Merge pull request #984 from shlinkio/release/2.5.2

Release/2.5.2

.dockerignore

@@ -21,3 +21,4 @@ infection*
 **/test*
 build*
 **/.*
+bin/helper

CHANGELOG.md

@@ -4,7 +4,44 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com), and this project adheres to [Semantic Versioning](https://semver.org).
 
-## [Unreleased]
+## [2.5.2] - 2021-01-24
+### Added
+* [#965](https://github.com/shlinkio/shlink/issues/965) Added docs section for Architectural Decision Records, including the one for API key roles.
+
+### Changed
+* *Nothing*
+
+### Deprecated
+* *Nothing*
+
+### Removed
+* *Nothing*
+
+### Fixed
+* [#979](https://github.com/shlinkio/shlink/issues/979) Added missing `itemsPerPage` query param to swagger docs for short RULs list.
+* [#980](https://github.com/shlinkio/shlink/issues/980) Fixed value used for `Access-Control-Allow-Origin`, that could not work as expected when including an IP address.
+* [#947](https://github.com/shlinkio/shlink/issues/947) Fixed incorrect value returned in `Access-Control-Allow-Methods` header, which always contained all methods.
+
+
+## [2.5.1] - 2021-01-21
+### Added
+* *Nothing*
+
+### Changed
+* *Nothing*
+
+### Deprecated
+* *Nothing*
+
+### Removed
+* *Nothing*
+
+### Fixed
+* [#968](https://github.com/shlinkio/shlink/issues/968) Fixed index error in MariaDB while updating to v2.5.0.
+* [#972](https://github.com/shlinkio/shlink/issues/972) Fixed 500 error when calling single-step short URL creation endpoint.
+
+
+## [2.5.0] - 2021-01-17
 ### Added
 * [#795](https://github.com/shlinkio/shlink/issues/795) and [#882](https://github.com/shlinkio/shlink/issues/882) Added new roles system to API keys.
 
@@ -24,6 +61,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com), and this
 
 ### Changed
 * [#912](https://github.com/shlinkio/shlink/issues/912) Changed error templates to be plain html files, removing the dependency on `league/plates` package.
+* [#875](https://github.com/shlinkio/shlink/issues/875) Updated to `mezzio/mezzio-swoole` v3.1.
+* [#952](https://github.com/shlinkio/shlink/issues/952) Simplified in-project docs, by keeping only the basics and linking to the websites docs for anything else.
 
 ### Deprecated
 * [#917](https://github.com/shlinkio/shlink/issues/917) Deprecated `/{shortCode}/qr-code/{size}` URL, in favor of providing the size in the query instead, `/{shortCode}/qr-code?size={size}`.

CONTRIBUTING.md

@@ -46,27 +46,28 @@ This is a simplified version of the project structure:
 ```
 shlink
 ├── bin
-│   ├── cli
-│   ├── install
-│   └── update
+│   ├── cli
+│   ├── install
+│   └── update
 ├── config
-│   ├── autoload
-│   ├── params
-│   ├── config.php
-│   └── container.php
+│   ├── autoload
+│   ├── params
+│   ├── config.php
+│   └── container.php
 ├── data
-│   ├── cache
-│   ├── locks
-│   ├── log
-│   ├── migrations
-│   └── proxies
+│   ├── cache
+│   ├── locks
+│   ├── log
+│   ├── migrations
+│   └── proxies
 ├── docs
-│   ├── async-api
-│   └── swagger
+│   ├── adr
+│   ├── async-api
+│   └── swagger
 ├── module
-│   ├── CLI
-│   ├── Core
-│   └── Rest
+│   ├── CLI
+│   ├── Core
+│   └── Rest
 ├── public
 ├── composer.json
 └── README.md
@@ -77,7 +78,7 @@ The purposes of every folder are:
 * `bin`: It contains the CLI tools. The `cli` one is the main entry point to run shlink from the command line, while `install` and `update` are helper tools used to install and update shlink when not using the docker image.
 * `config`: Contains application-wide configurations, which are later merged with the ones provided by every module.
 * `data`: Common runtime-generated git-ignored assets, like logs, caches, etc.
-* `docs`: Any project documentation is stored here, like API spec definitions.
+* `docs`: Any project documentation is stored here, like API spec definitions or architectural decision records.
 * `module`: Contains a subfolder for every module in the project. Modules contain the source code, tests and configurations for every context in the project.
 * `public`: Few assets (like `favicon.ico` or `robots.txt`) and the web entry point are stored here. This web entry point is not used when serving the app with swoole.
 
@@ -134,3 +135,9 @@ In order to provide pull requests to this project, you should always start by cr
 The base branch should always be `develop`, and the target branch for the pull request should also be `develop`.
 
 Before your branch can be merged, all the checks described in [Running code checks](#running-code-checks) have to be passing. You can verify that manually by running `./indocker composer ci`, or wait for the build to be run automatically after the pull request is created.
+
+## Architectural Decision Records
+
+The project includes logs for some architectural decisions, using the [adr](https://adr.github.io/) proposal.
+
+If you are curious or want to understand why something has been built in some specific way, [take a look at them](docs/adr).

README.md

@@ -9,36 +9,33 @@
 
 A PHP-based self-hosted URL shortener that can be used to serve shortened URLs under your own custom domain.
 
-> This document references Shlink 2.x. If you are using an older version and want to upgrade, follow the [UPGRADE](UPGRADE.md) doc.
-
-> If you are trying to find out how to run the project in development mode or how to provide contributions, read the [CONTRIBUTING](CONTRIBUTING.md) doc.
-
 ## Table of Contents
 
-- [Installation](#installation)
+- [Full documentation](#full-documentation)
+- [Docker image](#docker-image)
+- [Self hosted](#self-hosted)
     - [Download](#download)
     - [Configure](#configure)
-    - [Serve](#serve)
-    - [Bonus](#bonus)
-- [Update to new version](#update-to-new-version)
-    - [Update a configuration option](#update-a-configuration-option)
-- [Using a docker image](#using-a-docker-image)
 - [Using shlink](#using-shlink)
-    - [Shlink CLI Help](#shlink-cli-help)
-- [Multiple domains](#multiple-domains)
-    - [Management](#management)
-    - [Visits](#visits)
-    - [Special redirects](#special-redirects)
+- [Contributing](#contributing)
 
-## Installation
+## Full documentation
 
-> These are the steps needed to install Shlink if you plan to manually host it. 
->
-> Alternatively, you can use the official docker image. If that's your intention, jump directly to [Using a docker image](#using-a-docker-image)
+This document contains the very basics to get started with Shlink. If you want to learn everything you can do with it, visit the [full searchable documentation](https://shlink.io/documentation/).
+
+## Docker image
+
+Starting with version 1.15.0, an official docker image is provided. You can learn how to use it by reading [the docs](https://shlink.io/documentation/install-docker-image/).
+
+The idea is that you can just generate a container using the image and provide the custom config via env vars.
+
+## Self hosted
 
 First, make sure the host where you are going to run shlink fulfills these requirements:
 
-* PHP 7.4 or greater with JSON, curl, PDO, intl and gd extensions enabled.
+* PHP 7.4 with JSON, curl, PDO, intl and gd extensions enabled (PHP 8.0 support is coming).
+    * apcu extension is recommended if you don't plan to use swoole.
+    * xml extension is required if you want to generate QR codes in svg format.
 * MySQL, MariaDB, PostgreSQL, Microsoft SQL Server or SQLite.
 * The web server of your choice with PHP integration (Apache or Nginx recommended).
 
@@ -64,7 +61,7 @@ In order to run Shlink, you will need a built version of the project. There are
 
     After that, you will have a `shlink_x.x.x_dist.zip` dist file inside the `build` directory, that you need to decompress in the location fo your choice.
 
-    > This is the process used when releasing new shlink versions. After tagging the new version with git, the Github release is automatically created by [travis](https://travis-ci.com/shlinkio/shlink), attaching the generated dist file to it.
+    > This is the process used when releasing new shlink versions. After tagging the new version with git, the Github release is automatically created by a [GitHub workflow](https://github.com/shlinkio/shlink/actions?query=workflow%3A%22Publish+release%22), attaching the generated dist file to it.
 
 ### Configure
 
@@ -75,172 +72,6 @@ Despite how you built the project, you now need to configure it, by following th
 * Setup the application by running the `bin/install` script. It is a command line tool that will guide you through the installation process. **Take into account that this tool has to be run directly on the server where you plan to host Shlink. Do not run it before uploading/moving it there.**
 * Generate your first API key by running `bin/cli api-key:generate`. You will need the key in order to interact with shlink's API.
 
-### Serve
-
-Once Shlink is configured, you need to expose it to the web, either by using a traditional web server + fast CGI approach, or by using a [swoole](https://www.swoole.co.uk/) non-blocking server.
-
-* **Using a web server:**
-
-    For example, assuming your domain is doma.in and shlink is in the `/path/to/shlink` folder, these would be the basic configurations for Nginx and Apache.
-
-    *Nginx:*
-
-    ```nginx
-    server {
-        server_name doma.in;
-        listen 80;
-        root /path/to/shlink/public;
-        index index.php;
-        charset utf-8;
-
-        location / {
-            try_files $uri $uri/ /index.php$is_args$args;
-        }
-
-        location ~ \.php$ {
-            fastcgi_split_path_info ^(.+\.php)(/.+)$;
-            fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
-            fastcgi_index index.php;
-            include fastcgi.conf;
-        }
-
-        location ~ /\.ht {
-            deny all;
-        }
-    }
-    ```
-
-    *Apache:*
-
-    ```apache
-    <VirtualHost *:80>
-        ServerName doma.in
-        DocumentRoot "/path/to/shlink/public"
-
-        <Directory "/path/to/shlink/public">
-            Options FollowSymLinks Includes ExecCGI
-            AllowOverride all
-            Order allow,deny
-            Allow from all
-        </Directory>
-    </VirtualHost>
-    ```
-
-* **Using swoole:**
-
-    First you need to install the swoole PHP extension with [pecl](https://pecl.php.net/package/swoole), `pecl install swoole`.
-
-    Once installed, it's actually pretty easy to get shlink up and running with swoole. Run `./vendor/bin/mezzio-swoole start -d` and you will get shlink running on port 8080.
-
-    However, by doing it this way, you are loosing all the access logs, and the service won't be automatically run if the server has to be restarted.
-
-    For that reason, you should create a daemon script, in `/etc/init.d/shlink_swoole`, like this one, replacing `/path/to/shlink` by the path to your shlink installation:
-
-    ```bash
-    #!/bin/bash
-    ### BEGIN INIT INFO
-    # Provides:          shlink_swoole
-    # Required-Start:    $local_fs $network $named $time $syslog
-    # Required-Stop:     $local_fs $network $named $time $syslog
-    # Default-Start:     2 3 4 5
-    # Default-Stop:      0 1 6
-    # Description:       Shlink non-blocking server with swoole
-    ### END INIT INFO
-
-    SCRIPT=/path/to/shlink/vendor/bin/mezzio-swoole\ start
-    RUNAS=root
-
-    PIDFILE=/var/run/shlink_swoole.pid
-    LOGDIR=/var/log/shlink
-    LOGFILE=${LOGDIR}/shlink_swoole.log
-
-    start() {
-      if [[ -f "$PIDFILE" ]] && kill -0 $(cat "$PIDFILE"); then
-        echo 'Shlink with swoole already running' >&2
-        return 1
-      fi
-      echo 'Starting shlink with swoole' >&2
-      mkdir -p "$LOGDIR"
-      touch "$LOGFILE"
-      local CMD="$SCRIPT &> \"$LOGFILE\" & echo \$!"
