symfony
diff --git a/‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
Lines changed: 4 additions & 0 deletions b/‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
Lines changed: 4 additions & 0 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Resources/config/security.php
Lines changed: 7 additions & 0 deletions b/‎src/Symfony/Bundle/SecurityBundle/Resources/config/security.php
Lines changed: 7 additions & 0 deletions
diff --git a/‎src/Symfony/Component/Security/Http/Attribute/IsSignatureValid.php
Lines changed: 42 additions & 0 deletions b/‎src/Symfony/Component/Security/Http/Attribute/IsSignatureValid.php
Lines changed: 42 additions & 0 deletions
diff --git a/‎src/Symfony/Component/Security/Http/CHANGELOG.md
Lines changed: 5 additions & 0 deletions b/‎src/Symfony/Component/Security/Http/CHANGELOG.md
Lines changed: 5 additions & 0 deletions
diff --git a/‎src/Symfony/Component/Security/Http/EventListener/IsSignatureValidAttributeListener.php
Lines changed: 61 additions & 0 deletions b/‎src/Symfony/Component/Security/Http/EventListener/IsSignatureValidAttributeListener.php
Lines changed: 61 additions & 0 deletions
@@ -59,6 +59,7 @@
 use Symfony\Component\Security\Core\User\ChainUserProvider;
 use Symfony\Component\Security\Core\User\UserCheckerInterface;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
+use Symfony\Component\Security\Http\Attribute\IsSignatureValid;
 use Symfony\Component\Security\Http\Authentication\ExposeSecurityLevel;
 use Symfony\Component\Security\Http\Authenticator\Debug\TraceableAuthenticator;
 use Symfony\Component\Security\Http\Authenticator\Debug\TraceableAuthenticatorManagerListener;
@@ -133,6 +134,9 @@ public function load(array $configs, ContainerBuilder $container): void
             $container->removeDefinition('form.type_extension.form.password_hasher');
             $container->removeDefinition('form.type_extension.password.password_hasher');
         }
+        if (!class_exists(IsSignatureValid::class)) {
+            $container->removeDefinition('controller.is_signature_valid_attribute_listener');
+        }
 
         // set some global scalars
         $container->setParameter('security.access.denied_url', $config['access_denied_url']);
 
@@ -48,6 +48,7 @@
 use Symfony\Component\Security\Http\Controller\SecurityTokenValueResolver;
 use Symfony\Component\Security\Http\Controller\UserValueResolver;
 use Symfony\Component\Security\Http\EventListener\IsGrantedAttributeListener;
+use Symfony\Component\Security\Http\EventListener\IsSignatureValidAttributeListener;
 use Symfony\Component\Security\Http\Firewall;
 use Symfony\Component\Security\Http\FirewallMapInterface;
 use Symfony\Component\Security\Http\HttpUtils;
@@ -323,5 +324,11 @@
         ->set('cache.security_is_csrf_token_valid_attribute_expression_language')
             ->parent('cache.system')
             ->tag('cache.pool')
+
+        ->set('controller.is_signature_valid_attribute_listener', IsSignatureValidAttributeListener::class)
+            ->args([
+                service('uri_signer'),
+            ])
+            ->tag('kernel.event_subscriber')
     ;
 };
@@ -0,0 +1,42 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\Attribute;
+
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpFoundation\UriSigner;
+
+/**
+ * Attribute to ensure the request URI contains a valid signature before allowing controller execution.
+ *
+ * When applied, this attribute verifies that the request is signed and the signature is still valid (e.g., not expired).
+ * Behavior can be customized to either return a specific HTTP status code or throw an exception to be handled globally.
+ *
+ * @author Santiago San Martin <sanmartindev@gmail.com>
+ */
+#[\Attribute(\Attribute::IS_REPEATABLE | \Attribute::TARGET_CLASS | \Attribute::TARGET_METHOD | \Attribute::TARGET_FUNCTION)]
+final class IsSignatureValid
+{
+    /**
+     * @param int|null     $validationFailedStatusCode The HTTP status code to return if the signature is invalid
+     * @param bool|null    $throw                      If true, a {@see \Symfony\Component\HttpFoundation\Exception\SignedUriException} is thrown on signature failure instead of returning a response
+     * @param array|string $methods                    HTTP methods that require signature validation
+     */
+    public function __construct(
+        public ?int $validationFailedStatusCode = Response::HTTP_NOT_FOUND,
+        public ?bool $throw = null,
+        public array|string $methods = [],
+    ) {
+        if ($this->throw && !method_exists(UriSigner::class, 'verify')) {
+            throw new \LogicException('The method UriSigner::verify is required. Please upgrade symfony/http-foundation to 7.4 version or ensure it is correctly installed.');
+        }
+    }
+}
@@ -1,6 +1,11 @@
 CHANGELOG
 =========
 
+7.4
+---
+
+ * Add `#[IsSignatureValid]` attribute to validate URI signatures
+
 7.3
 ---
 
 
@@ -0,0 +1,61 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\EventListener;
+
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Component\HttpFoundation\UriSigner;
+use Symfony\Component\HttpKernel\Event\ControllerArgumentsEvent;
+use Symfony\Component\HttpKernel\Exception\HttpException;
+use Symfony\Component\HttpKernel\KernelEvents;
+use Symfony\Component\Security\Http\Attribute\IsSignatureValid;
+
+/**
+ * Handles the IsSignatureValid attribute.
+ *
+ * @author Santiago San Martin <sanmartindev@gmail.com>
+ */
+class IsSignatureValidAttributeListener implements EventSubscriberInterface
+{
+    public function __construct(
+        private readonly UriSigner $uriSigner,
+    ) {
+    }
+
+    public function onKernelControllerArguments(ControllerArgumentsEvent $event): void
+    {
+        /** @var IsSignatureValid[] $attributes */
+        if (!\is_array($attributes = $event->getAttributes()[IsSignatureValid::class] ?? null)) {
+            return;
+        }
+
+        $request = $event->getRequest();
+        foreach ($attributes as $attribute) {
+            $methods = \array_map('strtoupper', (array) $attribute->methods);
+            if ($methods && !\in_array($request->getMethod(), $methods, true)) {
+                continue;
+            }
+
+            if ($attribute->throw) {
+                $this->uriSigner->verify($request);
+                continue;
+            }
+            if (!$this->uriSigner->checkRequest($request)) {
+                throw new HttpException($attribute->validationFailedStatusCode, 'The URI signature is invalid.');
+            }
+        }
+    }
+
+    public static function getSubscribedEvents(): array
+    {
+        return [KernelEvents::CONTROLLER_ARGUMENTS => ['onKernelControllerArguments', 30]];
+    }
+}