---
Name: requestprocessors
---
# Registers the request middleware on Director and defines the host-check,
# trusted-proxy and rate-limit services used around it.
SilverStripe\Core\Injector\Injector:
  SilverStripe\Control\Director:
    # Note: Don't add 'class' config here, as it will affect ErrorDirector as well
    properties:
      # NOTE(review): presumably applied in the order listed, which puts the
      # trusted-proxy and allowed-hosts checks ahead of session handling -
      # confirm before inserting or reordering entries.
      Middlewares:
        TrustedProxyMiddleware: '%$SilverStripe\Control\Middleware\TrustedProxyMiddleware'
        AllowedHostsMiddleware: '%$SilverStripe\Control\Middleware\AllowedHostsMiddleware'
        SessionMiddleware: '%$SilverStripe\Control\Middleware\SessionMiddleware'
        RequestProcessorMiddleware: '%$SilverStripe\Control\RequestProcessor'
        FlushMiddleware: '%$SilverStripe\Control\Middleware\FlushMiddleware'
        ChangeDetectionMiddleware: '%$SilverStripe\Control\Middleware\ChangeDetectionMiddleware'
        # The key is spelled 'HTTPCacheControle...' although the service it
        # points at is 'HTTPCacheControl...'. Renaming the key would change
        # the name other fragments have to use to address this entry.
        HTTPCacheControleMiddleware: '%$SilverStripe\Control\Middleware\HTTPCacheControlMiddleware'
        CanonicalURLMiddleware: '%$SilverStripe\Control\Middleware\CanonicalURLMiddleware'
  SilverStripe\Control\Middleware\AllowedHostsMiddleware:
    properties:
      # The backticks substitute the SS_ALLOWED_HOSTS environment value.
      # NOTE(review): if that variable is unset the Host header is presumably
      # not restricted by this middleware - confirm, and set it (or enforce the
      # host at the web server) on any internet-facing deployment.
      AllowedHosts: '`SS_ALLOWED_HOSTS`'
  SilverStripe\Control\Middleware\TrustedProxyMiddleware:
    properties:
      # The backticks substitute the SS_TRUSTED_PROXY_IPS environment value.
      # NOTE(review): forwarded client-IP/host/protocol headers should only be
      # honoured from the addresses given here; keep the list as narrow as the
      # deployment allows and confirm the behaviour when it is unset.
      TrustedProxyIPs: '`SS_TRUSTED_PROXY_IPS`'
  # Named rate-limit service. It is not part of Director's Middlewares above;
  # within this file it is only attached to RateLimitedSecurityController.
  SecurityRateLimitMiddleware:
    class: SilverStripe\Control\Middleware\RateLimitMiddleware
    properties:
      ExtraKey: 'Security'
      # NOTE(review): Decay is presumably in minutes, i.e. 10 attempts per
      # minute per rate-limit key - confirm units and what the key is derived
      # from (if it includes the client IP, it depends on TrustedProxyIPs).
      MaxAttempts: 10
      Decay: 1
  # Wraps the Security request handler so that requests to it pass through
  # SecurityRateLimitMiddleware. This fragment only defines the service; the
  # routing that sends requests to it is not visible here.
  RateLimitedSecurityController:
    class: SilverStripe\Control\Middleware\RequestHandlerMiddlewareAdapter
    properties:
      RequestHandler: '%$SilverStripe\Security\Security'
      Middlewares:
        - '%$SecurityRateLimitMiddleware'

---
Name: errorrequestprocessors
After:
  - '#requestprocessors'
---
# Points the ErrorDirector service at the Director definition; loaded after
# the requestprocessors fragment so that definition already exists.
SilverStripe\Core\Injector\Injector:
  # Note: If Director config changes, take note it will affect this config too
  SilverStripe\Core\Startup\ErrorDirector: '%$SilverStripe\Control\Director'


---
Name: canonicalurls
---
# Defaults for CanonicalURLMiddleware: both forced redirects are switched off.
SilverStripe\Core\Injector\Injector:
  SilverStripe\Control\Middleware\CanonicalURLMiddleware:
    properties:
      # NOTE(review): with ForceSSL false this middleware presumably does not
      # redirect HTTP to HTTPS, so HTTPS has to be enforced elsewhere (web
      # server or a project-level override) - confirm for production.
      ForceSSL: false
      ForceWWW: false


---
Name: url_specials-middleware
After:
  - 'requestprocessors'
  - 'coresecurity'
---
# Adds URLSpecialsMiddleware to Director and configures its confirmation
# step, bypasses and permission settings.
SilverStripe\Core\Injector\Injector:
  SilverStripe\Control\Director:
    properties:
      Middlewares:
        URLSpecialsMiddleware: '%$SilverStripe\Control\Middleware\URLSpecialsMiddleware'

