From 0d52c906561077bc315623de94b8aee2e8085d55 Mon Sep 17 00:00:00 2001 From: kenjis Date: Fri, 3 Nov 2023 11:45:27 +0900 Subject: [PATCH] refactor!: move forceSecureAccess() ForceHTTPS filter --- app/Config/App.php | 2 ++ app/Config/Filters.php | 3 ++ system/CodeIgniter.php | 16 ++------- system/Filters/ForceHTTPS.php | 56 ++++++++++++++++++++++++++++++++ tests/system/CodeIgniterTest.php | 6 ++-- 5 files changed, 66 insertions(+), 17 deletions(-) create mode 100644 system/Filters/ForceHTTPS.php diff --git a/app/Config/App.php b/app/Config/App.php index 6ae678625e7b..5c693cf76e90 100644 --- a/app/Config/App.php +++ b/app/Config/App.php @@ -131,6 +131,8 @@ class App extends BaseConfig * made via a secure connection (HTTPS). If the incoming request is not * secure, the user will be redirected to a secure version of the page * and the HTTP Strict Transport Security header will be set. + * + * @deprecated 4.5.0 No longer used. Use `forcehttps` filter. */ public bool $forceGlobalSecureRequests = false; diff --git a/app/Config/Filters.php b/app/Config/Filters.php index 8a900aff7994..b9ccf6dc6358 100644 --- a/app/Config/Filters.php +++ b/app/Config/Filters.php @@ -5,6 +5,7 @@ use CodeIgniter\Config\BaseConfig; use CodeIgniter\Filters\CSRF; use CodeIgniter\Filters\DebugToolbar; +use CodeIgniter\Filters\ForceHTTPS; use CodeIgniter\Filters\Honeypot; use CodeIgniter\Filters\InvalidChars; use CodeIgniter\Filters\PageCache; @@ -26,6 +27,7 @@ class Filters extends BaseConfig 'honeypot' => Honeypot::class, 'invalidchars' => InvalidChars::class, 'secureheaders' => SecureHeaders::class, + 'forcehttps' => ForceHTTPS::class, 'pagecache' => PageCache::class, 'performance' => PerformanceMetrics::class, ]; @@ -40,6 +42,7 @@ class Filters extends BaseConfig */ public array $required = [ 'before' => [ + // 'forcehttps', 'pagecache', ], 'after' => [ diff --git a/system/CodeIgniter.php b/system/CodeIgniter.php index 7dc2193d8006..5ed3f7f3d3ed 100644 --- a/system/CodeIgniter.php 
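Review bot: The `@deprecated` line added to the `$forceGlobalSecureRequests` docblock leaves the paragraph above it promising a redirect and an HSTS header when the value is true, while this commit removes the `forceSecureAccess()` call from `CodeIgniter::run()`. Judging by that method's docblock, it was the call that acted on the flag. An application that upgrades with the flag set to `true` and does not enable the new filter would lose HTTPS enforcement without any warning. I would say so in the docblock, for example `@deprecated 4.5.0 Has no effect any more. Enable the 'forcehttps' filter in Config\Filters::$required['before'] instead.`, and reword the description so it no longer presents the old behaviour as current.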
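Review bot: In `$required['before']` the new entry is committed as a comment, `// 'forcehttps',`, so the filter is off by default and nothing beside it says when to enable it. Its position ahead of `'pagecache'` looks deliberate, presumably so that a cached page is never answered over plain HTTP before the redirect. That ordering constraint is worth stating, because someone who enables the filter by appending it would place it after the cache. Suggested comment: `// 'forcehttps', // Uncomment to redirect HTTP requests to HTTPS; keep it before 'pagecache'.`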
+++ b/system/CodeIgniter.php @@ -339,20 +339,6 @@ public function run(?RouteCollectionInterface $routes = null, bool $returnRespon $this->getRequestObject(); $this->getResponseObject(); - try { - $this->forceSecureAccess(); - } catch (RedirectException $e) { - $this->response = $e->getResponse(); - - if ($returnResponse) { - return $this->response; - } - - $this->sendResponse(); - - return; - } - Events::trigger('pre_system'); $this->benchmark->stop('bootstrap'); @@ -699,6 +685,8 @@ protected function getResponseObject() * should be enforced for this URL. * * @return void + * + * @deprecated 4.5.0 No longer used. Moved to ForceHTTPS filter. */ protected function forceSecureAccess($duration = 31_536_000) { diff --git a/system/Filters/ForceHTTPS.php b/system/Filters/ForceHTTPS.php new file mode 100644 index 000000000000..201f348128fe --- /dev/null +++ b/system/Filters/ForceHTTPS.php 
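Review bot: The `@deprecated` note added to `forceSecureAccess()` says "No longer used" but does not say that `run()` has stopped calling it, which is what the first hunk of this file does. A subclass that overrides this protected method to customise HTTPS enforcement would stop having any effect, with no error to signal it. I would make that explicit, e.g. `@deprecated 4.5.0 No longer called by run(). Use the CodeIgniter\Filters\ForceHTTPS filter instead.` The method body lies outside the hunk, so whether it still reads the config flag cannot be checked here.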
@@ -0,0 +1,56 @@ + + * + * For the full copyright and license information, please view + * the LICENSE file that was distributed with this source code. + */ + +namespace CodeIgniter\Filters; + +use CodeIgniter\HTTP\Exceptions\RedirectException; +use CodeIgniter\HTTP\RequestInterface; +use CodeIgniter\HTTP\ResponseInterface; +use Config\Services; + +/** + * Force HTTPS filter + */ +class ForceHTTPS implements FilterInterface +{ + /** + * Force Secure Site Access? If the config value 'forceGlobalSecureRequests' + * is true, will enforce that all requests to this site are made through + * HTTPS. Will redirect the user to the current page with HTTPS, as well + * as set the HTTP Strict Transport Security header for those browsers + * that support it. + * + * @param array|null $arguments + * + * @return ResponseInterface|void + */ + public function before(RequestInterface $request, $arguments = null) + { + $response = Services::response(); + + try { + force_https(YEAR, $request, $response); + } catch (RedirectException $e) { + return $e->getResponse(); + } + } + + /** + * We don't have anything to do here. + * + * @param array|null $arguments + * + * @return void + */ + public function after(RequestInterface $request, ResponseInterface $response, $arguments = null) + { + } +} diff --git a/tests/system/CodeIgniterTest.php b/tests/system/CodeIgniterTest.php index 505d1f5e5a7b..6bfa90288045 100644 --- a/tests/system/CodeIgniterTest.php +++ b/tests/system/CodeIgniterTest.php @@ -439,10 +439,10 @@ public function testRunForceSecure(): void $_SERVER['argv'] = ['index.php', '/']; $_SERVER['argc'] = 2; - $config = new App(); - - $config->forceGlobalSecureRequests = true; + $filterConfig = config(FiltersConfig::class); + $filterConfig->required['before'][] = 'forcehttps'; + $config = new App(); $codeigniter = new MockCodeIgniter($config); $codeigniter->setContext('web');
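Review bot: The docblock on `before()` says enforcement happens when the config value `forceGlobalSecureRequests` is true, but the body calls `force_https(YEAR, $request, $response)` unconditionally and never reads that setting. The text and the code should agree, since a reader relying on the docblock would expect the filter to be inert while the flag is false. If the filter is meant to be the only switch, the summary could read `Redirects non-HTTPS requests to the same URL over HTTPS and sets the Strict-Transport-Security header with a max-age of one year.` The docblock could also state that the duration is fixed to `YEAR` and that `$arguments` is ignored.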
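Review bot: `$filterConfig->required['before'][] = 'forcehttps';` in `testRunForceSecure()` mutates the object returned by `config(FiltersConfig::class)`, which looks like the shared instance, and nothing in the hunk restores it. If that is the case, later tests in the same run would also be redirected to HTTPS. The append also puts `forcehttps` after `pagecache`, the reverse of the order shown in `app/Config/Filters.php`. Consider setting the list explicitly, `$filterConfig->required['before'] = ['forcehttps', 'pagecache'];`, and resetting the config in teardown. The rest of the test, including any cleanup, is outside the hunk.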