From 75e62fb4e886b973cf2e7c0e8b8bda38c87e2e3f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=A0kop?=
Date: Fri, 17 Apr 2026 16:43:27 +0200
Subject: [PATCH] Check authorization before input validation

Moves checkAuth() call before ParamsProcessor in ApiPresenter::run() to prevent unauthenticated clients from probing API validation rules. Previously, requests with missing/invalid auth would return "400 wrong input" when the body was also invalid, leaking information about required fields and validation rules to unauthenticated callers. Per OWASP ASVS V4.1.1, authorization must be enforced before request processing. Trade-off: error handlers (handleAuthorization, handleAuthorizationException) now receive an empty params array on auth failure. Debugging context is lost on failed auth, but authorization itself does not use params (ApiAuthorizationInterface::authorized() takes no arguments), so the security behavior is unchanged.
---
 src/Presenters/ApiPresenter.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/Presenters/ApiPresenter.php b/src/Presenters/ApiPresenter.php
index 53ea901..3cff8cf 100644
--- a/src/Presenters/ApiPresenter.php
+++ b/src/Presenters/ApiPresenter.php
@@ -84,6 +84,11 @@ public function run(Request $request): IResponse
 return $rateLimitResponse;
 }
+ $authResponse = $this->checkAuth($authorization, []);
+ if ($authResponse !== null) {
+ return $authResponse;
+ }
+
 $paramsProcessor = new ParamsProcessor($handler->params());
 if ($paramsProcessor->isError()) {
 $response = $this->errorHandler->handleInputParams($paramsProcessor->getErrors());
@@ -93,11 +98,6 @@ public function run(Request $request): IResponse
 $params = $paramsProcessor->getValues();
- $authResponse = $this->checkAuth($authorization, $params);
- if ($authResponse !== null) {
- return $authResponse;
- }
-
 try {
 $response = $handler->handle($params);
 $code = $response->getCode();
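Review bot: The new `checkAuth($authorization, [])` call in the first hunk has no comment saying why it must stay ahead of `ParamsProcessor` or why it passes a literal empty array, so a later refactor could move it back below validation or feed it unvalidated request data. I would add above it `// Authorize before validating input so unauthenticated callers cannot probe validation rules; params are intentionally empty here.` A regression test that sends a request failing both authorization and input validation, and asserts that the authorization error response comes back rather than the input-params error, would stop the ordering from silently regressing. The body of run() starts and ends outside the hunk, so what it can return before this point (the rate-limit response is visible as context) is still reachable without authorization and is worth checking for similar leaks.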