Added ROUTE::OPTIONAL_SECURED

[vjirovsky]

This option for route allows to access route via both HTTP&HTTPS without
redirection.
Href URLs will be generated in currently used protocol.

[Majkl578]

Wrong coding style, should be in upper case.

[stepansvoboda]

...FALSE should be in uppercase for clarification

[Majkl578]

👍 for the idea, 👎 for the implementation.

I currently do the following in my routes factory to achieve this behavior:

if ($request->isSecured()) {
    Route::$defaultFlags |= Route::SECURED;
}

[vjirovsky]

I think this implementation is worse, it has unwanted behavior - it will set to every route this property. In my implementation you can select which routes have this property.

[milo]

OPTIONALLY_SECURED is gramatically right

[vjirovsky]

i will commit grammatical fix later

[milo]

I like the idea too. I'm using it often in private applications. @Majkl578 solution is often used as:

$optionallySecured = $request->isSecured() ? Route::SECURED : 0;

new Route(..., ..., Route::FLAG | $optionallySecured);

[Majkl578]

I think this implementation is worse, it has unwanted behavior - it will set to every route this property.

You can't generalize it like this. It may or may not be an intended behavior. Since I make apps using Facebook, it's intended. Otherwise I use more-or-less what @milo mentioned:

new Route(..., ..., Route::$defaultFlags | $optionallySecured);

[vjirovsky]

You can't generalize it like this. It may or may not be an intended behavior.

It may be inteded behavior (depends on project), but as default I would like to keep existing state.
In fact this behavior is BC - because if somebody will have routes in this order:

1. HTTP route index.php ("Go over https!")
2. HTTPS route index.php ("Hi man!")
   => first route will match even https version of index.php

Solution of @milo is fine, but I think is less userfriendly for beginners (why to explain bit OR to beginner during routing).

[fprochazka]

Please do not save the state here, it's not neccessary and makes it harder to test router.

[fprochazka]

@vjirovsky great idea 👍

[f3l1x]

I use same code as @Majkl578

if ($request->isSecured()) {
    Route::$defaultFlags |= Route::SECURED;
}

[hrach]

This issue is mostly problematic because developers realize it quite late - after deploying application into a production. Till then, they expect routing will work as same as it ignores domain names. The route doesn't force any protocol, so this behavior should be the default one.

[f3l1x]

@hrach I force it at Nginx mainly.

[hrach]

@f3l1x please follow the text, so do I, so does everyone.

[JanTvrdik]

The route doesn't force any protocol, so this behavior should be the default one.

👍 Can anyone think of some negative impact?

Current default behavior (correct me please if I'm wrong) is to accept (match) both HTTP and HTTPS requests but generate always HTTP unless SECURED flag is set.

Behavior matrix to summarize

Accept	Generates	Note
HTTP only	HTTP	now impossible
HTTP and HTTPS	HTTP	current default behavior
HTTP and HTTPS	HTTPS	behavior with SECURED flag
HTTP and HTTPS	COPY	proposed behavior
HTTPS only	HTTPS	now impossible

[Majkl578]

I'm not sure whether running both HTTP & HTTPS is still an issue nowadays...
Web is moving towards TLS only -- we have HTTP/2 that requires TLS, we also have free certificates provided by Let's Encrypt.

[milo]

Idea: What about not to update Route, but:
a) add example code to sandbox's bootstrap commented out, or
b) adjust router factory in sandbox to control this functionality

It will warn people that there is something to configure.

[dg]

IMHO default behavior can be changed to copy protocol when route mask doesn't contain domain or when generated domain is the same as current domain (+subdomain).

[JanTvrdik]

IMHO default behavior can be changed to copy protocol

Can this be done in Nette 2.4?