Fix up authorization plugin support

Author: dereuromark

composer.json

@@ -32,7 +32,8 @@
 		"cakephp/debug_kit": "^5.0.1",
 		"composer/semver": "^3.0",
 		"fig-r/psr2r-sniffer": "dev-master",
-		"phpunit/phpunit": "^10.2"
+		"phpunit/phpunit": "^10.2",
+		"slevomat/coding-standard": "~8.15.0"
 	},
 	"minimum-stability": "stable",
 	"prefer-stable": true,

docs/AuthorizationPlugin.md

@@ -18,14 +18,19 @@ use Authorization\Middleware\AuthorizationMiddleware;
 use TinyAuth\Middleware\RequestAuthorizationMiddleware;
 
 // in Application::middleware()
-$config = [
+$middlewareQueue->add(new AuthorizationMiddleware($this, [
     'unauthorizedHandler' => [
         'className' => 'Authorization.Redirect',
-        ...
+        'url' => '...',
     ],
-];
-$middlewareQueue->add(new AuthorizationMiddleware($this, $config));
-$middlewareQueue->add(new RequestAuthorizationMiddleware());
+]));
+$middlewareQueue->add(new RequestAuthorizationMiddleware([
+    'unauthorizedHandler' => [
+        'className' => 'TinyAuth.Redirect',
+        'url' => '...',
+        'unauthorizedMessage' => '...',
+    ],
+])));
 ```
 
 For all the rest just follow the plugin's documentation.

src/Middleware/RequestAuthorizationMiddleware.php

@@ -2,6 +2,7 @@
 
 namespace TinyAuth\Middleware;
 
+use Authorization\Exception\Exception;
 use Authorization\Exception\ForbiddenException;
 use Authorization\Middleware\RequestAuthorizationMiddleware as PluginRequestAuthorizationMiddleware;
 use Authorization\Policy\Result;
@@ -30,7 +31,7 @@ class RequestAuthorizationMiddleware extends PluginRequestAuthorizationMiddlewar
 	/**
 	 * @param array $config Configuration options
 	 */
-	public function __construct($config = []) {
+	public function __construct(array $config = []) {
 		$config += Config::all();
 
 		parent::__construct($config);
@@ -56,10 +57,14 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
 		$identity = $request->getAttribute($this->getConfig('identityAttribute'));
 
 		$can = $service->can($identity, $this->getConfig('method'), $request);
-		if (!$can) {
-			$result = new Result($can, 'Can not ' . $this->getConfig('method') . ' request');
+		try {
+			if (!$can) {
+				$result = new Result($can, 'Can not ' . $this->getConfig('method') . ' request');
 
-			throw new ForbiddenException($result);
+				throw new ForbiddenException($result);
+			}
+		} catch (Exception $exception) {
+			return $this->handleException($exception, $request, $this->getConfig('unauthorizedHandler'));
 		}
 
 		return $handler->handle($request);

src/Middleware/UnauthorizedHandler/RedirectHandler.php

@@ -0,0 +1,57 @@
+<?php
+declare(strict_types=1);
+
+namespace TinyAuth\Middleware\UnauthorizedHandler;
+
+use Authorization\Exception\Exception;
+use Authorization\Exception\ForbiddenException;
+use Authorization\Exception\MissingIdentityException;
+use Authorization\Middleware\UnauthorizedHandler\RedirectHandler as CakeRedirectHandler;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+
+/**
+ * This handler will redirect the response if one of configured exception classes is encountered.
+ */
+class RedirectHandler extends CakeRedirectHandler {
+
+	/**
+	 * Default config:
+	 *
+	 *  - `exceptions` - A list of exception classes.
+	 *  - `url` - Url to redirect to.
+	 *  - `queryParam` - Query parameter name for the target url.
+	 *  - `statusCode` - Redirection status code.
+	 *
+	 * @var array<string, mixed>
+	 */
+	protected array $defaultOptions = [
+		'exceptions' => [
+			MissingIdentityException::class,
+			ForbiddenException::class,
+		],
+		'url' => '/login',
+		'queryParam' => 'redirect',
+		'statusCode' => 302,
+		'unauthorizedMessage' => null,
+	];
+
+	/**
+	 * @param \Authorization\Exception\Exception $exception
+	 * @param \Psr\Http\Message\ServerRequestInterface $request
+	 * @param array<string, mixed> $options
+	 * @return \Psr\Http\Message\ResponseInterface
+	 */
+	public function handle(Exception $exception, ServerRequestInterface $request, array $options = []): ResponseInterface {
+		$response = parent::handle($exception, $request, $options);
+
+		$message = $options['unauthorizedMessage'] ?? __('You are not authorized to access that location');
+		if ($message) {
+			/** @var \Cake\Http\ServerRequest $request */
+			$request->getFlash()->error($message);
+		}
+
+		return $response;
+	}
+
+}