 307,
+ which allows the HTTP request method to be preserved after the redirect.
+ In previous versions, it was 302.
 
 Deprecations
 ************