-      su -c "$CMD" $RUNAS > "$PIDFILE"
-      echo 'Shlink started' >&2
-    }
-
-    stop() {
-      if [[ ! -f "$PIDFILE" ]] || ! kill -0 $(cat "$PIDFILE"); then
-        echo 'Shlink with swoole not running' >&2
-        return 1
-      fi
-      echo 'Stopping shlink with swoole' >&2
-      kill -15 $(cat "$PIDFILE") && rm -f "$PIDFILE"
-      echo 'Shlink stopped' >&2
-    }
-
-    case "$1" in
-      start)
-        start
-        ;;
-      stop)
-        stop
-        ;;
-      restart)
-        stop
-        start
-        ;;
-      *)
-        echo "Usage: $0 {start|stop|restart}"
-    esac
-    ```
-
-    Then run these commands to enable the service and start it:
-
-    * `sudo chmod +x /etc/init.d/shlink_swoole`
-    * `sudo update-rc.d shlink_swoole defaults`
-    * `sudo update-rc.d shlink_swoole enable`
-    * `/etc/init.d/shlink_swoole start`
-
-    Now again, you can access shlink on port 8080, but this time the service will be automatically run at system start-up, and all access logs will be written in `/var/log/shlink/shlink_swoole.log` (you will probably want to [rotate those logs](https://www.digitalocean.com/community/tutorials/how-to-manage-logfiles-with-logrotate-on-ubuntu-16-04). You can find an example logrotate config file [here](data/infra/examples/shlink-daemon-logrotate.conf)).
-
-Finally access to [https://app.shlink.io](https://app.shlink.io) and configure your server to start creating short URLs.
-
-### Bonus
-
-Geo-locating visits to your short links is a time-consuming task. When serving Shlink with swoole, the geo-location task is automatically run asynchronously just after a visit to a short URL happens.
-
-However, if you are not serving Shlink with swoole, you will have to schedule the geo-location task to be run regularly in the background (for example, using cron jobs):
-
-The command you need to run is `/path/to/shlink/bin/cli visit:locate`, and you can optionally provide the `-q` flag to remove any output and avoid your cron logs to be polluted.
-
-## Update to new version
-
-When a new Shlink version is available, you don't need to repeat the entire process. Instead, follow these steps:
-
-1. Rename your existing Shlink directory to something else (ie. `shlink` ---> `shlink-old`).
-2. Download and extract the new version of Shlink, and set the directory name to that of the old version (ie. `shlink`).
-3. Run the `bin/update` script in the new version's directory to migrate your configuration over. You will be asked to provide the path to the old instance (ie. `shlink-old`).
-4. If you are using shlink with swoole, restart the service by running `/etc/init.d/shlink_swoole restart`.
-
-The `bin/update` will use the location from previous shlink version to import the configuration. It will then update the database and generate some assets shlink needs to work.
-
-**Important!** It is recommended that you don't skip any version when using this process. The update tool gets better on every version, but older versions might make assumptions.
-
-### Update a configuration option
-
-Sometimes you need to update the configuration on your shlink instance. Maybe you want to change the GeoLite2 license key, or move from http to https.
-
-In order to do that, run `bin/set-option` and follow the instructions. You will be asked to select the option to change, and then you will be asked to provide the new value.
-
-This script will take care of updating that value without changing anything else, and it will also delete the configuration cache so that the new value is applied.
-
-> This script will fail if you didn't run `bin/install` at least once.
-
-## Using a docker image
-
-Starting with version 1.15.0, an official docker image is provided. You can learn how to use it by reading [the docs](docker/README.md).
-
-The idea is that you can just generate a container using the image and provide custom config via env vars.
-
 ## Using shlink
 
 Once shlink is installed, there are two main ways to interact with it:
@@ -253,109 +84,13 @@ Once shlink is installed, there are two main ways to interact with it:
 
 * **The REST API**. The complete docs on how to use the API can be found [here](https://shlink.io/documentation/api-docs), and a sandbox which also documents every endpoint can be found in the [API Spec](https://api-spec.shlink.io/) portal.
 
-    However, you probably don't want to consume the raw API yourself. That's why a nice [web client](https://github.com/shlinkio/shlink-web-client) is provided that can be directly used from [https://app.shlink.io](https://app.shlink.io), or you can host it yourself too.
+    However, you probably don't want to consume the raw API yourself. That's why a nice [web client](https://github.com/shlinkio/shlink-web-client) is provided that can be directly used from [https://app.shlink.io](https://app.shlink.io), or hosted by yourself.
 
 Both the API and CLI allow you to do the same operations, except for API key management, which can be done from the command line interface only.
 
-### Shlink CLI Help
+## Contributing
 
-```
-Usage:
-  command [options] [arguments]
-
-Options:
-  -h, --help            Display this help message
-  -q, --quiet           Do not output any message
-  -V, --version         Display this application version
-      --ansi            Force ANSI output
-      --no-ansi         Disable ANSI output
-  -n, --no-interaction  Do not ask any interactive question
-  -v|vv|vvv, --verbose  Increase the verbosity of messages: 1 for normal output, 2 for more verbose output and 3 for debug
-
-Available commands:
-  help                Displays help for a command
-  list                Lists commands
- api-key
-  api-key:disable     Disables an API key.
-  api-key:generate    Generates a new valid API key.
-  api-key:list        Lists all the available API keys.
- db
-  db:create           Creates the database needed for shlink to work. It will do nothing if the database already exists
-  db:migrate          Runs database migrations, which will ensure the shlink database is up to date.
- short-url
-  short-url:delete    Deletes a short URL
-  short-url:generate  Generates a short URL for provided long URL and returns it
-  short-url:list      List all short URLs
-  short-url:parse     Returns the long URL behind a short code
-  short-url:visits    Returns the detailed visits information for provided short code
- tag
-  tag:create          Creates one or more tags.
-  tag:delete          Deletes one or more tags.
-  tag:list            Lists existing tags.
-  tag:rename          Renames one existing tag.
- visit
-  visit:locate        Resolves visits origin locations.
-```
-
-## Multiple domains
-
-While in many cases you will just have one short domain and you'll want all your short URLs to be served from it, there are some cases in which you might want to have multiple short domains served from the same Shlink instance.
-
-If that's the case, you need to understand how Shlink will behave when managing your short URLs or any of them is visited.
-
-### Management
-
-When you create a short URL it is possible to optionally pass a `domain` param. If you don't pass it, the short URL will be created for the default domain (the one provided during Shlink's installation or in the `SHORT_DOMAIN_HOST` env var when using the docker image).
-
-However, if you pass it, the short URL will be "linked" to that domain.
-
-> Note that, if the default domain is passed, Shlink will ignore it and will behave as if no `domain` param was provided.
-
-The main benefit of being able to pass the domain is that Shlink will allow the same custom slug to be used in multiple short URLs, as long as the domain is different (like `example.com/my-compaign`, `another.com/my-compaign` and `foo.com/my-compaign`).
-
-Then, each short URL will be tracked separately and you will be able to define specific tags and metadata for each one of them.
-
-However, this has a side effect. When you try to interact with an existing short URL (editing tags, editing meta, resolving it or deleting it), either from the REST API or the CLI tool, you will have to provide the domain appropriately.
-
-Let's imagine this situation. Shlink's default domain is `example.com`, and you have the next short URLs:
-
-* `https://example.com/abc123` -> a regular short URL where no domain was provided.
-* `https://example.com/my-campaign` -> a regular short URL where no domain was provided, but it has a custom slug.
-* `https://another.com/my-campaign` -> a short URL where the `another.com` domain was provided, and it has a custom slug.
-* `https://another.com/def456` -> a short URL where the `another.com` domain was provided.
-
-These are some of the results you will get when trying to interact with them, depending on the params you provide:
-
-* Providing just the `abc123` short code -> the first URL will be matched.
-* Providing just the `my-campaign` short code -> the second URL will be matched, since you did not specify a domain, therefor, Shlink looks for the one with the short code/slug `my-campaign` which is also linked to default domain (or not linked to any domain, to be more accurate).
-* Providing the `my-campaign` short code and the `another.com` domain -> The third one will be matched.
-* Providing just the `def456` short code -> Shlink will fail/not find any short URL, since there's none with the short code `def456` linked to default domain.
-* Providing the `def456` short code and the `another.com` domain -> The fourth short URL will be matched.
-* Providing any short code and the `foo.com` domain -> Again, no short URL will be found, as there's none linked to `foo.com` domain.
-
-### Visits
-
-Before adding support for multiple domains, you could point as many domains as you wanted to Shlink, and they would have always worked for existing short codes/slugs.
-
-In order to keep backwards compatibility, Shlink's behavior when a short URL is visited is slightly different, getting to fallback in some cases.
-
-Let's continue with previous example, and also consider we have three domains that will resolve to our Shlink instance, which are `example.com`, `another.com` and `foo.com`.
-
-With that in mind, this is how Shlink will behave when the next short URLs are visited:
-
-* `https://another.com/abc123` -> There was no short URL specifically defined for domain `another.com` and short code `abc123`, but it exists for default domain (`example.com`), so it will fall back to it and redirect to where `example.com/abc123` is configured to redirect.
-* `https://example.com/def456` -> The fall-back does not happen from default domain to specific ones, only the other way around (like in previous case). Because of that, this one will result in a not-found URL, even though the `def456` short code exists for `another.com` domain.
-* `https://foo.com/abc123` -> This will also fall-back to `example.com/abc123`, like in the first case.
-* `https://another.com/non-existing` -> The combination of `another.com` domain with the `non-existing` slug does not exist, so Shlink will try to fall-back to the same but for default domain (`example.com`). However, since that combination does not exist either, it will result in a not-found URL.
-* Any other short URL visited exactly as it was configured will, of course, resolve as expected.
-
-### Special redirects
-
-It is currently possible to configure some special redirects when the base domain is visited, a URL does not match, or an invalid/disabled short URL is visited.
-
-Those are configured during Shlink's installation or via env vars when using the docker image.
-
-Currently those are all shared for all domains serving the same Shlink instance, but the plan is to update that and allow specific ones for every existing domain.
+If you are trying to find out how to run the project in development mode or how to provide contributions, read the [CONTRIBUTING](CONTRIBUTING.md) doc.
 
 ---
 

bin/helper/mezzio-swoole

@@ -0,0 +1,51 @@
+#!/usr/bin/env php
+<?php
+
+/**
+ * @deprecated To be removed with Shlink 3.0.0
+ * This script is provided to keep backwards compatibility on how to run shlink with swoole while being still able to
+ * update to mezzio/mezzio-swoole 3.x
+ */
+
+declare(strict_types=1);
+
+namespace Mezzio\Swoole\Command;
+
+use Laminas\ServiceManager\ServiceManager;
+use PackageVersions\Versions;
+use Symfony\Component\Console\Application as CommandLine;
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\CommandLoader\ContainerCommandLoader;
+
+use function explode;
+use function Functional\filter;
+use function str_starts_with;
+use function strstr;
+
+/** @var ServiceManager $container */
+$container = require __DIR__ . '/../../config/container.php';
+$version = strstr(Versions::getVersion('mezzio/mezzio-swoole'), '@', true);
+$commandsPrefix = 'mezzio:swoole:';
+$commands = filter(
+    $container->get('config')['laminas-cli']['commands'] ?? [],
+    fn ($c, string $command) => str_starts_with($command, $commandsPrefix),
+);
+$registeredCommands = [];
+
+foreach ($commands as $newName => $commandServiceName) {
+    [, $oldName] = explode($commandsPrefix, $newName);
+    $registeredCommands[$oldName] = $commandServiceName;
+
+    $container->addDelegator($commandServiceName, static function ($c, $n, callable $factory) use ($oldName) {
+        /** @var Command $command */
+        $command = $factory();
+        $command->setAliases([$oldName]);
+
+        return $command;
+    });
+}
+
+$commandLine = new CommandLine('Mezzio web server', $version);
+$commandLine->setAutoExit(true);
+$commandLine->setCommandLoader(new ContainerCommandLoader($container, $registeredCommands));
+$commandLine->run();

bin/test/run-api-tests.sh

@@ -4,16 +4,16 @@ export DB_DRIVER=mysql
 export TEST_ENV=api
 
 # Try to stop server just in case it hanged in last execution
-vendor/bin/mezzio-swoole stop
+vendor/bin/laminas mezzio:swoole:stop
 
 echo 'Starting server...'
