Fix: move request asserting to from core to v1

Jan-Schuppik · Jan-Schuppik · commit 101eac3f6705 · 2025-09-19T11:56:50.000+02:00
diff --git a/library/Notifications/Api/ApiCore.php b/library/Notifications/Api/ApiCore.php
@@ -67,9 +67,6 @@ public function handle(ServerRequestInterface $request): ResponseInterface
                 ->setHeader('Allow', $this->getAllowedMethods());
         }
         $request = $request->withAttribute('httpMethod', $httpMethod);
-        $identifier = $request->getAttribute('identifier');
-        $filterStr = $request->getUri()->getQuery();
-
 
         if (! method_exists($this, $httpMethod->lowercase())) {
             throw (new HttpException(
@@ -79,33 +76,6 @@ public function handle(ServerRequestInterface $request): ResponseInterface
                 ->setHeader('Allow', $this->getAllowedMethods());
         }
 
-        if ($httpMethod !== HttpMethod::GET && ! empty($filterStr)) {
-            throw new HttpBadRequestException(
-                'Unexpected query parameter: Filter is only allowed for GET requests'
-            );
-        }
-        if ($httpMethod === HttpMethod::GET && ! empty($identifier) && ! empty($filterStr)) {
-            throw new HttpBadRequestException(
-                'Invalid request: ' . $httpMethod->uppercase() . ' with identifier and query parameters,'
-                . " it's not allowed to use both together."
-            );
-        }
-        if (
-            in_array($httpMethod, [HttpMethod::PUT, HttpMethod::POST])
-            && $request->getHeaderLine('Content-Type') !== 'application/json'
-        ) {
-            throw new HttpBadRequestException('Invalid request header: Content-Type must be application/json');
-        }
-        if (
-            ! in_array($httpMethod, [HttpMethod::PUT, HttpMethod::POST])
-            && (! empty($request->getBody()->getSize()) || ! empty($request->getParsedBody()))
-        ) {
-            throw new HttpBadRequestException('Invalid request: Body is only allowed for POST and PUT requests');
-        }
-        if (in_array($httpMethod, [HttpMethod::PUT, HttpMethod::DELETE]) && empty($identifier)) {
-            throw new HttpBadRequestException("Invalid request: Identifier is required");
-        }
-
         $this->assertValidRequest($request);
 
         return $this->handleRequest($request);
diff --git a/library/Notifications/Api/V1/ApiV1.php b/library/Notifications/Api/V1/ApiV1.php
@@ -109,7 +109,32 @@ public function handleRequest(ServerRequestInterface $request): ResponseInterfac
 
     protected function assertValidRequest(ServerRequestInterface $request): void
     {
-        if (! empty($identifier = $request->getAttribute('identifier')) && ! Uuid::isValid($identifier)) {
+        $httpMethod = $request->getAttribute('httpMethod');
+        $identifier = $request->getAttribute('identifier');
+        $filterStr = $request->getUri()->getQuery();
+
+        if ($httpMethod !== HttpMethod::GET && ! empty($filterStr)) {
+            throw new HttpBadRequestException(
+                'Unexpected query parameter: Filter is only allowed for GET requests'
+            );
+        }
+        if ($httpMethod === HttpMethod::GET && ! empty($identifier) && ! empty($filterStr)) {
+            throw new HttpBadRequestException(
+                'Invalid request: ' . $httpMethod->uppercase() . ' with identifier and query parameters,'
+                . " it's not allowed to use both together."
+            );
+        }
+        if (
+            ! in_array($httpMethod, [HttpMethod::PUT, HttpMethod::POST])
+            && (! empty($request->getBody()->getSize()) || ! empty($request->getParsedBody()))
+        ) {
+            throw new HttpBadRequestException('Invalid request: Body is only allowed for POST and PUT requests');
+        }
+        if (in_array($httpMethod, [HttpMethod::PUT, HttpMethod::DELETE]) && empty($identifier)) {
+            throw new HttpBadRequestException("Invalid request: Identifier is required");
+        }
+
+        if (! empty($identifier) && ! Uuid::isValid($identifier)) {
             throw new HttpBadRequestException('The given identifier is not a valid UUID');
         }
     }
@@ -173,6 +198,10 @@ function (Condition $condition) use ($allowedColumns, $idColumnName) {
      */
     private function getValidRequestBody(ServerRequestInterface $request): array
     {
+        if ($request->getHeaderLine('Content-Type') !== 'application/json') {
+            throw new HttpBadRequestException('Invalid request header: Content-Type must be application/json');
+        }
+
         if (! empty($parsedBody = $request->getParsedBody()) && is_array($parsedBody)) {
             return $parsedBody;
         }
