class JsonApiRequestValidator in JSON:API 8.2

Request subscriber that validates a JSON:API request.

@internal JSON:API maintains no PHP API. The API is the HTTP API. This class may change at any time and could break any dependencies on it.

Hierarchy

  • class \Drupal\jsonapi\EventSubscriber\JsonApiRequestValidator implements \Symfony\Component\EventDispatcher\EventSubscriberInterface

See also

https://www.drupal.org/project/jsonapi/issues/3032787

jsonapi.api.php

1 string reference to 'JsonApiRequestValidator'

  • jsonapi.services.yml in ./jsonapi.services.yml

1 service uses JsonApiRequestValidator

  • jsonapi.custom_query_parameter_names_validator.subscriber in ./jsonapi.services.yml (class: Drupal\jsonapi\EventSubscriber\JsonApiRequestValidator)

File

src/EventSubscriber/JsonApiRequestValidator.php, line 22

Namespace

Drupal\jsonapi\EventSubscriber
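use Drupal\Core\Cache\CacheableMetadata;
use Drupal\Core\Http\Exception\CacheableBadRequestHttpException;
use Drupal\jsonapi\JsonApiSpec;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Event\GetResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;

class JsonApiRequestValidator implements EventSubscriberInterface {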

  /**
   * Validates JSON:API requests.
   *
   * @param \Symfony\Component\HttpKernel\Event\GetResponseEvent $event
   *   The event to process.
   */
  public function onRequest(GetResponseEvent $event) {
    $request = $event->getRequest();
    if ($request->getRequestFormat() !== 'api_json') {
      return;
    }
    $this->validateQueryParams($request);
  }

  /**
   * Validates custom (implementation-specific) query parameter names.
   *
   * @param \Symfony\Component\HttpFoundation\Request $request
   *   The request for which to validate JSON:API query parameters.
   *
   * @return \Drupal\jsonapi\ResourceResponse|null
   *   NULL when every query parameter name is valid; an invalid name causes
   *   an exception to be thrown instead.
   *
   * @see http://jsonapi.org/format/#query-parameters
   */
  protected function validateQueryParams(Request $request) {
    $invalid_query_params = [];
    foreach (array_keys($request->query->all()) as $query_parameter_name) {

      // Ignore reserved (official) query parameters.
      if (in_array($query_parameter_name, JsonApiSpec::getReservedQueryParameters())) {
        continue;
      }
      if (!JsonApiSpec::isValidCustomQueryParameter($query_parameter_name)) {
        $invalid_query_params[] = $query_parameter_name;
      }
    }

    // Drupal uses the `_format` query parameter for Content-Type negotiation.
    // Using it violates the JSON:API spec. Nudge people nicely in the correct
    // direction. (This is special cased because using it is pretty common.)
    if (in_array('_format', $invalid_query_params, TRUE)) {
      $uri_without_query_string = $request->getSchemeAndHttpHost() . $request->getBaseUrl() . $request->getPathInfo();
      $exception = new CacheableBadRequestHttpException((new CacheableMetadata())->addCacheContexts(['url.query_args:_format']), 'JSON:API does not need that ugly \'_format\' query string! 🤘 Use the URL provided in \'links\' 🙏');
      $exception->setHeaders(['Link' => $uri_without_query_string]);
      throw $exception;
    }
    if (empty($invalid_query_params)) {
      return NULL;
    }
    $message = sprintf('The following query parameters violate the JSON:API spec: \'%s\'.', implode("', '", $invalid_query_params));
    $exception = new CacheableBadRequestHttpException((new CacheableMetadata())->addCacheContexts(['url.query_args']), $message);
    $exception->setHeaders(['Link' => 'http://jsonapi.org/format/#query-parameters']);
    throw $exception;
  }

  /**
   * {@inheritdoc}
   */
  public static function getSubscribedEvents() {
    $events[KernelEvents::REQUEST][] = ['onRequest'];
    return $events;
  }

}

Members

| Name | Modifiers | Type | Description | Overrides |
| --- | --- | --- | --- | --- |
| JsonApiRequestValidator::getSubscribedEvents | public static | function | Returns an array of event names this subscriber wants to listen to. | |
| JsonApiRequestValidator::onRequest | public | function | Validates JSON:API requests. | |
| JsonApiRequestValidator::validateQueryParams | protected | function | Validates custom (implementation-specific) query parameter names. | |