-vendor/bin/mezzio-swoole start -d
+vendor/bin/laminas mezzio:swoole:start -d
 sleep 2
 
 vendor/bin/phpunit --order-by=random -c phpunit-api.xml --testdox --colors=always --log-junit=build/coverage-api/junit.xml $*
 testsExitCode=$?
 
-vendor/bin/mezzio-swoole stop
+vendor/bin/laminas mezzio:swoole:stop
 
 # Exit this script with the same code as the tests. If tests failed, this script has to fail
 exit $testsExitCode

build.sh

@@ -28,6 +28,9 @@ echo "Installing dependencies with $composerBin..."
 ${composerBin} self-update
 ${composerBin} install --no-dev --optimize-autoloader --prefer-dist --no-progress --no-interaction
 
+# Copy mezzio helper script to vendor (deprecated - Remove with Shlink 3.0.0)
+cp "${projectdir}/bin/helper/mezzio-swoole" "./vendor/bin"
+
 # Delete development files
 echo 'Deleting dev files...'
 rm composer.*

composer.json

@@ -39,7 +39,7 @@
         "mezzio/mezzio-fastroute": "^3.1",
         "mezzio/mezzio-helpers": "^5.3",
         "mezzio/mezzio-problem-details": "^1.1",
-        "mezzio/mezzio-swoole": "^2.6.4",
+        "mezzio/mezzio-swoole": "^3.1",
         "monolog/monolog": "^2.0",
         "nikolaposa/monolog-factory": "^3.1",
         "ocramius/proxy-manager": "^2.11",
@@ -47,9 +47,9 @@
         "predis/predis": "^1.1",
         "pugx/shortid-php": "^0.7",
         "ramsey/uuid": "^3.9",
-        "shlinkio/shlink-common": "dev-main#1311861 as 3.4",
+        "shlinkio/shlink-common": "^3.4",
         "shlinkio/shlink-config": "^1.0",
-        "shlinkio/shlink-event-dispatcher": "^1.6",
+        "shlinkio/shlink-event-dispatcher": "^2.0",
         "shlinkio/shlink-importer": "^2.1",
         "shlinkio/shlink-installer": "^5.3",
         "shlinkio/shlink-ip-geolocation": "^1.5",
@@ -71,7 +71,7 @@
         "phpunit/phpunit": "^9.5",
         "roave/security-advisories": "dev-master",
         "shlinkio/php-coding-standard": "~2.1.1",
-        "shlinkio/shlink-test-utils": "^1.7",
+        "shlinkio/shlink-test-utils": "^2.0",
         "symfony/var-dumper": "^5.2",
         "veewee/composer-run-parallel": "^0.1.0"
     },

data/infra/examples/shlink-daemon.sh

@@ -8,7 +8,7 @@
 # Description:       Shlink non-blocking server with swoole
 ### END INIT INFO
 
-SCRIPT=/path/to/shlink/vendor/bin/mezzio-swoole\ start
+SCRIPT=/path/to/shlink/vendor/bin/laminas\ mezzio:swoole:start
 RUNAS=root
 
 PIDFILE=/var/run/shlink_swoole.pid

data/infra/swoole.Dockerfile

@@ -95,4 +95,4 @@ CMD \
     if [[ ! -d "./vendor" ]]; then /usr/local/bin/composer install ; fi && \
     # When restarting the container, swoole might think it is already in execution
     # This forces the app to be started every second until the exit code is 0
-    until php ./vendor/bin/mezzio-swoole start; do sleep 1 ; done
+    until php ./vendor/bin/laminas mezzio:swoole:start; do sleep 1 ; done

data/migrations/Version20210102174433.php

@@ -25,7 +25,7 @@ final class Version20210102174433 extends AbstractMigration
         $table->setPrimaryKey(['id']);
 
         $table->addColumn('role_name', Types::STRING, [
-            'length' => 256,
+            'length' => 255,
             'notnull' => true,
         ]);
         $table->addColumn('meta', Types::JSON, [

data/migrations/Version20210118153932.php

@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace ShlinkMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+final class Version20210118153932 extends AbstractMigration
+{
+    public function up(Schema $schema): void
+    {
+        // Prev migration used to set the length to 256, which made some set-ups crash
+        // It has been updated to 255, and this migration ensures whoever managed to run the prev one, gets the value
+        // also updated to 255
+
+        $rolesTable = $schema->getTable('api_key_roles');
+        $nameColumn = $rolesTable->getColumn('role_name');
+        $nameColumn->setLength(255);
+    }
+
+    public function down(Schema $schema): void
+    {
+    }
+}

docker/README.md

@@ -1,76 +1,21 @@
 # Shlink Docker image
 
-[![Docker pulls](https://img.shields.io/docker/pulls/shlinkio/shlink.svg?style=flat-square)](https://hub.docker.com/r/shlinkio/shlink/)
+[![Docker build status](https://img.shields.io/github/workflow/status/shlinkio/shlink/Build%20docker%20image?logo=docker&style=flat-square)](https://github.com/shlinkio/shlink/actions?query=workflow%3A%22Build+docker+image%22)
+[![Docker pulls](https://img.shields.io/docker/pulls/shlinkio/shlink.svg?logo=docker&style=flat-square)](https://hub.docker.com/r/shlinkio/shlink/)
 
 This image provides an easy way to set up [shlink](https://shlink.io) on a container-based runtime.
 
-It exposes a shlink instance served with [swoole](https://www.swoole.co.uk/), which persists data in a local [sqlite](https://www.sqlite.org/index.html) database.
+It exposes a shlink instance served with [swoole](https://www.swoole.co.uk/), which can be linked to external databases to persist data.
 
 ## Usage
 
-Shlink docker image exposes port `8080` in order to interact with its HTTP interface.
-
-It also expects these two env vars to be provided, in order to properly generate short URLs at runtime.
+The most basic way to run Shlink's docker image is by providing these mandatory env vars.
 
 * `SHORT_DOMAIN_HOST`: The custom short domain used for this shlink instance. For example **doma.in**.
 * `SHORT_DOMAIN_SCHEMA`: Either **http** or **https**.
+* `GEOLITE_LICENSE_KEY`: Your GeoLite2 license key. [Learn more](https://shlink.io/documentation/geolite-license-key/) about this.
 
-So based on this, to run shlink on a local docker service, you should run a command like this:
-
-```bash
-docker run --name shlink -p 8080:8080 -e SHORT_DOMAIN_HOST=doma.in -e SHORT_DOMAIN_SCHEMA=https -e GEOLITE_LICENSE_KEY=kjh23ljkbndskj345 shlinkio/shlink:stable
-```
-
-### Interact with shlink's CLI on a running container.
-
-Once the shlink container is running, you can interact with the CLI tool by running `shlink` with any of the supported commands.
-
-For example, if the container is called `shlink_container`, you can generate a new API key with:
-
-```bash
-docker exec -it shlink_container shlink api-key:generate
-```
-
-Or you can list all tags with:
-
-```bash
-docker exec -it shlink_container shlink tag:list
-```
-
-Or locate remaining visits with:
-
-```bash
-docker exec -it shlink_container shlink visit:locate
-```
-
-All shlink commands will work the same way.
-
-You can also list all available commands just by running this:
-
-```bash
-docker exec -it shlink_container shlink
-```
-
-## Use an external DB
-
-The image comes with a working sqlite database, but in production, it's strongly recommended using a distributed database.
-
-It is possible to use a set of env vars to make this shlink instance interact with an external MySQL, MariaDB, PostgreSQL or Microsoft SQL Server database.
-
-* `DB_DRIVER`: **[Mandatory]**. Use the value **mysql**, **maria**, **postgres** or **mssql** to prevent the sqlite database to be used.
-* `DB_NAME`: [Optional]. The database name to be used. Defaults to **shlink**.
-* `DB_USER`: **[Mandatory]**. The username credential for the database server.
-* `DB_PASSWORD`: **[Mandatory]**. The password credential for the database server.
-* `DB_HOST`: **[Mandatory]**. The host name of the server running the database engine.
-* `DB_PORT`: [Optional]. The port in which the database service is running.
-    * Default value is based on the value provided for `DB_DRIVER`:
-        * **mysql** or **maria** -> `3306`
-        * **postgres** -> `5432`
-        * **mssql** -> `1433`
-
-> PostgreSQL is supported since v1.16.1 and Microsoft SQL server since v2.1.0. Do not try to use them with previous versions.
-
-Taking this into account, you could run shlink on a local docker service like this:
+To run shlink on top of a local docker service, and using an internal SQLite database, do the following:
 
 ```bash
 docker run \
@@ -78,227 +23,12 @@ docker run \
     -p 8080:8080 \
     -e SHORT_DOMAIN_HOST=doma.in \
     -e SHORT_DOMAIN_SCHEMA=https \
-    -e DB_DRIVER=mysql \
-    -e DB_USER=root \
-    -e DB_PASSWORD=123abc \
-    -e DB_HOST=something.rds.amazonaws.com \
-    shlinkio/shlink:stable
-```
-
-You could even link to a local database running on a different container:
-
-```bash
-docker run \
-    --name shlink \
-    -p 8080:8080 \
-    [...] \
-    -e DB_HOST=some_mysql_container \
-    --link some_mysql_container \
-    shlinkio/shlink:stable
-```
-
-> If you have considered using SQLite but sharing the database file with a volume, read [this issue](https://github.com/shlinkio/shlink-docker-image/issues/40) first.
-
-## Other integrations
-
-### Use an external redis server
-
-If you plan to run more than one Shlink instance, there are some resources that should be shared ([Multi instance considerations](#multi-instance-considerations)).
-
-One of those resources are the locks Shlink generates to prevent some operations to be run more than once in parallel (in the future, these redis servers could be used for other caching operations).
-
-In order to share those locks, you should use an external redis server (or a cluster of redis servers), by providing the `REDIS_SERVERS` env var.
-
-It can be either one server name or a comma-separated list of servers.
-
-> If more than one redis server is provided, Shlink will expect them to be configured as a [redis cluster](https://redis.io/topics/cluster-tutorial).
-
-### Integrate with a mercure hub server
-
-One way to get real time updates when certain events happen in Shlink is by integrating it with a [mercure hub](https://mercure.rocks/) server.
-
-If you do that, Shlink will publish updates and other clients can subscribe to those.
-
-There are three env vars you need to provide if you want to enable this:
-
-* `MERCURE_PUBLIC_HUB_URL`: **[Mandatory]**. The public URL of a mercure hub server to which Shlink will sent updates. This URL will also be served to consumers that want to subscribe to those updates.
-* `MERCURE_INTERNAL_HUB_URL`: **[Optional]**. An internal URL for a mercure hub. Will be used only when publishing updates to mercure, and does not need to be public. If this is not provided, the `MERCURE_PUBLIC_HUB_URL` one will be used to publish updates.
-* `MERCURE_JWT_SECRET`: **[Mandatory]**. The secret key that was provided to the mercure hub server, in order to be able to generate valid JWTs for publishing/subscribing to that server.
-
-So in order to run shlink with mercure integration, you would do it like this:
-
-```bash
-docker run \
-    --name shlink \
-    -p 8080:8080 \
-    -e SHORT_DOMAIN_HOST=doma.in \
-    -e SHORT_DOMAIN_SCHEMA=https \
-    -e "MERCURE_PUBLIC_HUB_URL=https://example.com"
-    -e "MERCURE_INTERNAL_HUB_URL=http://my-mercure-hub.prod.svc.cluster.local"
-    -e MERCURE_JWT_SECRET=super_secret_key
-    shlinkio/shlink:stable
-```
-
-## All supported env vars
-
-A few env vars have been already used in previous examples, but this image supports others that can be used to customize its behavior.
