Yii2 Rest - Custom action and OPTIONS method

2019-04-23 18:33发布

站内问答 / PHP
1880 5 4

I'm having trouble with the following action "/login" route action in my UsersController class

public function actionLogin(){
        $data = Yii::$app->getRequest()->getBodyParams();
        $model = new Usuario();

        //Validamos que se hayan recibido los campos
        if(empty($data['email']) || empty($data['password'])){
            throw new \yii\web\BadRequestHttpException("Debe ingresar email y password");
        }

        //Validamos usuario y contraseña
        $usuario = $model->findByUsername($data['email']);
        if(empty($usuario) || !$usuario->validatePassword($data['password'])){
            throw new \yii\web\UnauthorizedHttpException("Usuario y/o contraseña incorrectos");
        }
        return $usuario;
    }

The situation is that I'm using POST method to perform login, and I'm calling this route from a different domain, so the frontend library first try to call /login route with OPTIONS method to check if it is allowed or not to call /login with POST..

The problem is that the built in functionality of yii2 rest ActiveController is only for /users and /users/{id}

If I manually add this /login route to be available in both POST and OPTIONS through actions verbFilter, then yii Is trying to actually call the login action with the OPTIONS request. I mean, it is trying to perform login. Of course it can't, because it is not sending email and passwords fields, but I can see an error in the log file.

So, my question is... Is there any way to configure correctly this "custom" routes actions and make OPTIONS performs transparently? Because I'm expecting that login action not get executed when calling it with OPTIONS, but instead to return directly the OPTIONS allowed methods headers.

Update Info: Added URL manager rules

'urlManager' => [
        'enablePrettyUrl' => true,
        'enableStrictParsing' => true,
        'showScriptName' => true,
        'rules' => [
            [
                'class' => 'yii\rest\UrlRule', 
                'controller' => ['v1/users'],
                'pluralize' => false,
                'tokens' => [
                    '{id}' => '<id:\\w+>'
                ]
            ],
            //Rutas usuario
            'v1/login' => '/v1/users/login'
        ],        
    ],

标签: php rest yii2
举报
5条回答
仙女界的扛把子
2楼-- · 2019-04-23 18:49

I had this same issue.

This is how I fixed it:

I added an extraPatterns parameter to my rule, like this:

    'urlManager' => [
        'enablePrettyUrl' => true,
        'showScriptName' => false,
        'rules' => [
            [
                'class' => 'yii\rest\UrlRule',
                'pluralize' => false,
                'controller' => [
                    'athlete',
                    'admin',
                    'address',
                    'program'
                ],
                'extraPatterns' => [
                    'OPTIONS <action:\w+>' => 'options'
                ]
            ]
        ],
    ],

This way, the options action will be called for every custom action that I have in any of these controllers.

查看更多
0人赞 添加讨论(0) 举报
疯言疯语
3楼-- · 2019-04-23 18:52

You need to attach Cors filter in your controller's behaviours() method (see how in official guide) with following conditions:

  1. Cors filter should be defined before Authentication / Authorization filters
  2. Open access for all users to action option in AccessControl filter

In your situation, UsersController might have such behaviors() method:

public function behaviors()
{
    return ArrayHelper::merge(
        [
            'cors' => [
                'class' => Cors::className(),
            ],
        ],
        parent::behaviors(),
        [
            'access' => [
                'class' => AccessControl::className(),
                'rules' => [
                     ['allow' => true, 'actions' => ['options']],
                ]
            ],
        ]
    );
}
查看更多
0人赞 添加讨论(0) 举报
混吃等死
4楼-- · 2019-04-23 18:53

I solved issue by extending Cors filter class:

use Yii;
use yii\filters\Cors;

class CorsCustom extends  Cors

{
    public function beforeAction($action)
    {
        parent::beforeAction($action);

        if (Yii::$app->getRequest()->getMethod() === 'OPTIONS') {
            Yii::$app->getResponse()->getHeaders()->set('Allow', 'POST GET PUT');
            Yii::$app->end();
        }

        return true;
    }
}

and then 

public function behaviors()
{
    $behaviors = parent::behaviors();
    unset($behaviors['authenticator']);
    $behaviors['corsFilter'] = [
        'class' => CorsCustom::className(),
    ];
    $behaviors['authenticator'] = [
        'class' => HttpBearerAuth::className(),
        'optional' => ['login']
    ];
    return $behaviors;
}
查看更多
0人赞 添加讨论(0) 举报
姐就是有狂的资本
5楼-- · 2019-04-23 19:00

By default the yii\rest\UrlRule class will apply those patterns to any endpoint :

'patterns' => [
    'PUT,PATCH {id}' => 'update',
    'DELETE {id}' => 'delete',
    'GET,HEAD {id}' => 'view',
    'POST' => 'create',
    'GET,HEAD' => 'index',
    '{id}' => 'options',
    '' => 'options',
]

Which means that any request holding OPTIONS verbs will be redirected to yii\rest\OptionsAction if your loginAction is written inside a class extending ActiveController.

What I suggest is to override patterns by leaving the only used verbs as your login action doesn't need any of the other CRUD actions. this should work with your case :

'rules' => [
    [
        'class' => 'yii\rest\UrlRule', 
        'controller' => ['v1/users'],
        'pluralize' => false,
        'tokens' => [
            '{id}' => '<id:\\w+>'
        ]
    ],
    [
        'class' => 'yii\rest\UrlRule',
        'controller' => ['v1/login' => '/v1/users/login'],
        'patterns' => [
            'POST' => 'login',
            '' => 'options',
        ]
    ] 
],

NOTE: the solution by @CreatoR is also a requirement here and exactly as he did it without defining keys. otherwise OPTIONS verbs will be rejected if not authenticated.

In case if your login action is defined under a class extending yii\rest\Controller directly instead of passing through yii\rest\ActiveController (which should be appropriate for authentication actions as there is no CRUD needed here) then the same rules configs should work fine but you'll need to manually add the actionOptions to your code :

// grabbed from yii\rest\OptionsAction with a little work around
private $_verbs = ['POST','OPTIONS'];

public function actionOptions ()
{
    if (Yii::$app->getRequest()->getMethod() !== 'OPTIONS') {
        Yii::$app->getResponse()->setStatusCode(405);
    }
    $options = $this->_verbs;
    Yii::$app->getResponse()->getHeaders()->set('Allow', implode(', ', $options));
}
查看更多
0人赞 添加讨论(0) 举报
仙女界的扛把子
6楼-- · 2019-04-23 19:01 
'rules' => [
    [
        'class' => 'yii\rest\UrlRule', 
        'controller' => ['v1/users'],
        'pluralize' => false,
        'tokens' => [
            '{id}' => '<id:\\w+>'
        ]
    ],
    [
        'class' => 'yii\rest\UrlRule',
        'controller' => ['v1/login' => '/v1/users/login'],
        'patterns' => [
            'POST' => 'login',
            'OPTIONS' => 'options',
        ]
    ] 
],
查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(4)