Brynjar Ingimarsson

Software Developer

Add meta-data to Slim routes using PHP 8 attributes

August 31, 2022
Web Development
PHP

PHP 8.0 introduced attributes. They can be used to add meta-data to classes, methods and more. Here we look at how we can use attributes with Slim to add meta-data to routes.

Introduction

As of PHP 8.0, it is possible to use attributes (also known as annotations or decorators in other languages). Attributes can be added to classes, methods, properties, parameters and more. Here is what an attribute looks like on a class.

#[ClassAttribute(foo: "bar")]
class ExampleClass {
    /* ... */
}

I have been using attributes to make it more convenient to write route endpoints with Slim. For example, we can protect certain routes with an authentication attribute.

My typical Slim setup

I have been using the Slim framework for several projects. The route definitions usually look something like this.

$app->get('/users', [UserController::class, 'getUsers']);
$app->post('/users', [UserController::class, 'postUsers']);

We often need to restrict access to certain routes based on whether a user is authenticated and has the right privileges. My usual solution has been to write a middleware called AuthMiddleware that checks the route name against an array of protected route names. We can now make it more convenient by using attributes.

An authentication attribute

Let's create an attribute to restrict access to routes where we require an authenticated user. We start by creating the attribute.

<?php

namespace App\Attribute;

use Attribute;

#[Attribute]
class AuthRequired {
    // PHP's type is bool, not boolean. Constructor promotion (public bool $admin)
    // is what makes $attribute->admin readable after newInstance() in the middleware.
    public function __construct(public bool $admin = false) {}
}

This attribute also has an optional boolean argument, to restrict the route to admin users. We can now put the attribute on endpoints in our controllers.

<?php

namespace App\Controller;

use App\Attribute\AuthRequired;
use Psr\Http\Message\ResponseInterface as Response;
use Psr\Http\Message\ServerRequestInterface as Request;

class UserController {
    /* ... */

    // Any authenticated user may list users.
    #[AuthRequired]
    public function getUsers(Request $request, Response $response) {
        /* ... */
    }

    // Creating users is restricted to admins.
    #[AuthRequired(admin: true)]
    public function postUsers(Request $request, Response $response) {
        /* ... */
    }
}

Now our endpoints carry the attribute, but nothing reads it yet. We need to write a middleware class that checks whether the endpoint has our attribute and, if it does, whether the user is authenticated (and, when the attribute requires it, an admin).

<?php

namespace App\Middleware;

use App\Attribute\AuthRequired;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface as Request;
use Psr\Http\Server\RequestHandlerInterface as Handler;
use ReflectionMethod;
use Slim\Psr7\Response;
use Slim\Routing\RouteContext;

class AuthMiddleware {
    public function __invoke(Request $request, Handler $handler): ResponseInterface {
        // The routing middleware must already have run, otherwise
        // RouteContext::fromRequest() throws instead of returning a route.
        $routeContext = RouteContext::fromRequest($request);
        $route = $routeContext->getRoute();
        // Routes are registered as [Controller::class, 'method'], so the
        // callable is a [class, method] pair we can reflect on directly.
        $callable = $route->getCallable();

        $reflection = new ReflectionMethod($callable[0], $callable[1]);
        $authAttributes = $reflection->getAttributes(AuthRequired::class);

        if ($authAttributes) {
            $attribute = $authAttributes[0]->newInstance();

            $isAuthenticated = /** your validation logic */
            $isAdmin = /** your validation logic */

            // Deny unauthenticated users, and non-admins on admin-only routes.
            if (!$isAuthenticated || ($attribute->admin && !$isAdmin)) {
                return (new Response())->withStatus(403);
            }
        }

        return $handler->handle($request);
    }
}

The middleware starts by looking up the matched route and its [class, method] callable, then reads that method's attributes using reflection. If an AuthRequired attribute is found, we check that a user is authenticated (and, when the attribute asks for it, an admin). If the check fails, it returns a 403 Forbidden response. Otherwise we proceed to call the request handler.
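As an added example (not code from the post), here is a small resolver that finds the AuthRequired attribute for the other callable forms Slim accepts (closures, 'Class:method' strings, invokable classes), together with the app wiring that places AuthMiddleware behind the routing middleware so RouteContext has a route to hand back. The RouteAttributes helper and the App\Controller\UserController namespace are assumptions of this example.

```php
<?php
// Added example: attribute lookup for every route callable form, plus the
// middleware ordering the reflection depends on. RouteAttributes and the
// App\Controller namespace are assumed here, not taken from the post.
namespace App\Middleware;

use App\Attribute\AuthRequired;
use App\Controller\UserController;
use Closure;
use ReflectionFunction;
use ReflectionFunctionAbstract;
use ReflectionMethod;
use Slim\Factory\AppFactory;

final class RouteAttributes
{
    /** Reflect a route callable in whichever form it was registered. */
    public static function reflect(array|string|object $callable): ReflectionFunctionAbstract
    {
        if ($callable instanceof Closure) {
            return new ReflectionFunction($callable);
        }
        if (is_array($callable)) {               // [Class::class, 'method'] or [$object, 'method']
            return new ReflectionMethod($callable[0], $callable[1]);
        }
        if (is_string($callable) && str_contains($callable, ':')) {   // 'Class:method' (Slim notation)
            [$class, $method] = explode(':', str_replace('::', ':', $callable), 2);
            return new ReflectionMethod($class, $method);
        }
        return new ReflectionMethod($callable, '__invoke');   // bare class name or invokable object
    }

    /** The attribute instance, or null when the route carries none (public route). */
    public static function authRequired(array|string|object $callable): ?AuthRequired
    {
        $attrs = self::reflect($callable)->getAttributes(AuthRequired::class);
        return $attrs ? $attrs[0]->newInstance() : null;
    }
}

// Slim runs middleware last-added-first: adding AuthMiddleware *before*
// addRoutingMiddleware() means routing happens first, so RouteContext::fromRequest()
// returns a resolved route instead of throwing.
$app = AppFactory::create();
$app->add(new AuthMiddleware());
$app->addRoutingMiddleware();

$app->get('/users', [UserController::class, 'getUsers']);      // array form, as in the post
$app->post('/users', UserController::class . ':postUsers');    // 'Class:method' string form
$app->get('/health', fn ($request, $response) => $response);   // closure: no attribute, stays public
$app->run();
```

A callable the resolver cannot reflect raises a ReflectionException, which surfaces as an error response rather than a silent allow, so a mis-registered route fails closed.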

Conclusion

Using attributes like this can give us shorter and more readable code, in my opinion. There are definitely more use cases for attributes on controller endpoints, for example if we need rate limiting on certain endpoints, or we want to specify an input validation schema. Maybe I will explore it more in a later post :)