-
-This is the complete list of supported env vars:
-
-* `SHORT_DOMAIN_HOST`: The custom short domain used for this shlink instance. For example **doma.in**.
-* `SHORT_DOMAIN_SCHEMA`: Either **http** or **https**.
-* `DB_DRIVER`: **sqlite** (which is the default value), **mysql**, **maria**, **postgres** or **mssql**.
-* `DB_NAME`: The database name to be used when using an external database driver. Defaults to **shlink**.
-* `DB_USER`: The username credential to be used when using an external database driver.
-* `DB_PASSWORD`: The password credential to be used when using an external database driver.
-* `DB_HOST`: The host name of the database server  when using an external database driver.
-* `DB_PORT`: The port in which the database service is running when using an external database driver.
-    * Default value is based on the value provided for `DB_DRIVER`:
-        * **mysql** or **maria** -> `3306`
-        * **postgres** -> `5432`
-        * **mssql** -> `1433`
-* `DB_UNIX_SOCKET`: Alternatively to the `DB_HOST`, you can provide this to connect through unix sockets when using `mysql`, `maria` or `postgres` drivers.
-* `DISABLE_TRACK_PARAM`: The name of a query param that can be used to visit short URLs avoiding the visit to be tracked. This feature won't be available if not value is provided.
-* `DELETE_SHORT_URL_THRESHOLD`: The amount of visits on short URLs which will not allow them to be deleted. Defaults to `15`.
-* `VALIDATE_URLS`: Boolean which tells if shlink should validate a status 20x is returned (after following redirects) when trying to shorten a URL. Defaults to `false`.
-* `INVALID_SHORT_URL_REDIRECT_TO`: If a URL is provided here, when a user tries to access an invalid short URL, he/she will be redirected to this value. If this env var is not provided, the user will see a generic `404 - not found` page.
-* `REGULAR_404_REDIRECT_TO`: If a URL is provided here, when a user tries to access a URL not matching any one supported by the router, he/she will be redirected to this value. If this env var is not provided, the user will see a generic `404 - not found` page.
-* `BASE_URL_REDIRECT_TO`: If a URL is provided here, when a user tries to access Shlink's base URL, he/she will be redirected to this value. If this env var is not provided, the user will see a generic `404 - not found` page.
-* `BASE_PATH`: The base path from which you plan to serve shlink, in case you don't want to serve it from the root of the domain. Defaults to `''`.
-* `WEB_WORKER_NUM`: The amount of concurrent http requests this shlink instance will be able to server. Defaults to 16.
-* `TASK_WORKER_NUM`: The amount of concurrent background tasks this shlink instance will be able to execute. Defaults to 16.
-* `VISITS_WEBHOOKS`: A comma-separated list of URLs that will receive a `POST` request when a short URL receives a visit.
-* `DEFAULT_SHORT_CODES_LENGTH`: The length you want generated short codes to have. It defaults to 5 and has to be at least 4, so any value smaller than that will fall back to 4.
-* `GEOLITE_LICENSE_KEY`: The license key used to download new GeoLite2 database files. This is not mandatory, as a default license key is provided, but it is **strongly recommended** that you provide your own. Go to [https://shlink.io/documentation/geolite-license-key](https://shlink.io/documentation/geolite-license-key) to know how to generate it.
-* `REDIS_SERVERS`: A comma-separated list of redis servers where Shlink locks are stored (locks are used to prevent some operations to be run more than once in parallel).
-* `MERCURE_PUBLIC_HUB_URL`: The public URL of a mercure hub server to which Shlink will sent updates. This URL will also be served to consumers that want to subscribe to those updates.
-* `MERCURE_INTERNAL_HUB_URL`: An internal URL for a mercure hub. Will be used only when publishing updates to mercure, and does not need to be public. If this is not provided but `MERCURE_PUBLIC_HUB_URL` was, the former one will be used to publish updates.
-* `MERCURE_JWT_SECRET`: The secret key that was provided to the mercure hub server, in order to be able to generate valid JWTs for publishing/subscribing to that server.
-* `ANONYMIZE_REMOTE_ADDR`: Tells if IP addresses from visitors should be obfuscated before storing them in the database. Default value is `true`. **Careful!** Setting this to `false` will make your Shlink instance no longer be in compliance with the GDPR and other similar data protection regulations. 
-* `REDIRECT_STATUS_CODE`: Either **301** or **302**. Used to determine if redirects from short to long URLs should be done with a 301 or 302 status. Defaults to 302.
-* `REDIRECT_CACHE_LIFETIME`: Allows to set the amount of seconds that redirects should be cached when redirect status is 301. Default values is 30. 
-* `PORT`: Can be used to set the port in which shlink listens. Defaults to 8080 (Some cloud providers, like Google cloud or Heroku, expect to be able to customize exposed port by providing this env var). 
-
-An example using all env vars could look like this:
-
-```bash
-docker run \
-    --name shlink \
-    -p 8080:8888 \
-    -e SHORT_DOMAIN_HOST=doma.in \
-    -e SHORT_DOMAIN_SCHEMA=https \
-    -e PORT=8888 \
-    -e DB_DRIVER=mysql \
-    -e DB_NAME=shlink \
-    -e DB_USER=root \
-    -e DB_PASSWORD=123abc \
-    -e DB_HOST=something.rds.amazonaws.com \
-    -e DB_PORT=3306 \
-    -e DISABLE_TRACK_PARAM="no-track" \
-    -e DELETE_SHORT_URL_THRESHOLD=30 \
-    -e VALIDATE_URLS=true \
-    -e "INVALID_SHORT_URL_REDIRECT_TO=https://my-landing-page.com" \
-    -e "REGULAR_404_REDIRECT_TO=https://my-landing-page.com" \
-    -e "BASE_URL_REDIRECT_TO=https://my-landing-page.com" \
-    -e "REDIS_SERVERS=tcp://172.20.0.1:6379,tcp://172.20.0.2:6379" \
-    -e "BASE_PATH=/my-campaign" \
-    -e WEB_WORKER_NUM=64 \
-    -e TASK_WORKER_NUM=32 \
-    -e "VISITS_WEBHOOKS=http://my-api.com/api/v2.3/notify,https://third-party.io/foo" \
-    -e DEFAULT_SHORT_CODES_LENGTH=6 \
     -e GEOLITE_LICENSE_KEY=kjh23ljkbndskj345 \
-    -e "MERCURE_PUBLIC_HUB_URL=https://example.com" \
-    -e "MERCURE_INTERNAL_HUB_URL=http://my-mercure-hub.prod.svc.cluster.local" \
-    -e MERCURE_JWT_SECRET=super_secret_key \
-    -e ANONYMIZE_REMOTE_ADDR=false \
-    -e REDIRECT_STATUS_CODE=301 \
-    -e REDIRECT_CACHE_LIFETIME=90 \
     shlinkio/shlink:stable
 ```
 
-## [DEPRECATED] Provide config via volumes
+## Full documentation
 
-> As of v2.5.0, providing config through volumes is deprecated, and no new options will be added anymore. Use env vars instead.
->
-> Support for config options through volumes will be removed in Shlink v3.0.0
+All the features supported by Shlink are also supported by the docker image.
 
-Rather than providing custom configuration via env vars, it is also possible ot provide config files in json format.
-
-Mounting a volume at `config/params` you will make shlink load all the files on it with the `.config.json` suffix.
-
-The whole configuration should have this format, but it can be split into multiple files that will be merged:
-
-```json
-{
-    "disable_track_param": "my_param",
-    "delete_short_url_threshold": 30,
-    "short_domain_schema": "https",
-    "short_domain_host": "doma.in",
-    "validate_url": true,
-    "invalid_short_url_redirect_to": "https://my-landing-page.com",
-    "regular_404_redirect_to": "https://my-landing-page.com",
-    "base_url_redirect_to": "https://my-landing-page.com",
-    "base_path": "/my-campaign",
-    "web_worker_num": 64,
-    "task_worker_num": 32,
-    "default_short_codes_length": 6,
-    "redis_servers": [
-        "tcp://172.20.0.1:6379",
-        "tcp://172.20.0.2:6379"
-    ],
-    "visits_webhooks": [
-        "http://my-api.com/api/v2.3/notify",
-        "https://third-party.io/foo"
-    ],
-    "db_config": {
-        "driver": "pdo_mysql",
-        "dbname": "shlink",
-        "user": "root",
-        "password": "123abc",
-        "host": "something.rds.amazonaws.com",
-        "port": "3306"
-    },
-    "geolite_license_key": "kjh23ljkbndskj345",
-    "mercure_public_hub_url": "https://example.com",
-    "mercure_internal_hub_url": "http://my-mercure-hub.prod.svc.cluster.local",
-    "mercure_jwt_secret": "super_secret_key",
-    "anonymize_remote_addr": false,
-    "redirect_status_code": 301,
-    "redirect_cache_lifetime": 90,
-    "port": 8888
-}
-```
-
-> This is internally parsed to how shlink expects the config. If you are using a version previous to 1.17.0, this parser is not present and you need to provide a config structure like the one [documented previously](https://github.com/shlinkio/shlink-docker-image/tree/v1.16.3#provide-config-via-volumes).
-
-Once created just run shlink with the volume:
-
-```bash
-docker run --name shlink -p 8080:8080 -v ${PWD}/my/config/dir:/etc/shlink/config/params shlinkio/shlink:stable
-```
-
-## Multi-architecture
-
-Starting on v2.3.0, Shlink's docker image is built for multiple architectures.
-
-The only limitation is that images for architectures other than `amd64` will not have support for Microsoft SQL databases, since there are no official binaries.
-
-## Multi-instance considerations
-
-These are some considerations to take into account when running multiple instances of shlink.
-
-* Some operations performed by Shlink should never be run more than once at the same time (like creating the database for the first time, or downloading the GeoLite2 database). For this reason, Shlink uses a locking system.
-
-    However, these locks are locally scoped to each Shlink instance by default.
-
-    You can (and should) make the locks to be shared by all Shlink instances by using a redis server/cluster. Just define the `REDIS_SERVERS` env var with the list of servers.
-
-## Versions
-
-Versioning on this docker image works as follows:
-
-* `X.X.X`:  when providing a specific version number, the image version will match the shlink version it contains. For example, installing `shlinkio/shlink:1.15.0`, you will get an image containing shlink v1.15.0.
-* `stable`: always holds the latest stable tag. For example, if latest shlink version is 2.0.0, installing `shlinkio/shlink:stable`, you will get an image containing shlink v2.0.0
-* `latest`: always holds the latest contents, and it's considered unstable and not suitable for production.
-
-> **Important**: The docker image was introduced with shlink v1.15.0, so there are no official images previous to that versions.
+If you want to learn more, visit the [full documentation](https://shlink.io/documentation/install-docker-image/).

docker/docker-entrypoint.sh

@@ -17,4 +17,4 @@ php vendor/doctrine/orm/bin/doctrine.php orm:clear-cache:metadata -n -q
 
 # When restarting the container, swoole might think it is already in execution
 # This forces the app to be started every second until the exit code is 0
-until php vendor/mezzio/mezzio-swoole/bin/mezzio-swoole start; do sleep 1 ; done
+until php vendor/bin/laminas mezzio:swoole:start; do sleep 1 ; done

docs/adr/2021-01-17-support-restrictions-and-permissions-in-api-keys.md

@@ -0,0 +1,50 @@
+# Support restrictions and permissions in API keys
+
+* Status: Accepted
+* Date: 2021-01-17
+
+## Context and problem statement
+
+Historically, every API key generated for Shlink granted you access to all existing resources.
