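/**
 * Turns a request target into the URL that will actually be fetched.
 *
 * An absolute URL (one that begins with a scheme followed by "://") is
 * returned untouched. Anything else is treated as a relative reference
 * and resolved against $this->baseURI.
 *
 * Security note: an absolute URL bypasses the configured base URI
 * entirely. If $url is built from untrusted input, the caller must
 * validate its scheme and host before passing it here.
 *
 * @param string $url Absolute URL or a reference relative to the base URI.
 *
 * @return string The URL to request.
 */
protected function prepareURL(string $url) : string
{
    // Only treat $url as absolute when it *starts* with a scheme.
    // Searching for '://' anywhere in the string misclassifies relative
    // references that merely carry a URL in their path or query string
    // (e.g. "search?next=http://example.com"), which would then skip
    // base-URI resolution.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $url) === 1)
    {
        return $url;
    }

    return (string) $this->baseURI->resolveRelativeURI($url);
}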
/**
 * Populates $this->uri with the path, scheme, host and port of the
 * current request.
 *
 * The path always comes from detectPath($protocol). Scheme, host and
 * port are taken from $baseURL when it is non-empty; otherwise they are
 * derived from the environment (isSecure() and $_SERVER).
 *
 * Security note: in the fallback branch the host can end up being
 * $_SERVER['HTTP_HOST'], which is the client-supplied Host header, and
 * depending on web-server configuration SERVER_NAME may reflect it too.
 * Setting baseURL in the config avoids deriving the host from request
 * data.
 *
 * @param $protocol Passed through to detectPath().
 * @param $baseURL  Developer-configured base URL; may be empty.
 */
protected function detectURI($protocol, $baseURL)
{
    $this->uri->setPath($this->detectPath($protocol));

    // A configured baseURL wins: scheme, host and port all come from it.
    if (! empty($baseURL))
    {
        $configuredScheme = parse_url($baseURL, PHP_URL_SCHEME);
        $configuredHost   = parse_url($baseURL, PHP_URL_HOST);
        $configuredPort   = parse_url($baseURL, PHP_URL_PORT);

        $this->uri->setScheme($configuredScheme);
        $this->uri->setHost($configuredHost);
        $this->uri->setPort($configuredPort);

        return;
    }

    // No baseURL configured: fall back to what the environment reports.
    $this->uri->setScheme($this->isSecure() ? 'https' : 'http');

    // While both SERVER_NAME and HTTP_HOST are open to security issues,
    // the server-controlled value is preferred when it is present.
    if (! empty($_SERVER['SERVER_NAME']))
    {
        $this->uri->setHost($_SERVER['SERVER_NAME']);
    }
    elseif (isset($_SERVER['HTTP_HOST']))
    {
        $this->uri->setHost($_SERVER['HTTP_HOST']);
    }

    if (! empty($_SERVER['SERVER_PORT']))
    {
        $this->uri->setPort($_SERVER['SERVER_PORT']);
    }
}
/**
 * Resolves each relative reference supplied by the provider against a
 * fixed base URI and compares the string form with the expected value.
 *
 * @dataProvider defaultResolutions
 */
public function testResolveRelativeURI($rel, $expected)
{
    $baseUri  = new URI('http://a/b/c/d');
    $resolved = $baseUri->resolveRelativeURI($rel);

    $this->assertEquals($expected, (string) $resolved);
}
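/**
 * Forces the current page to be accessed via HTTPS.
 *
 * A request that arrived over plain HTTP is redirected to the same URI
 * with the scheme switched to https, and the script exits. A request
 * that is already secure gets the HSTS header set on the response, so
 * that supporting browsers refuse plain-HTTP connections to this host
 * for $duration seconds.
 *
 * @see https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
 *
 * @param int               $duration How long the HSTS policy should last, in seconds.
 *                                    Defaults to 1 year.
 * @param RequestInterface  $request  Defaults to the shared request service.
 * @param ResponseInterface $response Defaults to the shared response service.
 */
function force_https(int $duration = 31536000, RequestInterface $request = null, ResponseInterface $response = null)
{
    $request  = $request ?? Services::request(null, true);
    $response = $response ?? Services::response(null, true);

    if ($request->isSecure())
    {
        // Browsers only honour Strict-Transport-Security when it arrives
        // over HTTPS (RFC 6797 section 8.1). Previously the header was
        // sent only on the plain-HTTP redirect, where it is ignored, so
        // the policy never took effect. Setting it here is what actually
        // enables HSTS.
        // NOTE(review): assumes $response is the object that is later
        // sent to the client; confirm for callers passing their own.
        $response->setHeader('Strict-Transport-Security', 'max-age=' . $duration);

        return;
    }

    // If the session library is loaded, regenerate the session ID so an
    // identifier that travelled over plain HTTP is not reused on HTTPS.
    // NOTE(review): this checks the unqualified global class name
    // 'Session' without autoloading; if the session class lives in a
    // namespace this condition never matches. Confirm the intended name.
    if (class_exists('Session', false))
    {
        Services::session(null, true)->regenerate();
    }

    // NOTE(review): the redirect target reuses the host of the request
    // URI. If that host can be derived from the client-supplied Host
    // header, the Location value is attacker-influenced; prefer a host
    // taken from configuration.
    $secureUri = $request->uri;
    $secureUri->setScheme('https');

    $target = \CodeIgniter\HTTP\URI::createURIString(
        $secureUri->getScheme(),
        $secureUri->getAuthority(true),
        $secureUri->getPath(),
        $secureUri->getQuery(),
        $secureUri->getFragment()
    );

    // Kept on the redirect for backward compatibility with callers that
    // inspect this response; browsers ignore it over plain HTTP.
    $response->setHeader('Strict-Transport-Security', 'max-age=' . $duration);
    $response->redirect($target);

    exit;
}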