Nyholm / psr7-server

Helper classes to use any PSR7 implementation as your main request and response
MIT License
90 stars 21 forks

Scheme detection problem #54

Open thebodzio opened 1 year ago

thebodzio commented 1 year ago

Recently I was bringing up a site based on Grav, which uses psr7-server/ServerRequestCreator.php directly to prepare a request object for further manipulation. The server I was using had the following peculiarity: it had $_SERVER['REQUEST_SCHEME'] set to http and at the same time $_SERVER['HTTPS'] set to on. All of that while I was using exclusively HTTPS. This caused an occasional problem when a redirection was made to e.g. http://example.com:443/about instead of https://example.com/about. I believe the way the scheme detection works now is a problem, since current code will set scheme as http even though the server also reports $_SERVER['HTTPS'] as being used. I mean this fragment:

https://github.com/Nyholm/psr7-server/blob/b846a689844cef114e8079d8c80f0afd96745ae3/src/ServerRequestCreator.php#L272-L276

Shouldn't the HTTPS header have precedence here? Something like this code here (from https://www.designcise.com/web/tutorial/how-to-check-for-https-request-in-php):

$isHttps = 
    $_SERVER['HTTPS']
    ?? $_SERVER['REQUEST_SCHEME']
    ?? $_SERVER['HTTP_X_FORWARDED_PROTO']
    ?? null
;

$isHttps = 
    $isHttps && (
        strcasecmp('on', $isHttps) == 0
        || strcasecmp('https', $isHttps) == 0
    )
;

or, at least, reverse the order of condition checks?

I think this problem is somewhat related, but not identical to https://github.com/Nyholm/psr7-server/issues/29.
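
Added example, not part of the original issue and not psr7-server code: a scheme resolver that gives `$_SERVER['HTTPS']` precedence over `REQUEST_SCHEME`, run against the server state reported above. The function name `detectScheme`, the `$trustedProxies` allow-list, the sample addresses, and the choice to honour `X-Forwarded-Proto` only from a listed proxy (the header is supplied by the client) are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Hypothetical helper for illustration; not the library's implementation.
function detectScheme(array $server, array $trustedProxies = []): string
{
    // 1. HTTPS as reported by the web server takes precedence.
    //    PHP documents it as non-empty for HTTPS; IIS sets "off" for plain HTTP.
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    if ($https !== '' && $https !== 'off') {
        return 'https';
    }

    // 2. X-Forwarded-Proto is a request header, so any client can send it.
    //    Use it only when the direct peer is a known TLS-terminating proxy.
    $peer = (string) ($server['REMOTE_ADDR'] ?? '');
    if (in_array($peer, $trustedProxies, true)) {
        $raw = (string) ($server['HTTP_X_FORWARDED_PROTO'] ?? '');
        $forwarded = strtolower(trim(explode(',', $raw)[0]));
        if ($forwarded === 'https' || $forwarded === 'http') {
            return $forwarded;
        }
    }

    // 3. REQUEST_SCHEME is consulted last.
    $scheme = strtolower((string) ($server['REQUEST_SCHEME'] ?? ''));
    return $scheme === 'https' ? 'https' : 'http';
}

// Constructed $_SERVER samples (not captured from a real host).
$cases = [
    'reported state (issue)' => [['HTTPS' => 'on', 'REQUEST_SCHEME' => 'http'], 'https'],
    'HTTPS=off, plain HTTP'  => [['HTTPS' => 'off', 'REQUEST_SCHEME' => 'http'], 'http'],
    'trusted proxy, TLS'     => [['REMOTE_ADDR' => '10.0.0.5', 'REQUEST_SCHEME' => 'http',
                                  'HTTP_X_FORWARDED_PROTO' => 'https'], 'https'],
    'spoofed forward header' => [['REMOTE_ADDR' => '203.0.113.9', 'REQUEST_SCHEME' => 'http',
                                  'HTTP_X_FORWARDED_PROTO' => 'https'], 'http'],
];

foreach ($cases as $name => [$server, $expected]) {
    $got = detectScheme($server, ['10.0.0.5']);
    printf("%-24s %-5s %s\n", $name, $got, $got === $expected ? 'ok' : 'MISMATCH');
}
```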