+
+The intention is to be able to apply some form of restriction to API keys, so that only a subset of "resources" can be accessed with it, naming:
+
+* Allowing interactions only with short URLs and related resources, that have been created with the same API key.
+* Allowing interactions only with short URLs and related resources, that have been attached to a specific domain.
+
+The intention is to implement a system that allows adding to API keys as many of these restrictions as wanted.
+
+Supporting more restrictions in the future is also desirable.
+
+## Considered option
+
+* Using an ACL/RBAC library, and checking roles in a middleware.
+* Using a service that, provided an API key, tells if certain resource is reachable while it also allows building queries dynamically.
+* Using some library implementing the specification pattern, to dynamically build queries transparently for outer layers.
+
+## Decision outcome
+
+The main difficulty on implementing this is that the entity conditioning the behavior (the API key) comes in the request in some form, but it can potentially affect database queries performed in the persistence layer.
+
+Because of this, it has to traverse all the application layers from top to bottom, in most of the cases.
+
+This motivated selecting the third option, as we can propagate the API key and delay its handling to the last step, without changing the behavior of the rest of the layers that much (except in some individual use cases).
+
+The domain term used to refer these "restrictions" is finally **roles**.
+
+It can be combined in the future with an ACL/RBAC library, if we want to restrict access to certain resources, but it didn't fulfil the initial requirements.
+
+## Pros and Cons of the Options
+
+### An ACL/RBAC library
+
+* Good, because there are many good libraries out there.
+* Bad, because when you need to filter resources lists this kind of libraries doesn't really work.
+
+### A service with the logic
+
+* Bad, because it would need to be used in many layers of the application, mixing unrelated concerns.
+
+### A library implementing the specification pattern
+
+* Good, because allows centralizing the generation of dynamic specs by the entity itself, that are later translated automatically into database queries.

docs/adr/README.md

@@ -0,0 +1,5 @@
+# Architectural Decision Records
+
+Here listed you will find the different architectural decisions taken in the project, including all the reasoning behind it, options considered, and final outcome.
+
+* [2021-01-17 Support restrictions and permissions in API keys](2021-01-17-support-restrictions-and-permissions-in-api-keys.md)

docs/swagger/paths/v1_short-urls.json

@@ -19,6 +19,15 @@
                     "type": "integer"
                 }
             },
+            {
+                "name": "itemsPerPage",
+                "in": "query",
+                "description": "The amount of items to return on every page. Defaults to 10",
+                "required": false,
+                "schema": {
+                    "type": "number"
+                }
+            },
             {
                 "name": "searchTerm",
                 "in": "query",

module/Core/config/event_dispatcher.config.php

@@ -14,13 +14,13 @@ return [
 
     'events' => [
         'regular' => [
-            EventDispatcher\VisitLocated::class => [
+            EventDispatcher\Event\VisitLocated::class => [
                 EventDispatcher\NotifyVisitToMercure::class,
                 EventDispatcher\NotifyVisitToWebHooks::class,
             ],
         ],
         'async' => [
-            EventDispatcher\ShortUrlVisited::class => [
+            EventDispatcher\Event\ShortUrlVisited::class => [
                 EventDispatcher\LocateShortUrlVisit::class,
             ],
         ],

module/Core/src/EventDispatcher/Event/AbstractVisitEvent.php

@@ -2,13 +2,13 @@
 
 declare(strict_types=1);
 
-namespace Shlinkio\Shlink\Core\EventDispatcher;
+namespace Shlinkio\Shlink\Core\EventDispatcher\Event;
 
 use JsonSerializable;
 
-final class VisitLocated implements JsonSerializable
+abstract class AbstractVisitEvent implements JsonSerializable
 {
-    private string $visitId;
+    protected string $visitId;
 
     public function __construct(string $visitId)
     {

module/Core/src/EventDispatcher/Event/ShortUrlVisited.php

@@ -0,0 +1,21 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Shlinkio\Shlink\Core\EventDispatcher\Event;
+
+final class ShortUrlVisited extends AbstractVisitEvent
+{
+    private ?string $originalIpAddress;
+
+    public function __construct(string $visitId, ?string $originalIpAddress = null)
+    {
+        parent::__construct($visitId);
+        $this->originalIpAddress = $originalIpAddress;
+    }
+
+    public function originalIpAddress(): ?string
+    {
+        return $this->originalIpAddress;
+    }
+}

module/Core/src/EventDispatcher/Event/VisitLocated.php

@@ -0,0 +1,9 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Shlinkio\Shlink\Core\EventDispatcher\Event;
+
+final class VisitLocated extends AbstractVisitEvent
+{
+}

module/Core/src/EventDispatcher/LocateShortUrlVisit.php

@@ -11,6 +11,8 @@ use Shlinkio\Shlink\CLI\Exception\GeolocationDbUpdateFailedException;
 use Shlinkio\Shlink\CLI\Util\GeolocationDbUpdaterInterface;
 use Shlinkio\Shlink\Core\Entity\Visit;
 use Shlinkio\Shlink\Core\Entity\VisitLocation;
+use Shlinkio\Shlink\Core\EventDispatcher\Event\ShortUrlVisited;
+use Shlinkio\Shlink\Core\EventDispatcher\Event\VisitLocated;
 use Shlinkio\Shlink\IpGeolocation\Exception\WrongIpException;
 use Shlinkio\Shlink\IpGeolocation\Model\Location;
 use Shlinkio\Shlink\IpGeolocation\Resolver\IpLocationResolverInterface;

module/Core/src/EventDispatcher/NotifyVisitToMercure.php

@@ -7,6 +7,7 @@ namespace Shlinkio\Shlink\Core\EventDispatcher;
 use Doctrine\ORM\EntityManagerInterface;
 use Psr\Log\LoggerInterface;
 use Shlinkio\Shlink\Core\Entity\Visit;
+use Shlinkio\Shlink\Core\EventDispatcher\Event\VisitLocated;
 use Shlinkio\Shlink\Core\Mercure\MercureUpdatesGeneratorInterface;
 use Symfony\Component\Mercure\PublisherInterface;
 use Throwable;

module/Core/src/EventDispatcher/NotifyVisitToWebHooks.php

@@ -13,6 +13,7 @@ use GuzzleHttp\Promise\PromiseInterface;
 use GuzzleHttp\RequestOptions;
 use Psr\Log\LoggerInterface;
 use Shlinkio\Shlink\Core\Entity\Visit;
+use Shlinkio\Shlink\Core\EventDispatcher\Event\VisitLocated;
 use Shlinkio\Shlink\Core\Options\AppOptions;
 use Shlinkio\Shlink\Core\Transformer\ShortUrlDataTransformer;
 use Throwable;

module/Core/src/EventDispatcher/ShortUrlVisited.php

@@ -1,34 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace Shlinkio\Shlink\Core\EventDispatcher;
-
-use JsonSerializable;
-
-final class ShortUrlVisited implements JsonSerializable
-{
-    private string $visitId;
-    private ?string $originalIpAddress;
-
-    public function __construct(string $visitId, ?string $originalIpAddress = null)
-    {
-        $this->visitId = $visitId;
-        $this->originalIpAddress = $originalIpAddress;
-    }
-
-    public function visitId(): string
-    {
-        return $this->visitId;
-    }
-
-    public function originalIpAddress(): ?string
-    {
-        return $this->originalIpAddress;
-    }
-
-    public function jsonSerialize(): array
-    {
-        return ['visitId' => $this->visitId, 'originalIpAddress' => $this->originalIpAddress];
-    }
-}

module/Core/src/Service/VisitsTracker.php

@@ -10,7 +10,7 @@ use Psr\EventDispatcher\EventDispatcherInterface;
 use Shlinkio\Shlink\Core\Entity\ShortUrl;
 use Shlinkio\Shlink\Core\Entity\Tag;
 use Shlinkio\Shlink\Core\Entity\Visit;
-use Shlinkio\Shlink\Core\EventDispatcher\ShortUrlVisited;
+use Shlinkio\Shlink\Core\EventDispatcher\Event\ShortUrlVisited;
 use Shlinkio\Shlink\Core\Exception\ShortUrlNotFoundException;
 use Shlinkio\Shlink\Core\Exception\TagNotFoundException;
 use Shlinkio\Shlink\Core\Model\ShortUrlIdentifier;

module/Core/test-db/Domain/Repository/DomainRepositoryTest.php

@@ -15,11 +15,9 @@ use Shlinkio\Shlink\TestUtils\DbTest\DatabaseTestCase;
 
 class DomainRepositoryTest extends DatabaseTestCase
 {
-    protected const ENTITIES_TO_EMPTY = [ShortUrl::class, Domain::class, ApiKey::class];
-
     private DomainRepository $repo;
 
-    protected function setUp(): void
+    protected function beforeEach(): void
     {
         $this->repo = $this->getEntityManager()->getRepository(Domain::class);
     }

module/Core/test-db/Repository/ShortUrlRepositoryTest.php

@@ -29,17 +29,9 @@ class ShortUrlRepositoryTest extends DatabaseTestCase
 {
     use TagManagerTrait;
 
-    protected const ENTITIES_TO_EMPTY = [
-        Tag::class,
-        Visit::class,
-        ShortUrl::class,
-        Domain::class,
-        ApiKey::class,
-    ];
-
     private ShortUrlRepository $repo;
 
-    public function setUp(): void
+    public function beforeEach(): void
     {
         $this->repo = $this->getEntityManager()->getRepository(ShortUrl::class);
     }

module/Core/test-db/Repository/TagRepositoryTest.php

@@ -21,17 +21,9 @@ use function array_chunk;
 
 class TagRepositoryTest extends DatabaseTestCase
 {
-    protected const ENTITIES_TO_EMPTY = [
-        Visit::class,
-        ShortUrl::class,
-        Tag::class,
-        ApiKey::class,
-        Domain::class,
-    ];
-
     private TagRepository $repo;
 
-    protected function setUp(): void
+    protected function beforeEach(): void
     {
         $this->repo = $this->getEntityManager()->getRepository(Tag::class);
     }

module/Core/test-db/Repository/VisitRepositoryTest.php

@@ -27,18 +27,9 @@ use function sprintf;
 
 class VisitRepositoryTest extends DatabaseTestCase
 {
-    protected const ENTITIES_TO_EMPTY = [
-        VisitLocation::class,
-        Visit::class,
-        ShortUrl::class,
-        Domain::class,
-        Tag::class,
-        ApiKey::class,
-    ];
-
     private VisitRepository $repo;
 
-    protected function setUp(): void
+    protected function beforeEach(): void
     {
         $this->repo = $this->getEntityManager()->getRepository(Visit::class);
     }

module/Core/test/EventDispatcher/LocateShortUrlVisitTest.php

@@ -17,9 +17,9 @@ use Shlinkio\Shlink\Common\Util\IpAddress;
 use Shlinkio\Shlink\Core\Entity\ShortUrl;
 use Shlinkio\Shlink\Core\Entity\Visit;
 use Shlinkio\Shlink\Core\Entity\VisitLocation;
+use Shlinkio\Shlink\Core\EventDispatcher\Event\ShortUrlVisited;
+use Shlinkio\Shlink\Core\EventDispatcher\Event\VisitLocated;
 use Shlinkio\Shlink\Core\EventDispatcher\LocateShortUrlVisit;
-use Shlinkio\Shlink\Core\EventDispatcher\ShortUrlVisited;
-use Shlinkio\Shlink\Core\EventDispatcher\VisitLocated;
 use Shlinkio\Shlink\Core\Model\Visitor;
 use Shlinkio\Shlink\IpGeolocation\Exception\WrongIpException;
 use Shlinkio\Shlink\IpGeolocation\Model\Location;

module/Core/test/EventDispatcher/NotifyVisitToMercureTest.php

@@ -13,8 +13,8 @@ use Psr\Log\LoggerInterface;
 use RuntimeException;
 use Shlinkio\Shlink\Core\Entity\ShortUrl;
 use Shlinkio\Shlink\Core\Entity\Visit;
+use Shlinkio\Shlink\Core\EventDispatcher\Event\VisitLocated;
 use Shlinkio\Shlink\Core\EventDispatcher\NotifyVisitToMercure;
-use Shlinkio\Shlink\Core\EventDispatcher\VisitLocated;
 use Shlinkio\Shlink\Core\Mercure\MercureUpdatesGeneratorInterface;
 use Shlinkio\Shlink\Core\Model\Visitor;
 use Symfony\Component\Mercure\PublisherInterface;

module/Core/test/EventDispatcher/NotifyVisitToWebHooksTest.php

@@ -19,8 +19,8 @@ use Prophecy\Prophecy\ObjectProphecy;
 use Psr\Log\LoggerInterface;
 use Shlinkio\Shlink\Core\Entity\ShortUrl;
