RequireScopeMiddleware
The PSR-15 guard that decides whether a request may proceed, reading the {@see AuthContext} that {@see AuthenticateMiddleware} (or {@see StartSession}) attached under {@see AuthenticateMiddleware::ATTRIBUTE}. It is the fail-closed gate the whole pipeline exists for, and it distinguishes three refusals so the caller learns exactly what to fix: - no context on the request at all → 401 {@see AuthContextMissingException::notAttached()} (the pipeline is misconfigured — this guard ran before anything produced a context); - a context, but anonymous or invalid → 401 {@see AuthContextMissingException::unauthenticated()} (the request never authenticated); - authenticated, but holding none of the required scopes → 403 {@see ScopeDeniedException}. It passes through only when the actor holds at least one required scope. An instance built with no scopes therefore denies every request — a deliberately fail-closed footgun, not a pass-all.
RequireScopeMiddleware::__construct()
public function __construct(string ...$scopes):Parameters
| Name | Type | Description |
|---|---|---|
| $scopes | string | the scopes any one of which admits the request |
RequireScopeMiddleware::process()
public function process(Psr\Http\Message\ServerRequestInterface $request, Psr\Http\Server\RequestHandlerInterface $handler): Psr\Http\Message\ResponseInterfaceAuthorizes the request against the attached {@see AuthContext}, or throws a typed, learnable denial ({@see AuthContextMissingException} for 401, {@see ScopeDeniedException} for 403). Passes the request on untouched when a required scope is held.
Parameters
| Name | Type | Description |
|---|---|---|
| $request | Psr\Http\Message\ServerRequestInterface | |
| $handler | Psr\Http\Server\RequestHandlerInterface |