tourze / json-rpc-security-bundle
JsonRPC authorization handling
Installs: 3 917
Dependents: 8
Suggesters: 0
Security: 0
Stars: 0
Watchers: 1
Forks: 0
Open Issues: 0
Type:symfony-bundle
pkg:composer/tourze/json-rpc-security-bundle
Requires
- symfony/config: ^7.3
- symfony/console: ^7.3
- symfony/dependency-injection: ^7.3
- symfony/event-dispatcher: ^7.3
- symfony/expression-language: ^7.3
- symfony/framework-bundle: ^7.3
- symfony/http-foundation: ^7.3
- symfony/http-kernel: ^7.3
- symfony/messenger: ^7.3
- symfony/property-access: ^7.3
- symfony/security-bundle: ^7.3
- symfony/security-core: ^7.3
- symfony/security-http: ^7.3
- symfony/string: ^7.3
- symfony/yaml: ^7.3
- tourze/bundle-dependency: 1.*
- tourze/json-rpc-core: 1.0.*
- tourze/symfony-dependency-service-loader: 1.*
Requires (Dev)
- phpstan/phpstan: ^2.1
- phpunit/phpunit: ^11.5
- tourze/phpunit-symfony-kernel-test: 1.0.*
- tourze/phpunit-symfony-unit-test: 1.*
This package is auto-updated.
Last update: 2025-11-01 19:18:47 UTC
README
Table of Contents
- Overview
- Requirements
- Installation
- Quick Start
- Features
- Usage
- Architecture
- Configuration
- Advanced Usage
- Testing
- API Reference
- Contributing
- License
Overview
A Symfony Bundle providing authorization handling for JSON-RPC services.
Requirements
- PHP 8.1+
- Symfony 6.4+
- tourze/json-rpc-core
- tourze/bundle-dependency
Installation
composer require tourze/json-rpc-security-bundle
Quick Start
- Add the bundle to your Symfony project:
    // config/bundles.php
    return [
        // ...
        Tourze\JsonRPCSecurityBundle\JsonRPCSecurityBundle::class => ['all' => true],
    ];
- Use the IsGranted attribute on your JSON-RPC methods:
    use Symfony\Component\Security\Http\Attribute\IsGranted;
    use Tourze\JsonRPC\Core\Domain\JsonRpcMethodInterface;
    use Tourze\JsonRPC\Core\Model\JsonRpcRequest;

    #[IsGranted(attribute: 'ROLE_ADMIN')]
    class AdminMethod implements JsonRpcMethodInterface
    {
        public function __invoke(JsonRpcRequest $request): mixed
        {
            // Only users with ROLE_ADMIN can access this method
            return ['message' => 'Hello Admin!'];
        }
    }
Features
- Seamless integration with Symfony Security component
- Fine-grained permission control for JSON-RPC methods
- Attribute-based permission declarations
- Support for both class-level and method-level authorization
- Automatic event-driven security checks
Usage
Basic Role-Based Authorization
    use Symfony\Component\Security\Http\Attribute\IsGranted;
    use Tourze\JsonRPC\Core\Domain\JsonRpcMethodInterface;
    use Tourze\JsonRPC\Core\Model\JsonRpcRequest;

    #[IsGranted(attribute: 'ROLE_USER')]
    class UserProfileMethod implements JsonRpcMethodInterface
    {
        public function __invoke(JsonRpcRequest $request): mixed
        {
            // Accessible to authenticated users
            return ['profile' => 'user data'];
        }
    }
Method-Level Authorization
    use Symfony\Component\Security\Http\Attribute\IsGranted;
    use Tourze\JsonRPC\Core\Domain\JsonRpcMethodInterface;
    use Tourze\JsonRPC\Core\Model\JsonRpcRequest;

    class UserManagementMethod implements JsonRpcMethodInterface
    {
        #[IsGranted(attribute: 'ROLE_ADMIN')]
        public function deleteUser(int $userId): bool
        {
            // Only admins can delete users
            return true;
        }

        #[IsGranted(attribute: 'ROLE_USER')]
        public function viewProfile(int $userId): array
        {
            // Regular users can view profiles
            return ['id' => $userId, 'name' => 'John'];
        }
    }
Custom Permission Attributes
For more fine-grained control, use the MethodPermission attribute:
    use Tourze\JsonRPCSecurityBundle\Attribute\MethodPermission;
    use Tourze\JsonRPC\Core\Domain\JsonRpcMethodInterface;
    use Tourze\JsonRPC\Core\Model\JsonRpcRequest;

    #[MethodPermission("user.edit", "Edit user information")]
    class UserEditMethod implements JsonRpcMethodInterface
    {
        public function __invoke(JsonRpcRequest $request): mixed
        {
            // Custom permission check
            return ['success' => true];
        }
    }
Architecture
Core Components
- GrantService: Core authorization service that checks permissions
- IsGrantSubscriber: Event subscriber that automatically triggers security checks
- MethodPermission: Custom attribute for declaring method permissions
How It Works
- When a JSON-RPC method is called, the IsGrantSubscriber intercepts the request
- The GrantService analyzes the method's attributes using reflection
- Security checks are performed against the current user's permissions
- Access is granted or denied based on the results
Exception Handling
- AccessDeniedException: Thrown when no user is authenticated
- ApiException: Thrown when the user lacks required permissions (code: -3)
Configuration
Security Configuration
Ensure your Symfony security configuration is properly set up:
    # config/packages/security.yaml
    security:
        providers:
            # Your user providers
        firewalls:
            main:
                # Your firewall configuration
        access_control:
            # Your access control rules
Service Configuration
The bundle automatically registers its services. No additional configuration is required.
Advanced Usage
Custom Attributes
You can create custom permission attributes by extending the MethodPermission attribute:
    use Tourze\JsonRPCSecurityBundle\Attribute\MethodPermission;

    #[\Attribute(\Attribute::TARGET_CLASS | \Attribute::TARGET_METHOD)]
    class AdminOnly extends MethodPermission
    {
        public function __construct(?string $title = 'Admin Only')
        {
            parent::__construct('ROLE_ADMIN', $title);
        }
    }
Multiple Permission Levels
Apply multiple permission checks for complex authorization scenarios:
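    use Symfony\Component\Security\Http\Attribute\IsGranted;
    use Tourze\JsonRPCSecurityBundle\Attribute\MethodPermission;
    use Tourze\JsonRPC\Core\Domain\JsonRpcMethodInterface;

    #[IsGranted('ROLE_USER')]
    #[MethodPermission('user.advanced.access')]
    class AdvancedUserMethod implements JsonRpcMethodInterface
    {
        // Requires both ROLE_USER and custom permission
    }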
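An added example, not part of the bundle or its README: a standalone audit script that uses the kind of attribute reflection described under How It Works to list JSON-RPC method classes and public methods that declare neither IsGranted nor MethodPermission, counting subclasses such as AdminOnly from Custom Attributes. The interface and attribute classes are local stand-ins, and hasGuard and findUnguarded are hypothetical names; whether an unannotated method is meant to be public is left to the reviewer.

```php
<?php
// Stand-ins (assumptions) so this runs without Composer; a project imports the real classes.
interface JsonRpcMethodInterface {}
#[Attribute(Attribute::TARGET_CLASS | Attribute::TARGET_METHOD)]
class IsGranted { public function __construct(public string $attribute) {} }
#[Attribute(Attribute::TARGET_CLASS | Attribute::TARGET_METHOD)]
class MethodPermission { public function __construct(public string $permission, public ?string $title = null) {} }
#[Attribute(Attribute::TARGET_CLASS | Attribute::TARGET_METHOD)]
class AdminOnly extends MethodPermission { public function __construct() { parent::__construct('ROLE_ADMIN', 'Admin Only'); } }

/** True if the class or method declares IsGranted, MethodPermission or a subclass. */
function hasGuard(ReflectionClass|ReflectionMethod $target): bool
{
    foreach ([IsGranted::class, MethodPermission::class] as $attr) {
        // IS_INSTANCEOF makes subclasses such as AdminOnly count as well.
        if ($target->getAttributes($attr, ReflectionAttribute::IS_INSTANCEOF) !== []) {
            return true;
        }
    }
    return false;
}

/** Returns "Class::method" (or "Class") entries with no authorization attribute. */
function findUnguarded(array $classes): array
{
    $findings = [];
    foreach ($classes as $class) {
        $ref = new ReflectionClass($class);
        if (!$ref->implementsInterface(JsonRpcMethodInterface::class) || hasGuard($ref)) {
            continue; // not a JSON-RPC method, or covered by a class-level attribute
        }
        $public = $ref->getMethods(ReflectionMethod::IS_PUBLIC);
        $open = array_filter($public, fn (ReflectionMethod $m) => !hasGuard($m));
        foreach ($public === [] ? [null] : $open as $m) {
            $findings[] = $ref->getName() . ($m ? '::' . $m->getName() : '');
        }
    }
    return $findings;
}

// Constructed sample classes.
#[AdminOnly]
class AdminMethod implements JsonRpcMethodInterface { public function __invoke(): array { return []; } }
class UserManagementMethod implements JsonRpcMethodInterface {
    #[IsGranted('ROLE_ADMIN')] public function deleteUser(int $id): bool { return true; }
    public function exportAll(): array { return []; } // no attribute: reported
}
class PingMethod implements JsonRpcMethodInterface { public function __invoke(): string { return 'pong'; } }
print_r(findUnguarded([AdminMethod::class, UserManagementMethod::class, PingMethod::class]));
```

Run in CI over the project's own method classes, a non-empty result is a prompt to confirm that each listed endpoint is intentionally unauthenticated.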
Testing
Run the test suite with:
./vendor/bin/phpunit packages/json-rpc-security-bundle/tests
Test Coverage
- ✅ MethodPermission attribute: Complete unit tests
- ✅ JsonRPCSecurityBundle: Bundle registration tests
- ✅ JsonRPCSecurityExtension: DI container tests
- ✅ GrantService: Core authorization logic tests
- ✅ IsGrantSubscriber: Event handling tests
- ✅ Integration tests: SecurityBundle dependency now properly configured via BundleDependencyInterface
Current test status: 23/23 tests passing with comprehensive unit test coverage.
API Reference
GrantService
public function checkProcedure(JsonRpcMethodInterface $procedure): void
Checks if the current user has permission to access the given procedure.
Throws:
- AccessDeniedException: When no user is authenticated
- ApiException: When the user lacks required permissions
MethodPermission Attribute
#[MethodPermission(string $permission, ?string $title = null)]
Parameters:
- $permission: Permission identifier (e.g., "user.edit", "admin::users")
- $title: Optional human-readable description
Contributing
- Fork the repository
- Create a feature branch
- Add tests for new functionality
- Ensure all tests pass
- Submit a pull request
License
This project is licensed under the MIT License.