[Solved] Can URL hooks return a 403 status code if I handle them myself?

[netcarver]

@ryan

I've got a situation where I want to have my URL hook return a 403 in some circumstances (basically, I want to have a particular URL hook act as a webhook destination for Pusher's authentication callback.)  I've been trying to return a 403 by setting the header in the URL hook function and returning bool true from the hook.  However, this always seems to send a 200 response to the caller, despite me trying to set the header myself.

Is there a way to set the status code returned to the caller?   If not, would it be possible to allow integer return values to be taken as the status code to send back to the caller?

[flydev]

Steve, I just tested pusher webhook with a URL Hook, I can get the 403 error code, and the $event->return as true from a chained hook. 

The 403 code is thrown with header('HTTP/1.1 403 Forbidden', true, 403);  

I am forcing params as it could be interpreted differently on web-server basis. Tested on pw 3.0.199-dev.

[netcarver]

@flydev Thanks for jumping in - can you post your URL hook for me to take a look at?

[flydev]

// init.php
$wire->addHook('/webhook', function ($event) {
  // http_response_code(403);
  // or
  header('HTTP/1.1 403 Forbidden', true, 403);
  // no exit, apply server logic
  $event->return = true;
});

// ready.php
$wire->addHook('/webhook', function ($event) {
  $this->log->save('webhook', $event->return);
  // exit();
});

C:\Users\flydev>curl -I -L --insecure https://xx-xx-xx-xx.ngrok.app/webhook 
HTTP/1.1 403 Forbidden
Alt-Svc: h3=":443"; ma=2592000
Cache-Control: no-store, no-cache, must-revalidate
Cache-Status: Souin; fwd=uri-miss; key=https-/webhook--; detail=UNCACHEABLE-STATUS-CODE
Content-Length: 0
Content-Type: text/html; charset=utf-8
Date: Thu, 27 Apr 2023 14:59:36 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Ngrok-Trace-Id: b2213e4460d4a73821ac2041f312d8d9
Pragma: no-cache
Server: Caddy
Set-Cookie: wires=s106arh77i4f9ot1jeh7bvged6; path=/; secure; HttpOnly; SameSite=Lax
Status: 403 Forbidden
X-Powered-By: ProcessWire CMS

Reverse output:

Connections                   ttl     opn     rt1     rt5     p50     p90                                                                                   
                              15      0       0.01    0.02    90.35   151.65                                                                                                                                       
HTTP Requests                                                                                           
-------------                                                                                                                                               
HEAD /webhook                  403 Forbidden
GET  /webhook                  403 Forbidden        

Tracy dump:

ProcessWire\HookEvent
  data: array
    'object' => ProcessWire\ProcessPageView 
    'method' => 'pathHooks'
    'arguments' => array
      0 => '/webhook'
      1 => true
      'path' => '/webhook'
      'return' => true   <=== $event->return
      'replace' => false
      'options' => array
      'id' => 'ProcessPageView:100.0:pathHooks'
      'cancelHooks' => false
      'when' => 'after'

 

[netcarver]

Yup, I missed the full return value in my header(''); call. Just glancing at your code allowed me to spot the issue - thank you.