 use Shlinkio\Shlink\Core\Entity\Visit;
+use Shlinkio\Shlink\Core\EventDispatcher\Event\VisitLocated;
 use Shlinkio\Shlink\Core\EventDispatcher\NotifyVisitToWebHooks;
-use Shlinkio\Shlink\Core\EventDispatcher\VisitLocated;
 use Shlinkio\Shlink\Core\Model\Visitor;
 use Shlinkio\Shlink\Core\Options\AppOptions;
 

module/Core/test/Service/VisitsTrackerTest.php

@@ -15,7 +15,7 @@ use Shlinkio\Shlink\Common\Util\DateRange;
 use Shlinkio\Shlink\Core\Entity\ShortUrl;
 use Shlinkio\Shlink\Core\Entity\Tag;
 use Shlinkio\Shlink\Core\Entity\Visit;
-use Shlinkio\Shlink\Core\EventDispatcher\ShortUrlVisited;
+use Shlinkio\Shlink\Core\EventDispatcher\Event\ShortUrlVisited;
 use Shlinkio\Shlink\Core\Exception\ShortUrlNotFoundException;
 use Shlinkio\Shlink\Core\Exception\TagNotFoundException;
 use Shlinkio\Shlink\Core\Model\ShortUrlIdentifier;

module/Rest/config/auth.config.php

@@ -11,9 +11,12 @@ return [
     'auth' => [
         'routes_whitelist' => [
             Action\HealthAction::class,
-            Action\ShortUrl\SingleStepCreateShortUrlAction::class,
             ConfigProvider::UNVERSIONED_HEALTH_ENDPOINT_NAME,
         ],
+
+        'routes_with_query_api_key' => [
+            Action\ShortUrl\SingleStepCreateShortUrlAction::class,
+        ],
     ],
 
     'dependencies' => [
@@ -23,7 +26,11 @@ return [
     ],
 
     ConfigAbstractFactory::class => [
-        Middleware\AuthenticationMiddleware::class => [Service\ApiKeyService::class, 'config.auth.routes_whitelist'],
+        Middleware\AuthenticationMiddleware::class => [
+            Service\ApiKeyService::class,
+            'config.auth.routes_whitelist',
+            'config.auth.routes_with_query_api_key',
+        ],
     ],
 
 ];

module/Rest/config/dependencies.config.php

@@ -57,7 +57,6 @@ return [
         Action\ShortUrl\CreateShortUrlAction::class => [Service\UrlShortener::class, 'config.url_shortener.domain'],
         Action\ShortUrl\SingleStepCreateShortUrlAction::class => [
             Service\UrlShortener::class,
-            ApiKeyService::class,
             'config.url_shortener.domain',
         ],
         Action\ShortUrl\EditShortUrlAction::class => [Service\ShortUrlService::class],

module/Rest/config/entities-mappings/Shlinkio.Shlink.Rest.Entity.ApiKeyRole.php

@@ -24,7 +24,7 @@ return static function (ClassMetadata $metadata, array $emConfig): void {
 
     $builder->createField('roleName', Types::STRING)
             ->columnName('role_name')
-            ->length(256)
+            ->length(255)
             ->nullable(false)
             ->build();
 

module/Rest/src/Action/ShortUrl/SingleStepCreateShortUrlAction.php

@@ -8,49 +8,28 @@ use Psr\Http\Message\ServerRequestInterface as Request;
 use Shlinkio\Shlink\Core\Exception\ValidationException;
 use Shlinkio\Shlink\Core\Model\CreateShortUrlData;
 use Shlinkio\Shlink\Core\Model\ShortUrlMeta;
-use Shlinkio\Shlink\Core\Service\UrlShortenerInterface;
 use Shlinkio\Shlink\Core\Validation\ShortUrlMetaInputFilter;
-use Shlinkio\Shlink\Rest\Service\ApiKeyServiceInterface;
+use Shlinkio\Shlink\Rest\Middleware\AuthenticationMiddleware;
 
 class SingleStepCreateShortUrlAction extends AbstractCreateShortUrlAction
 {
     protected const ROUTE_PATH = '/short-urls/shorten';
     protected const ROUTE_ALLOWED_METHODS = [self::METHOD_GET];
 
-    private ApiKeyServiceInterface $apiKeyService;
-
-    public function __construct(
-        UrlShortenerInterface $urlShortener,
-        ApiKeyServiceInterface $apiKeyService,
-        array $domainConfig
-    ) {
-        parent::__construct($urlShortener, $domainConfig);
-        $this->apiKeyService = $apiKeyService;
-    }
-
-    /**
-     * @throws ValidationException
-     */
     protected function buildShortUrlData(Request $request): CreateShortUrlData
     {
         $query = $request->getQueryParams();
         $longUrl = $query['longUrl'] ?? null;
 
-        $apiKeyResult = $this->apiKeyService->check($query['apiKey'] ?? '');
-        if (! $apiKeyResult->isValid()) {
-            throw ValidationException::fromArray([
-                'apiKey' => 'No API key was provided or it is not valid',
-            ]);
-        }
-
         if ($longUrl === null) {
             throw ValidationException::fromArray([
                 'longUrl' => 'A URL was not provided',
             ]);
         }
 
+        $apiKey = AuthenticationMiddleware::apiKeyFromRequest($request);
         return new CreateShortUrlData($longUrl, [], ShortUrlMeta::fromRawData([
-            ShortUrlMetaInputFilter::API_KEY => $apiKeyResult->apiKey(),
+            ShortUrlMetaInputFilter::API_KEY => $apiKey,
             // This will usually be null, unless this API key enforces one specific domain
             ShortUrlMetaInputFilter::DOMAIN => $request->getAttribute(ShortUrlMetaInputFilter::DOMAIN),
         ]));

module/Rest/src/Exception/MissingAuthenticationException.php

@@ -18,18 +18,36 @@ class MissingAuthenticationException extends RuntimeException implements Problem
     private const TITLE = 'Invalid authorization';
     private const TYPE = 'INVALID_AUTHORIZATION';
 
-    public static function fromExpectedTypes(array $expectedTypes): self
+    public static function forHeaders(array $expectedHeaders): self
     {
-        $e = new self(sprintf(
+        $e = self::withMessage(sprintf(
             'Expected one of the following authentication headers, ["%s"], but none were provided',
-            implode('", "', $expectedTypes),
+            implode('", "', $expectedHeaders),
         ));
+        $e->additional = [
+            'expectedTypes' => $expectedHeaders, // Deprecated
+            'expectedHeaders' => $expectedHeaders,
+        ];
 
-        $e->detail = $e->getMessage();
+        return $e;
+    }
+
+    public static function forQueryParam(string $param): self
+    {
+        $e = self::withMessage(sprintf('Expected authentication to be provided in "%s" query param', $param));
+        $e->additional = ['param' => $param];
+
+        return $e;
+    }
+
+    private static function withMessage(string $message): self
+    {
+        $e = new self($message);
+
+        $e->detail = $message;
         $e->title = self::TITLE;
         $e->type = self::TYPE;
         $e->status = StatusCodeInterface::STATUS_UNAUTHORIZED;
-        $e->additional = ['expectedTypes' => $expectedTypes];
 
         return $e;
     }

module/Rest/src/Middleware/AuthenticationMiddleware.php

@@ -8,6 +8,7 @@ use Fig\Http\Message\RequestMethodInterface;
 use Fig\Http\Message\StatusCodeInterface;
 use Mezzio\Router\RouteResult;
 use Psr\Http\Message\ResponseInterface as Response;
+use Psr\Http\Message\ServerRequestInterface;
 use Psr\Http\Message\ServerRequestInterface as Request;
 use Psr\Http\Server\MiddlewareInterface;
 use Psr\Http\Server\RequestHandlerInterface;
@@ -24,11 +25,16 @@ class AuthenticationMiddleware implements MiddlewareInterface, StatusCodeInterfa
 
     private ApiKeyServiceInterface $apiKeyService;
     private array $routesWhitelist;
+    private array $routesWithQueryApiKey;
 
-    public function __construct(ApiKeyServiceInterface $apiKeyService, array $routesWhitelist)
-    {
+    public function __construct(
+        ApiKeyServiceInterface $apiKeyService,
+        array $routesWhitelist,
+        array $routesWithQueryApiKey
+    ) {
         $this->apiKeyService = $apiKeyService;
         $this->routesWhitelist = $routesWhitelist;
+        $this->routesWithQueryApiKey = $routesWithQueryApiKey;
     }
 
     public function process(Request $request, RequestHandlerInterface $handler): Response
@@ -44,11 +50,7 @@ class AuthenticationMiddleware implements MiddlewareInterface, StatusCodeInterfa
             return $handler->handle($request);
         }
 
-        $apiKey = $request->getHeaderLine(self::API_KEY_HEADER);
-        if (empty($apiKey)) {
-            throw MissingAuthenticationException::fromExpectedTypes([self::API_KEY_HEADER]);
-        }
-
+        $apiKey = $this->getApiKeyFromRequest($request, $routeResult);
         $result = $this->apiKeyService->check($apiKey);
         if (! $result->isValid()) {
             throw VerifyAuthenticationException::forInvalidApiKey();
@@ -61,4 +63,20 @@ class AuthenticationMiddleware implements MiddlewareInterface, StatusCodeInterfa
     {
         return $request->getAttribute(ApiKey::class);
     }
+
+    private function getApiKeyFromRequest(ServerRequestInterface $request, RouteResult $routeResult): string
+    {
+        $routeName = $routeResult->getMatchedRouteName();
+        $query = $request->getQueryParams();
+        $isRouteWithApiKeyInQuery = contains($this->routesWithQueryApiKey, $routeName);
+        $apiKey = $isRouteWithApiKeyInQuery ? ($query['apiKey'] ?? '') : $request->getHeaderLine(self::API_KEY_HEADER);
+
+        if (empty($apiKey)) {
+            throw $isRouteWithApiKeyInQuery
+                ? MissingAuthenticationException::forQueryParam('apiKey')
+                : MissingAuthenticationException::forHeaders([self::API_KEY_HEADER]);
+        }
+
+        return $apiKey;
+    }
 }

module/Rest/src/Middleware/CrossDomainMiddleware.php

@@ -6,7 +6,6 @@ namespace Shlinkio\Shlink\Rest\Middleware;
 
 use Fig\Http\Message\RequestMethodInterface;
 use Laminas\Diactoros\Response\EmptyResponse;
-use Mezzio\Router\RouteResult;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
 use Psr\Http\Server\MiddlewareInterface;
@@ -32,7 +31,7 @@ class CrossDomainMiddleware implements MiddlewareInterface, RequestMethodInterfa
         }
 
         // Add Allow-Origin header
-        $response = $response->withHeader('Access-Control-Allow-Origin', $request->getHeader('Origin'));
+        $response = $response->withHeader('Access-Control-Allow-Origin', '*');
         if ($request->getMethod() !== self::METHOD_OPTIONS) {
             return $response;
         }
@@ -42,20 +41,8 @@ class CrossDomainMiddleware implements MiddlewareInterface, RequestMethodInterfa
 
     private function addOptionsHeaders(ServerRequestInterface $request, ResponseInterface $response): ResponseInterface
     {
-        // TODO This won't work. The route has to be matched from the router as this middleware needs to be executed
-        //      before trying to match the route
-        /** @var RouteResult|null $matchedRoute */
-        $matchedRoute = $request->getAttribute(RouteResult::class);
-        $matchedMethods = $matchedRoute !== null ? $matchedRoute->getAllowedMethods() : [
-            self::METHOD_GET,
-            self::METHOD_POST,
-            self::METHOD_PUT,
-            self::METHOD_PATCH,
-            self::METHOD_DELETE,
-            self::METHOD_OPTIONS,
-        ];
         $corsHeaders = [
-            'Access-Control-Allow-Methods' => implode(',', $matchedMethods),
+            'Access-Control-Allow-Methods' => $this->resolveCorsAllowedMethods($response),
             'Access-Control-Allow-Headers' => $request->getHeaderLine('Access-Control-Request-Headers'),
             'Access-Control-Max-Age' => $this->config['max_age'],
         ];
@@ -63,4 +50,22 @@ class CrossDomainMiddleware implements MiddlewareInterface, RequestMethodInterfa
         // Options requests should always be empty and have a 204 status code
         return EmptyResponse::withHeaders(array_merge($response->getHeaders(), $corsHeaders));
     }
+
+    private function resolveCorsAllowedMethods(ResponseInterface $response): string
+    {
+        // ImplicitOptionsMiddleware resolves allowed methods using the RouteResult request's attribute and sets them
+        // in the "Allow" header.
