Central routes without Route::domain(), configurable tenant/central routes by default for domain/subdomain identification, allow accessing central routes in early identification for path & request data middleware (#3)

* Update url binding bootstrapper test

* Fix parent::temporarySignedRoute() call

* Add universal route tests for all identification types

* Improve determineContextFromRequest()

* Add setting `TenancyUrlGenerator::$prefixRouteNames` to true in TSP stub

* Delete seemingly redundant test (making one route universal won't make all routes universal in any case)

* Use collection syntax in ReregisterUniversalRoutes

* Improve comments

* Add domain identification MW annotation

* Update condition in GloballyUsable

* Set `tenancy.bootstrappers` instead of adding the bootstrappers using `tenancy.bootstrappers.x`, move test

* Revert GloballyUsable condition change

* Delete assigning bootstrappers to tenancy.bootstrappers.x

* Exclude cache prefixing bootstrapper from the initial configuration

* Fix test

* Unset bypass parameter

* Set static kernel identification-related properties in TestCase

* Update bootstrapper name in annotation

* Move unset() into a condition

* Update TenancyUrlGenerator condition

* Set static properties without instantiating Tenancy

* Fix unsetting bypass parameter

* formatting changes

* add a comment

* improve docblock

* add docblock to TenancyUrlGenerator [ci skip]

* docblock changes [ci skip]

* Update TenancyUrlGenerator (rename variable, allow bypassing prefixing temporarySignedRoute name)

* Improve determineContextFromRequest

* Only return the new url generator instance when extending 'url' in UrlBindingBootstrapper

* Check route's MW groups for the path ID MW

* Remove extra imports from config

* Rename MiddlewareContext to Context, add condition for skipping ID MW

* Set only the needed bootstrappers in TestCase

* Fix code style (php-cs-fixer)

* Remove condition

* Use correct return type

* Fix PHPStan issue

* Update comment

* Check for tenant parameter instead of prefix

* Update shouldBeSkipped condition for universal routes

* Don't remove the 'universal' MW group after route re-registration, update test

* Fix code style (php-cs-fixer)

* Fix typo

* Add test for mixing placement of access prevention and identification MW

* Add test for mixing placement of access prevention and identification MW

* Update docblock

* Add setting the session and key resolvers in UrlBindingBootstrapper (required with LW file uploads)

* Update stub

* Update variable name in route reregistering action

* Add trailing comma

* Fix code style (php-cs-fixer)

* Require routes using path identification to be flagged as tenant in order to be recognized as tenant routes

* Add tenant flag while re-registering routes

* Update determineContextFromRequest condition (wip)

* Fix code style (php-cs-fixer)

* Update the middleware context logic so that universal routes have to be flagged as tenant instead of just having ID MW

* Update path identification condition

* Fix re-registering the LW localized route (add 'tenant' MW)

* Update docblock

* Simplify LW route re-registration

* Add comment

* Update comment

* Simplify determineContextFromRequest, add comment

* Improve stub

* Add skipRoute method + test

* Fix typo

* Update assets/TenancyServiceProvider.stub.php

* Update src/Concerns/DealsWithEarlyIdentification.php

* Fix typo

Co-authored-by: Samuel Štancl <samuel.stancl@gmail.com>

* Improve comment

* Update test structure

* Restructure Fortify test

* code style

* Fix typo

* Update ReregisterUniversalRoutes annotation

* Only prefix route  name if it wasn't already prefixed

* Add todo@docs

* Delete `Tenancy::$kernelAccessPreventionSkipped` and related logic

* Delete test tenant cleanup

* Test MW group unpacking, restructure and improve test

* Test that tenancy isn't initialized after visiting a central route with the tenant parameter

* Delete "in both central and tenant contexts" from test names

* Test that re-registering works with controllers too

* Set misc route properties during re-registering

* Determine context instead of guessing, update universal route tests

* Use randomly generated tenant ID instead of hardcoding `acme`

* Remove setting route validators

* Rename and update determine context method, add comments

* Update ForgetTenantParameter annotation

* Add comment

* Delete comment, delete variable assignment

* Update early domain identification test

* Improve domain identification tests (test defaulting accurately)

* Improve readability

* Simplify domain early ID test

* Use randomly generated tenant instead of 'acme'

* Simplify request data ID test, use random tenant instead of 'acme'

* Simplify defaulting domain identification test

* Use RouteFacade alias for the Route facade, improve test code

* Add defaulting to the request data and path ID tests

* Merge path identification tenant parameter removal tests, clean up

* Correct wording

Co-authored-by: Samuel Štancl <samuel.stancl@gmail.com>

* Delete debugging things from UniversalRouteTest

* Update annotation

* Add `// Creates a matrix`

* Improve comment wording

* Add MiddlewareUsableWithUniversalRoutes, refactor code accordingly

* Fix code style (php-cs-fixer)