  SilverStripe\Control\Middleware\URLSpecialsMiddleware:
    class: SilverStripe\Control\Middleware\URLSpecialsMiddleware
    properties:
      ConfirmationStorageId: 'url-specials'
      ConfirmationFormUrl: '/dev/confirm'
      # Requests matching any bypass skip the confirmation step: CLI runs,
      # the "dev" environment, and the confirmation form path itself.
      # The "dev" bypass means a site left in dev mode gets no confirmation
      # from this middleware.
      Bypasses:
        - '%$SilverStripe\Control\Middleware\ConfirmationMiddleware\CliBypass'
        - '%$SilverStripe\Control\Middleware\ConfirmationMiddleware\EnvironmentBypass("dev")'
        - '%$SilverStripe\Control\Middleware\ConfirmationMiddleware\UrlPathStartswith("dev/confirm")'
      # NOTE(review): presumably requires a logged-in user before the
      # confirmation is accepted, and AffectedPermissions names the permission
      # codes the check applies to - confirm in URLSpecialsMiddleware.
      EnforceAuthentication: true
      AffectedPermissions:
        - ADMIN


---
Name: dev_urls-confirmation-middleware
After:
  - 'url_specials-middleware'
---
# This middleware enforces confirmation (CSRF protection) for all URLs
# that start with "dev/*", with the exception of "dev/build", which is handled
# by url_specials-middleware.

# If you want to make exceptions for some URLs,
# see the "dev_urls-confirmation-exceptions" config.

SilverStripe\Core\Injector\Injector:
  SilverStripe\Control\Director:
    properties:
      Middlewares:
        DevUrlsConfirmationMiddleware: '%$DevUrlsConfirmationMiddleware'

  DevUrlsConfirmationMiddleware:
    class: SilverStripe\Control\Middleware\PermissionAwareConfirmationMiddleware
    constructor:
      # The rule passed to the constructor: URL paths starting with "dev".
      - '%$SilverStripe\Control\Middleware\ConfirmationMiddleware\UrlPathStartswith("dev")'
    properties:
      ConfirmationStorageId: 'dev-urls'
      ConfirmationFormUrl: '/dev/confirm'
      # Requests from the CLI or in the "dev" environment skip confirmation,
      # so a site left in dev mode gets no confirmation step on dev/* URLs.
      Bypasses:
        - '%$SilverStripe\Control\Middleware\ConfirmationMiddleware\CliBypass'
        - '%$SilverStripe\Control\Middleware\ConfirmationMiddleware\EnvironmentBypass("dev")'
      # Unlike URLSpecialsMiddleware, authentication is not enforced here.
      # NOTE(review): this middleware is then presumably a CSRF confirmation
      # only, and access control for dev/* has to come from the handlers
      # behind those URLs - confirm.
      EnforceAuthentication: false
      AffectedPermissions:
        - ADMIN

---
Name: dev_urls-confirmation-exceptions
After:
  - 'dev_urls-confirmation-middleware'
---
# This config is the place to add custom bypasses for modules providing UIs
# on top of DevelopmentAdmin (dev/*).
# Each bypass removes the confirmation step for the requests it matches, so
# keep every entry as narrow as the module allows.

# If the module has its own CSRF protection, the easiest way is to
# simply add UrlPathStartswith with the path to the mount point.
# Example:
#  # This will prevent confirmation for all URLs starting with "dev/custom-module-endpoint/"
#  # WARNING: this won't prevent confirmation for "dev/custom-module-endpoint-suffix/"
#  - '%$SilverStripe\Control\Middleware\ConfirmationMiddleware\UrlPathStartswith("dev/custom-module-endpoint")'

# If the module does not implement its own CSRF protection but exposes all
# dangerous effects through POST, then you could simply exclude GET and HEAD requests
# by using HttpMethodBypass("GET", "HEAD"). In that case GET/HEAD requests will not
# trigger confirmation redirects. This is only safe if no GET or HEAD request
# to the module changes state.
SilverStripe\Core\Injector\Injector:
  DevUrlsConfirmationMiddleware:
    properties:
      # NOTE(review): presumably merged with the Bypasses list defined in
      # dev_urls-confirmation-middleware rather than replacing it - confirm.
      Bypasses:
        # dev/build is covered by URLSpecialsMiddleware
        - '%$SilverStripe\Control\Middleware\ConfirmationMiddleware\UrlPathStartswith("dev/build")'

        # The confirmation form is where people will be redirected for confirmation. We don't want to block it.
        - '%$SilverStripe\Control\Middleware\ConfirmationMiddleware\UrlPathStartswith("dev/confirm")'

        # Allows GET and HEAD requests to the dev index page without confirmation
        - '%$SilverStripe\Control\Middleware\ConfirmationMiddleware\Url("dev", ["GET", "HEAD"])'