+        // If the header is there, we can re-use the value as it is.
+        if ($response->hasHeader('Allow')) {
+            return $response->getHeaderLine('Allow');
+        }
+
+        return implode(',', [
+            self::METHOD_GET,
+            self::METHOD_POST,
+            self::METHOD_PUT,
+            self::METHOD_PATCH,
+            self::METHOD_DELETE,
+        ]);
+    }
 }

module/Rest/test-api/Action/CreateShortUrlTest.php

@@ -12,7 +12,7 @@ use function Functional\map;
 use function range;
 use function sprintf;
 
-class CreateShortUrlActionTest extends ApiTestCase
+class CreateShortUrlTest extends ApiTestCase
 {
     /** @test */
     public function createsNewShortUrlWhenOnlyLongUrlIsProvided(): void

module/Rest/test-api/Action/DeleteShortUrlTest.php

@@ -7,7 +7,7 @@ namespace ShlinkioApiTest\Shlink\Rest\Action;
 use Shlinkio\Shlink\TestUtils\ApiTest\ApiTestCase;
 use ShlinkioApiTest\Shlink\Rest\Utils\NotFoundUrlHelpersTrait;
 
-class DeleteShortUrlActionTest extends ApiTestCase
+class DeleteShortUrlTest extends ApiTestCase
 {
     use NotFoundUrlHelpersTrait;
 

module/Rest/test-api/Action/EditShortUrlTagsTest.php

@@ -8,7 +8,7 @@ use GuzzleHttp\RequestOptions;
 use Shlinkio\Shlink\TestUtils\ApiTest\ApiTestCase;
 use ShlinkioApiTest\Shlink\Rest\Utils\NotFoundUrlHelpersTrait;
 
-class EditShortUrlTagsActionTest extends ApiTestCase
+class EditShortUrlTagsTest extends ApiTestCase
 {
     use NotFoundUrlHelpersTrait;
 

module/Rest/test-api/Action/EditShortUrlTest.php

@@ -14,7 +14,7 @@ use ShlinkioApiTest\Shlink\Rest\Utils\NotFoundUrlHelpersTrait;
 use function GuzzleHttp\Psr7\build_query;
 use function sprintf;
 
-class EditShortUrlActionTest extends ApiTestCase
+class EditShortUrlTest extends ApiTestCase
 {
     use ArraySubsetAsserts;
     use NotFoundUrlHelpersTrait;

module/Rest/test-api/Action/GlobalVisitsTest.php

@@ -6,7 +6,7 @@ namespace ShlinkioApiTest\Shlink\Rest\Action;
 
 use Shlinkio\Shlink\TestUtils\ApiTest\ApiTestCase;
 
-class GlobalVisitsActionTest extends ApiTestCase
+class GlobalVisitsTest extends ApiTestCase
 {
     /**
      * @test

module/Rest/test-api/Action/ListTagsTest.php

@@ -7,7 +7,7 @@ namespace ShlinkioApiTest\Shlink\Rest\Action;
 use GuzzleHttp\RequestOptions;
 use Shlinkio\Shlink\TestUtils\ApiTest\ApiTestCase;
 
-class ListTagsActionTest extends ApiTestCase
+class ListTagsTest extends ApiTestCase
 {
     /**
      * @test

module/Rest/test-api/Action/ResolveShortUrlTest.php

@@ -11,7 +11,7 @@ use ShlinkioApiTest\Shlink\Rest\Utils\NotFoundUrlHelpersTrait;
 
 use function sprintf;
 
-class ResolveShortUrlActionTest extends ApiTestCase
+class ResolveShortUrlTest extends ApiTestCase
 {
     use NotFoundUrlHelpersTrait;
 

module/Rest/test-api/Action/ShortUrlVisitsTest.php

@@ -11,7 +11,7 @@ use ShlinkioApiTest\Shlink\Rest\Utils\NotFoundUrlHelpersTrait;
 use function GuzzleHttp\Psr7\build_query;
 use function sprintf;
 
-class ShortUrlVisitsActionTest extends ApiTestCase
+class ShortUrlVisitsTest extends ApiTestCase
 {
     use NotFoundUrlHelpersTrait;
 

module/Rest/test-api/Action/SingleStepCreateShortUrlTest.php

@@ -0,0 +1,56 @@
+<?php
+
+declare(strict_types=1);
+
+namespace ShlinkioApiTest\Shlink\Rest\Action;
+
+use GuzzleHttp\RequestOptions;
+use Psr\Http\Message\ResponseInterface;
+use Shlinkio\Shlink\TestUtils\ApiTest\ApiTestCase;
+
+class SingleStepCreateShortUrlTest extends ApiTestCase
+{
+    /**
+     * @test
+     * @dataProvider provideFormats
+     */
+    public function createsNewShortUrlWithExpectedResponse(?string $format, string $expectedContentType): void
+    {
+        $resp = $this->createShortUrl($format, 'valid_api_key');
+
+        self::assertEquals(self::STATUS_OK, $resp->getStatusCode());
+        self::assertEquals($expectedContentType, $resp->getHeaderLine('Content-Type'));
+    }
+
+    public function provideFormats(): iterable
+    {
+        yield 'txt format' => ['txt', 'text/plain'];
+        yield 'json format' => ['json', 'application/json'];
+        yield '<empty> format' => [null, 'application/json'];
+    }
+
+    /** @test */
+    public function authorizationErrorIsReturnedIfNoApiKeyIsSent(): void
+    {
+        $expectedDetail = 'Expected authentication to be provided in "apiKey" query param';
+
+        $resp = $this->createShortUrl();
+        $payload = $this->getJsonResponsePayload($resp);
+
+        self::assertEquals(self::STATUS_UNAUTHORIZED, $resp->getStatusCode());
+        self::assertEquals(self::STATUS_UNAUTHORIZED, $payload['status']);
+        self::assertEquals('INVALID_AUTHORIZATION', $payload['type']);
+        self::assertEquals($expectedDetail, $payload['detail']);
+        self::assertEquals('Invalid authorization', $payload['title']);
+    }
+
+    private function createShortUrl(?string $format = 'json', ?string $apiKey = null): ResponseInterface
+    {
+        $query = [
+            'longUrl' => 'https://app.shlink.io',
+            'apiKey' => $apiKey,
+            'format' => $format,
+        ];
+        return $this->callApi(self::METHOD_GET, '/short-urls/shorten', [RequestOptions::QUERY => $query]);
+    }
+}

module/Rest/test-api/Action/TagVisitsTest.php

@@ -8,7 +8,7 @@ use Shlinkio\Shlink\TestUtils\ApiTest\ApiTestCase;
 
 use function sprintf;
 
-class TagVisitsActionTest extends ApiTestCase
+class TagVisitsTest extends ApiTestCase
 {
     /**
      * @test

module/Rest/test-api/Action/UpdateTagTest.php

@@ -7,7 +7,7 @@ namespace ShlinkioApiTest\Shlink\Rest\Action;
 use GuzzleHttp\RequestOptions;
 use Shlinkio\Shlink\TestUtils\ApiTest\ApiTestCase;
 
-class UpdateTagActionTest extends ApiTestCase
+class UpdateTagTest extends ApiTestCase
 {
     /**
      * @test

module/Rest/test-api/Middleware/CorsTest.php

@@ -35,7 +35,7 @@ class CorsTest extends ApiTestCase
         ]);
 
         self::assertEquals($expectedStatusCode, $resp->getStatusCode());
-        self::assertEquals($origin, $resp->getHeaderLine('Access-Control-Allow-Origin'));
+        self::assertEquals('*', $resp->getHeaderLine('Access-Control-Allow-Origin'));
         self::assertFalse($resp->hasHeader('Access-Control-Allow-Methods'));
         self::assertFalse($resp->hasHeader('Access-Control-Max-Age'));
         self::assertFalse($resp->hasHeader('Access-Control-Allow-Headers'));
@@ -71,10 +71,9 @@ class CorsTest extends ApiTestCase
 
     public function providePreflightEndpoints(): iterable
     {
-        yield 'invalid route' => ['/foo/bar', 'GET,POST,PUT,PATCH,DELETE,OPTIONS'];
-        yield 'short URLs routes' => ['/short-urls', 'GET,POST,PUT,PATCH,DELETE,OPTIONS'];
-//        yield 'short URLs routes' => ['/short-urls', 'GET,POST']; // TODO This should be the good one
-        yield 'tags routes' => ['/tags', 'GET,POST,PUT,PATCH,DELETE,OPTIONS'];
-//        yield 'tags routes' => ['/short-urls', 'GET,POST,PUT,DELETE']; // TODO This should be the good one
+        yield 'invalid route' => ['/foo/bar', 'GET,POST,PUT,PATCH,DELETE'];
+        yield 'short URLs route' => ['/short-urls', 'GET,POST'];
+        yield 'tags route' => ['/tags', 'GET,POST,PUT,DELETE'];
+        yield 'health route' => ['/health', 'GET'];
     }
 }

module/Rest/test/Action/ShortUrl/SingleStepCreateShortUrlActionTest.php

@@ -16,8 +16,6 @@ use Shlinkio\Shlink\Core\Model\ShortUrlMeta;
 use Shlinkio\Shlink\Core\Service\UrlShortenerInterface;
 use Shlinkio\Shlink\Rest\Action\ShortUrl\SingleStepCreateShortUrlAction;
 use Shlinkio\Shlink\Rest\Entity\ApiKey;
-use Shlinkio\Shlink\Rest\Service\ApiKeyCheckResult;
-use Shlinkio\Shlink\Rest\Service\ApiKeyServiceInterface;
 
 class SingleStepCreateShortUrlActionTest extends TestCase
 {
@@ -30,11 +28,9 @@ class SingleStepCreateShortUrlActionTest extends TestCase
     public function setUp(): void
     {
         $this->urlShortener = $this->prophesize(UrlShortenerInterface::class);
-        $this->apiKeyService = $this->prophesize(ApiKeyServiceInterface::class);
 
         $this->action = new SingleStepCreateShortUrlAction(
             $this->urlShortener->reveal(),
-            $this->apiKeyService->reveal(),
             [
                 'schema' => 'http',
                 'hostname' => 'foo.com',
@@ -42,26 +38,12 @@ class SingleStepCreateShortUrlActionTest extends TestCase
         );
     }
 
-    /** @test */
-    public function errorResponseIsReturnedIfInvalidApiKeyIsProvided(): void
-    {
-        $request = (new ServerRequest())->withQueryParams(['apiKey' => 'abc123']);
-        $findApiKey = $this->apiKeyService->check('abc123')->willReturn(new ApiKeyCheckResult());
-
-        $this->expectException(ValidationException::class);
-        $findApiKey->shouldBeCalledOnce();
-
-        $this->action->handle($request);
-    }
-
     /** @test */
     public function errorResponseIsReturnedIfNoUrlIsProvided(): void
     {
-        $request = (new ServerRequest())->withQueryParams(['apiKey' => 'abc123']);
-        $findApiKey = $this->apiKeyService->check('abc123')->willReturn(new ApiKeyCheckResult(new ApiKey()));
+        $request = new ServerRequest();
 
         $this->expectException(ValidationException::class);
-        $findApiKey->shouldBeCalledOnce();
 
         $this->action->handle($request);
     }
@@ -70,13 +52,10 @@ class SingleStepCreateShortUrlActionTest extends TestCase
     public function properDataIsPassedWhenGeneratingShortCode(): void
     {
         $apiKey = new ApiKey();
-        $key = $apiKey->toString();
 
         $request = (new ServerRequest())->withQueryParams([
-            'apiKey' => $key,
             'longUrl' => 'http://foobar.com',
-        ]);
-        $findApiKey = $this->apiKeyService->check($key)->willReturn(new ApiKeyCheckResult($apiKey));
+        ])->withAttribute(ApiKey::class, $apiKey);