* Delete debugging leftovers

* Delete unused import

* Update universal route GloballyUsable condition

* Don't implement the universal route interface in access prevention MW

* Check if request host is in the central domains in domain ID MW

* Test universal routes with domain identification without access prevent MW

* Test that universal routes work only with identification MW implementing the universal route interface

* Fix code style (php-cs-fixer)

* Rename GloballyUsable to UsableWithEarlyIdentification

* Fix annotation

* Update requestHasTenant annotations

* Update comment

* Add `with()` comments

* Add with() comments where missing

* Rename interface, update/add comments

* Rename exception, update its default message

* Fix code style (php-cs-fixer)

* Fix interface name

* Delete redundant code from subdomain ID MW

* Change domainOrSubdomain ID MW so that instead of passing the identification to other MWs, it happens in the domainOrSubdomain MW

* Test domainOrSubdomain identification with universal routes

* Fix code style (php-cs-fixer)

* Rename universal routes interface

* Fix code style (php-cs-fixer)

* Try explaining forgetting the tenant parameter better

* update interface name reference

* uncouple example from query parameters

* Update ForgetTenantParameter.php

* Update ForgetTenantParameter annotation

* Check both routeHasMiddleware and routeHasIdentificationMiddleware in the route MW detection test

* Hardcode tenant subdomain

* Delete redundant event listening code

* Delete unused imports

* Delete misuse of `tenancy()->getMiddlewareContext()` from conditions

* Delete unused variable

* Update comment

* Correct request data identification test (defaulting)

* Fix defaulting in path id test

* Move default route context configuration in domian id test

* Rename and update the tenant parameter test

* Delete extra tenant parameter test

* Use `tenant-domain.test` instead of `127.0.0.2`

* Add `default_to_universal_routes` config key

* Deal with defaulting to universal routes in the reregistering action

* Update logic to make defaulting to universal routes possible

* Test defaulting to universal routes

* Fix code style (php-cs-fixer)

* Delete extra tests

* Delete "without access prevention" from datasets

* Add defaulting to universal routes to datasets

* Override universal flag by central/tenant flag

* Add universal flag overriding test

* Update "a route can be universal in both route modes" so that the name corresponds with the tested thing

* Ignore the PHPStan error

* Reset `InitializeTenancyByPath::$onFail` in PathIdentificationTest

* Simplify expression

* Use 'Tenancy (not) initialized.' in instead of `tenant()?->getTenantKey()` for better assertions

* Properly test removing tenant parameter

* Reset static properties in tests

* Correct comments in EarlyIdentificationTest

* Add comment

* Add detail to annotation

* Throw exception if payload isn't string or null in request data ID MW

* Fix code style (php-cs-fixer)

* Delete static `$kernelIdentificationSkipped` property, use `$request->attributes` instead

* Use 'default_route_mode' instead of 'default_to_tenant/universal_routes'

* Fix code style (php-cs-fixer)

* Make path identification MW, tenantParameterName and tenantRouteNamePrefix configurable in ReregisterUniversalRoutes

* Delete unused import

* Add `$passTenantParameterToRoute` to TenancyUrlGenerator

* Use `$passTenantParameterToRoute` in BootstrapperTest

* Bypass tenant parameter passing

* Improve TenancyUrlGenerator so that both ID methods work

* Fix code style (php-cs-fixer)

* Improve TenancyUrlGenerator readability

* Add modifyBehavior() to TenancyUrlGenerator

* Fix code style (php-cs-fixer)

* Improve comment

* Toggle route name prefixing in path/request data ID MW (route-level identification)

* Fix code style (php-cs-fixer)

* Add path identification MW config key, add `getTenantParameterName()` to ForgetTenantParameter

* Fix code style (php-cs-fixer)

* Fix modifyBehavior and routeBehaviorModificationBypassed

* Add type to `$parameters` parameter

* Split modifyBehavior into two methods, don't pass name and parameters by reference

* Update UrlBindingBootstrapper annotation

* Correct naming in tests (request data -> query string identification)

* Add info to annotation

* Pass arrays to the behavior modification methods instead of `mixed`

* Fix default value of static property in Fortify bootstrapper

* Fix code style (php-cs-fixer)

* Correct annotation

* Enable prefixing routes directly using path identification MW

* Test re-registration of routes with path ID MW

* Prefix names of routes directly using path ID MW

* Fix code style (php-cs-fixer)

* Add Livewire v3 integration example to TSP stub

* Prefix route name only if it's not prefixed already

* Rename ReregisterUniversalRoutes to ReregisterRoutesAsTenant

* Fix code style (php-cs-fixer)

* Improve ReregisterRoutesAsTenant

* Add/update TenancyUrlGenerator docblocks

* Update action name in comments/test names

* Update reregister action annotation

* Delete unused imports

* Improve comments

* Make method protected

* Improve TenancyUrlGenerator code

* Test bypass parameter removal

* Fix comment

* Update annotation

* Improve shouldReregisterRoute

* Fix typo, delete redundant comment

* Improve skipRoute

* Improve shouldBeSkipped

* Add and test `$passTenantParameterToRoutes`

* add a comment

* Fix typo in comment

* Pass array as $parameters in prepareRouteInputs

* Make path_identification_middleware an array

* Fix code style (php-cs-fixer)

