Controller Filters

Controller Filters allow you to perform actions either before or after the controllers execute. Unlike events, you can choose the specific URIs in which the filters will be applied to. Incoming filters may modify the Request while after filters can act on and even modify the Response, allowing for a lot of flexibility and power. Some common examples of tasks that might be performed with filters are:

  • Performing CSRF protection on the incoming requests

  • Restricting areas of your site based upon their Role

  • Perform rate limiting on certain endpoints

  • Display a “Down for Maintenance” page

  • Perform automatic content negotiation

  • and more…

Creating a Filter

Filters are simple classes that implement CodeIgniter\Filters\FilterInterface. They contain two methods: before() and after() which hold the code that will run before and after the controller respectively. Your class must contain both methods but may leave the methods empty if they are not needed. A skeleton filter class looks like:

<?php

namespace App\Filters;

use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;
use CodeIgniter\Filters\FilterInterface;

class MyFilter implements FilterInterface
{
    public function before(RequestInterface $request, $arguments = null)
    {
        // Do something here
    }

    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
    {
        // Do something here
    }
}

Before Filters

From any filter, you can return the $request object and it will replace the current Request, allowing you to make changes that will still be present when the controller executes.

Since before filters are executed prior to your controller being executed, you may at times want to stop the actions in the controller from happening. Also, when you have a series of filters you may also want to stop the execution of the later filters after a certain filter. You can easily do this by returning any non-empty result. If the before filter returns an empty result, the controller actions or the later filters will still be executed. An exception to the non-empty result rule is the Request instance. Returning it in the before filter will not stop the execution but only replace the current $request object.

This is typically used to perform redirects, like in this example:

public function before(RequestInterface $request, $arguments = null)
{
    $auth = service('auth');

    if (! $auth->isLoggedIn()) {
        return redirect()->to(site_url('login'));
    }
}

If a Response instance is returned, the Response will be sent back to the client and script execution will stop. This can be useful for implementing rate limiting for APIs. See Throttler for an example.

After Filters

After filters are nearly identical to before filters, except that you can only return the $response object, and you cannot stop script execution. This does allow you to modify the final output, or simply do something with the final output. This could be used to ensure certain security headers were set the correct way, or to cache the final output, or even to filter the final output with a bad words filter.

Configuring Filters

Once you’ve created your filters, you need to configure when they get run. This is done in app/Config/Filters.php. This file contains four properties that allow you to configure exactly when the filters run.

Note

The safest way to apply filters is to disable auto-routing, and set filters to routes.

Warning

It is recommended that you should always add * at the end of a URI in the filter settings. Because a controller method might be accessible by different URLs than you think. For example, when auto-routing is enabled, if you have Blog::index, it can be accessible with blog, blog/index, and blog/index/1, etc.

$aliases

The $aliases array is used to associate a simple name with one or more fully-qualified class names that are the filters to run:

public $aliases = [
    'csrf' => \CodeIgniter\Filters\CSRF::class,
];

Aliases are mandatory and if you try to use a full class name later, the system will throw an error. Defining them in this way makes it simple to switch out the class used. Great for when you decided you need to change to a different authentication system since you only change the filter’s class and you’re done.

You can combine multiple filters into one alias, making complex sets of filters simple to apply:

public $aliases = [
    'apiPrep' => [
        \App\Filters\Negotiate::class,
        \App\Filters\ApiAuth::class,
    ]
];

You should define as many aliases as you need.

$globals

The second section allows you to define any filters that should be applied to every request made by the framework. You should take care with how many you use here, since it could have performance implications to have too many run on every request. Filters can be specified by adding their alias to either the before or after array:

public $globals = [
    'before' => [
        'csrf',
    ],
    'after' => [],
];

There are times where you want to apply a filter to almost every request, but have a few that should be left alone. One common example is if you need to exclude a few URI’s from the CSRF protection filter to allow requests from third-party websites to hit one or two specific URI’s, while keeping the rest of them protected. To do this, add an array with the ‘except’ key and a URI to match as the value alongside the alias:

public $globals = [
    'before' => [
        'csrf' => ['except' => 'api/*'],
    ],
    'after' => [],
];

Any place you can use a URI in the filter settings, you can use a regular expression or, like in this example, use an asterisk for a wildcard that will match all characters after that. In this example, any URL’s starting with api/ would be exempted from CSRF protection, but the site’s forms would all be protected. If you need to specify multiple URI’s you can use an array of URI patterns:

public $globals = [
    'before' => [
        'csrf' => ['except' => ['foo/*', 'bar/*']],
    ],
    'after' => [],
];

$methods

You can apply filters to all requests of a certain HTTP method, like POST, GET, PUT, etc. In this array, you would specify the method name in lowercase. It’s value would be an array of filters to run. Unlike the $globals or the $filters properties, these will only run as before filters:

public $methods = [
    'post' => ['foo', 'bar'],
    'get'  => ['baz'],
]

In addition to the standard HTTP methods, this also supports one special case: ‘cli’. The ‘cli’ method would apply to all requests that were run from the command line.

$filters

This property is an array of filter aliases. For each alias, you can specify before and after arrays that contain a list of URI patterns that filter should apply to:

public filters = [
    'foo' => ['before' => ['admin/*'], 'after' => ['users/*']],
    'bar' => ['before' => ['api/*', 'admin/*']],
];

Filter arguments

When configuring filters, additional arguments may be passed to a filter when setting up the route:

$routes->add('users/delete/(:segment)', 'AdminController::index', ['filter' => 'admin-auth:dual,noreturn']);

In this example, the array ['dual', 'noreturn'] will be passed in $arguments to the filter’s before() and after() implementation methods.

Provided Filters

The filters bundled with CodeIgniter4 are: Honeypot, CSRF, InvalidChars, SecureHeaders, and DebugToolbar.

Note

The filters are executed in the order defined in the config file. However, if enabled, DebugToolbar is always executed last because it should be able to capture everything that happens in the other filters.

SecureHeaders

This filter adds HTTP response headers that your application can use to increase the security of your application.

If you want to customize the headers, extend CodeIgniter\Filters\SecureHeaders and override the $headers property. And change the $aliases property in app/Config/Filters.php:

public $aliases = [
    ...
    'secureheaders' => \App\Filters\SecureHeaders::class,
];

If you want to know about secure headers, see OWASP Secure Headers Project.