         $generateShortCode = $this->urlShortener->shorten(
             Argument::that(function (string $argument): bool {
                 Assert::assertEquals('http://foobar.com', $argument);
@@ -89,7 +68,6 @@ class SingleStepCreateShortUrlActionTest extends TestCase
         $resp = $this->action->handle($request);
 
         self::assertEquals(200, $resp->getStatusCode());
-        $findApiKey->shouldHaveBeenCalled();
         $generateShortCode->shouldHaveBeenCalled();
     }
 }

module/Rest/test/Exception/MissingAuthenticationExceptionTest.php

@@ -16,21 +16,22 @@ class MissingAuthenticationExceptionTest extends TestCase
      * @test
      * @dataProvider provideExpectedTypes
      */
-    public function exceptionIsProperlyCreatedFromExpectedTypes(array $expectedTypes): void
+    public function exceptionIsProperlyCreatedFromExpectedHeaders(array $expectedHeaders): void
     {
         $expectedMessage = sprintf(
             'Expected one of the following authentication headers, ["%s"], but none were provided',
-            implode('", "', $expectedTypes),
+            implode('", "', $expectedHeaders),
         );
 
-        $e = MissingAuthenticationException::fromExpectedTypes($expectedTypes);
+        $e = MissingAuthenticationException::forHeaders($expectedHeaders);
 
+        $this->assertCommonExceptionShape($e);
         self::assertEquals($expectedMessage, $e->getMessage());
         self::assertEquals($expectedMessage, $e->getDetail());
-        self::assertEquals('Invalid authorization', $e->getTitle());
-        self::assertEquals('INVALID_AUTHORIZATION', $e->getType());
-        self::assertEquals(401, $e->getStatus());
-        self::assertEquals(['expectedTypes' => $expectedTypes], $e->getAdditionalData());
+        self::assertEquals([
+            'expectedTypes' => $expectedHeaders,
+            'expectedHeaders' => $expectedHeaders,
+        ], $e->getAdditionalData());
     }
 
     public function provideExpectedTypes(): iterable
@@ -40,4 +41,34 @@ class MissingAuthenticationExceptionTest extends TestCase
         yield [[]];
         yield [['foo', 'bar', 'baz']];
     }
+
+    /**
+     * @test
+     * @dataProvider provideExpectedParam
+     */
+    public function exceptionIsProperlyCreatedFromExpectedQueryParam(string $param): void
+    {
+        $expectedMessage = sprintf('Expected authentication to be provided in "%s" query param', $param);
+
+        $e = MissingAuthenticationException::forQueryParam($param);
+
+        $this->assertCommonExceptionShape($e);
+        self::assertEquals($expectedMessage, $e->getMessage());
+        self::assertEquals($expectedMessage, $e->getDetail());
+        self::assertEquals(['param' => $param], $e->getAdditionalData());
+    }
+
+    public function provideExpectedParam(): iterable
+    {
+        yield ['foo'];
+        yield ['bar'];
+        yield ['something'];
+    }
+
+    private function assertCommonExceptionShape(MissingAuthenticationException $e): void
+    {
+        self::assertEquals('Invalid authorization', $e->getTitle());
+        self::assertEquals('INVALID_AUTHORIZATION', $e->getType());
+        self::assertEquals(401, $e->getStatus());
+    }
 }

module/Rest/test/Middleware/AuthenticationMiddlewareTest.php

@@ -38,7 +38,11 @@ class AuthenticationMiddlewareTest extends TestCase
     public function setUp(): void
     {
         $this->apiKeyService = $this->prophesize(ApiKeyServiceInterface::class);
-        $this->middleware = new AuthenticationMiddleware($this->apiKeyService->reveal(), [HealthAction::class]);
+        $this->middleware = new AuthenticationMiddleware(
+            $this->apiKeyService->reveal(),
+            [HealthAction::class],
+            ['with_query_api_key'],
+        );
         $this->handler = $this->prophesize(RequestHandlerInterface::class);
     }
 
@@ -82,27 +86,34 @@ class AuthenticationMiddlewareTest extends TestCase
      * @test
      * @dataProvider provideRequestsWithoutApiKey
      */
-    public function throwsExceptionWhenNoApiKeyIsProvided(ServerRequestInterface $request): void
-    {
+    public function throwsExceptionWhenNoApiKeyIsProvided(
+        ServerRequestInterface $request,
+        string $expectedMessage
+    ): void {
         $this->apiKeyService->check(Argument::any())->shouldNotBeCalled();
         $this->handler->handle($request)->shouldNotBeCalled();
         $this->expectException(MissingAuthenticationException::class);
-        $this->expectExceptionMessage(
-            'Expected one of the following authentication headers, ["X-Api-Key"], but none were provided',
-        );
+        $this->expectExceptionMessage($expectedMessage);
 
         $this->middleware->process($request, $this->handler->reveal());
     }
 
     public function provideRequestsWithoutApiKey(): iterable
     {
-        $baseRequest = ServerRequestFactory::fromGlobals()->withAttribute(
+        $baseRequest = fn (string $routeName) => ServerRequestFactory::fromGlobals()->withAttribute(
             RouteResult::class,
-            RouteResult::fromRoute(new Route('bar', $this->getDummyMiddleware()), []),
+            RouteResult::fromRoute(new Route($routeName, $this->getDummyMiddleware()), []),
         );
+        $apiKeyMessage = 'Expected one of the following authentication headers, ["X-Api-Key"], but none were provided';
+        $queryMessage = 'Expected authentication to be provided in "apiKey" query param';
 
-        yield 'no api key' => [$baseRequest];
-        yield 'empty api key' => [$baseRequest->withHeader('X-Api-Key', '')];
+        yield 'no api key in header' => [$baseRequest('bar'), $apiKeyMessage];
+        yield 'empty api key in header' => [$baseRequest('bar')->withHeader('X-Api-Key', ''), $apiKeyMessage];
+        yield 'no api key in query' => [$baseRequest('with_query_api_key'), $queryMessage];
+        yield 'empty api key in query' => [
+            $baseRequest('with_query_api_key')->withQueryParams(['apiKey' => '']),
+            $queryMessage,
+        ];
     }
 
     /** @test */

module/Rest/test/Middleware/CrossDomainMiddlewareTest.php

@@ -6,8 +6,6 @@ namespace ShlinkioTest\Shlink\Rest\Middleware;
 
 use Laminas\Diactoros\Response;
 use Laminas\Diactoros\ServerRequest;
-use Mezzio\Router\Route;
-use Mezzio\Router\RouteResult;
 use PHPUnit\Framework\TestCase;
 use Prophecy\Argument;
 use Prophecy\PhpUnit\ProphecyTrait;
@@ -15,8 +13,6 @@ use Prophecy\Prophecy\ObjectProphecy;
 use Psr\Http\Server\RequestHandlerInterface;
 use Shlinkio\Shlink\Rest\Middleware\CrossDomainMiddleware;
 
-use function Laminas\Stratigility\middleware;
-
 class CrossDomainMiddlewareTest extends TestCase
 {
     use ProphecyTrait;
@@ -61,7 +57,7 @@ class CrossDomainMiddlewareTest extends TestCase
 
         $headers = $response->getHeaders();
 
-        self::assertEquals('local', $response->getHeaderLine('Access-Control-Allow-Origin'));
+        self::assertEquals('*', $response->getHeaderLine('Access-Control-Allow-Origin'));
         self::assertArrayNotHasKey('Access-Control-Allow-Methods', $headers);
         self::assertArrayNotHasKey('Access-Control-Max-Age', $headers);
         self::assertArrayNotHasKey('Access-Control-Allow-Headers', $headers);
@@ -82,7 +78,7 @@ class CrossDomainMiddlewareTest extends TestCase
 
         $headers = $response->getHeaders();
 
-        self::assertEquals('local', $response->getHeaderLine('Access-Control-Allow-Origin'));
+        self::assertEquals('*', $response->getHeaderLine('Access-Control-Allow-Origin'));
         self::assertArrayHasKey('Access-Control-Allow-Methods', $headers);
         self::assertEquals('1000', $response->getHeaderLine('Access-Control-Max-Age'));
         self::assertEquals('foo, bar, baz', $response->getHeaderLine('Access-Control-Allow-Headers'));
@@ -94,13 +90,15 @@ class CrossDomainMiddlewareTest extends TestCase
      * @dataProvider provideRouteResults
      */
     public function optionsRequestParsesRouteMatchToDetermineAllowedMethods(
-        ?RouteResult $result,
+        ?string $allowHeader,
         string $expectedAllowedMethods
     ): void {
         $originalResponse = new Response();
-        $request = (new ServerRequest())->withAttribute(RouteResult::class, $result)
-                                        ->withMethod('OPTIONS')
-                                        ->withHeader('Origin', 'local');
+        if ($allowHeader !== null) {
+            $originalResponse = $originalResponse->withHeader('Allow', $allowHeader);
+        }
+        $request = (new ServerRequest())->withHeader('Origin', 'local')
+                                        ->withMethod('OPTIONS');
         $this->handler->handle(Argument::any())->willReturn($originalResponse)->shouldBeCalledOnce();
 
         $response = $this->middleware->process($request, $this->handler->reveal());
@@ -111,15 +109,9 @@ class CrossDomainMiddlewareTest extends TestCase
 
     public function provideRouteResults(): iterable
     {
-        yield 'with no route result' => [null, 'GET,POST,PUT,PATCH,DELETE,OPTIONS'];
-        yield 'with failed route result' => [RouteResult::fromRouteFailure(['POST', 'GET']), 'POST,GET'];
-        yield 'with success route result' => [
-            RouteResult::fromRoute(
-                new Route('/', middleware(function (): void {
-                }), ['DELETE', 'PATCH', 'PUT']),
-            ),
-            'DELETE,PATCH,PUT',
-        ];
+        yield 'no allow header in response' => [null, 'GET,POST,PUT,PATCH,DELETE'];
+        yield 'allow header in response' => ['POST,GET', 'POST,GET'];
+        yield 'also allow header in response' => ['DELETE,PATCH,PUT', 'DELETE,PATCH,PUT'];
     }
 
     /**