* Fix ReregisterRouteAsTenant

* Move tenantParameterName and tenantRouteNamePrefix getting to PathIdentificationManager

* Make PathIdentificationManager properties `Closure|null`

* Fix code style (php-cs-fixer)

* Fix PathIdentificationManager

* Update comments

* Use foreach for dataset definition

* Extract repetitive inGlobalStack and routeHasMiddleware calls

* Refactor PathIdentificationManager

* Update TenancyUrlGenerator annotation

* Add $skippedRoutes, refactor ReregisterRoutesAsTenant

* Improve reregisterRoute

* Update re-register action annotation

* update test name

* Make PathIdentificationManager methods static again, update comments

* Add test comment

* Update ForgetTenantParameter annotation

* Improve route re-registration condition, add comment

* Change "re-register" to "clone"

* minor code improvements

---------

Co-authored-by: lukinovec <lukinovec@gmail.com>
Co-authored-by: Samuel Štancl <samuel.stancl@gmail.com>
Co-authored-by: PHP CS Fixer <phpcsfixer@example.com>

src/Middleware/PreventAccessFromUnwantedDomains.php

@@ -7,11 +7,23 @@ namespace Stancl\Tenancy\Middleware;
 use Closure;
 use Illuminate\Http\Request;
 use Illuminate\Routing\Route;
-use Illuminate\Support\Facades\Route as Router;
+use Stancl\Tenancy\Concerns\UsableWithEarlyIdentification;
+use Stancl\Tenancy\Context;
+use Stancl\Tenancy\RouteMode;
 
-// todo come up with a better name
+/**
+ * todo come up with a better name.
+ *
+ * Prevents accessing central domains in the tenant context/tenant domains in the central context.
+ * The access isn't prevented if the request is trying to access a route flagged as 'universal',
+ * or if this middleware should be skipped.
+ *
+ * @see UsableWithEarlyIdentification – more info about the skipping part
+ */
 class PreventAccessFromUnwantedDomains
 {
+    use UsableWithEarlyIdentification;
+
     /**
      * Set this property if you want to customize the on-fail behavior.
      */
@@ -20,14 +32,14 @@ class PreventAccessFromUnwantedDomains
     /** @return \Illuminate\Http\Response|mixed */
     public function handle(Request $request, Closure $next): mixed
     {
-        /** @var Route $route */
-        $route = $request->route();
+        $route = tenancy()->getRoute($request);
+        $routeIsUniversal = tenancy()->routeHasMiddleware($route, 'universal') || config('tenancy.default_route_mode') === RouteMode::UNIVERSAL;
 
-        if ($this->routeHasMiddleware($route, 'universal')) {
+        if ($this->shouldBeSkipped($route) || $routeIsUniversal) {
             return $next($request);
         }
 
-        if (in_array($request->getHost(), config('tenancy.central_domains'), true)) {
+        if ($this->accessingTenantRouteFromCentralDomain($request, $route) || $this->accessingCentralRouteFromTenantDomain($request, $route)) {
             $abortRequest = static::$abortRequest ?? function () {
                 abort(404);
             };
@@ -38,24 +50,23 @@ class PreventAccessFromUnwantedDomains
         return $next($request);
     }
 
-    protected function routeHasMiddleware(Route $route, string $middleware): bool
+    protected function accessingTenantRouteFromCentralDomain(Request $request, Route $route): bool
     {
-        /** @var array $routeMiddleware */
-        $routeMiddleware = $route->middleware();
+        return tenancy()->getMiddlewareContext($route) === RouteMode::TENANT // Current route's middleware context is tenant
+            && $this->isCentralDomain($request); // The request comes from a domain that IS present in the configured `tenancy.central_domains`
+    }
 
-        if (in_array($middleware, $routeMiddleware, true)) {
-            return true;
-        }
+    protected function accessingCentralRouteFromTenantDomain(Request $request, Route $route): bool
+    {
+        return tenancy()->getMiddlewareContext($route) === RouteMode::CENTRAL // Current route's middleware context is central
+            && ! $this->isCentralDomain($request); // The request comes from a domain that ISN'T present in the configured `tenancy.central_domains`
+    }
 
-        // Loop one level deep and check if the route's middleware
-        // groups have the searched middleware group inside them
-        $middlewareGroups = Router::getMiddlewareGroups();
-        foreach ($route->gatherMiddleware() as $inner) {
-            if (! $inner instanceof Closure && isset($middlewareGroups[$inner]) && in_array($middleware, $middlewareGroups[$inner], true)) {
-                return true;
-            }
-        }
-
-        return false;
+    /**
+     * Check if the request's host name is present in the configured `tenancy.central_domains`.
+     */
+    protected function isCentralDomain(Request $request): bool
+    {
+        return in_array($request->getHost(), config('tenancy.central_domains'), true);
     }
 }