Add option to match origin with regex patterns

asm89 · Sep 13, 2017 · 919ebd1 · 919ebd1
1 parent 65ccbd4
commit 919ebd1
Show file tree

Hide file tree

Showing 4 changed files with 63 additions and 13 deletions.
diff --git a/README.md b/README.md
@@ -26,12 +26,13 @@ This package can be used as a library or as [stack middleware].
 use Asm89\Stack\CorsService;
 
 $cors = new CorsService(array(
-    'allowedHeaders'      => array('x-allowed-header', 'x-other-allowed-header'),
-    'allowedMethods'      => array('DELETE', 'GET', 'POST', 'PUT'),
-    'allowedOrigins'      => array('localhost'),
-    'exposedHeaders'      => false,
-    'maxAge'              => false,
-    'supportsCredentials' => false,
+    'allowedHeaders'         => array('x-allowed-header', 'x-other-allowed-header'),
+    'allowedMethods'         => array('DELETE', 'GET', 'POST', 'PUT'),
+    'allowedOrigins'         => array('localhost'),
+    'allowedOriginsPatterns' => array('/localhost:\d/'),
+    'exposedHeaders'         => false,
+    'maxAge'                 => false,
+    'supportsCredentials'    => false,
 ));
 
 $cors->addActualRequestHeaders(Response $response, $origin);
@@ -55,6 +56,8 @@ $app = new Cors($app, array(
     'allowedMethods'      => array('DELETE', 'GET', 'POST', 'PUT'),
     // you can use array('*') to allow requests from any origin
     'allowedOrigins'      => array('localhost'),
+    // you can enter regexes that are matched to the origin request header
+    'allowedOriginsPatterns' => array('/localhost:\d/'),
     'exposedHeaders'      => false,
     'maxAge'              => false,
     'supportsCredentials' => false,

diff --git a/src/Asm89/Stack/Cors.php b/src/Asm89/Stack/Cors.php
@@ -28,12 +28,13 @@ class Cors implements HttpKernelInterface
     private $cors;
 
     private $defaultOptions = array(
-        'allowedHeaders'      => array(),
-        'allowedMethods'      => array(),
-        'allowedOrigins'      => array(),
-        'exposedHeaders'      => false,
-        'maxAge'              => false,
-        'supportsCredentials' => false,
+        'allowedHeaders'         => array(),
+        'allowedMethods'         => array(),
+        'allowedOrigins'         => array(),
+        'allowedOriginsPatterns' => array(),
+        'exposedHeaders'         => false,
+        'maxAge'                 => false,
+        'supportsCredentials'    => false,
     );
 
     public function __construct(HttpKernelInterface $app, array $options = array())

diff --git a/src/Asm89/Stack/CorsService.php b/src/Asm89/Stack/CorsService.php
@@ -28,6 +28,7 @@ private function normalizeOptions(array $options = array())
     {
         $options += array(
             'allowedOrigins' => array(),
+            'allowedOriginsPatterns' => array(),
             'supportsCredentials' => false,
             'allowedHeaders' => array(),
             'exposedHeaders' => array(),
@@ -176,7 +177,17 @@ private function checkOrigin(Request $request)
         }
         $origin = $request->headers->get('Origin');
 
-        return in_array($origin, $this->options['allowedOrigins']);
+        if (in_array($origin, $this->options['allowedOrigins'])) {
+            return true;
+        }
+
+        foreach ($this->options['allowedOriginsPatterns'] as $pattern) {
+            if (preg_match($pattern, $origin)) {
+                return true;
+            }
+        }
+
+        return false;
     }
 
     private function checkMethod(Request $request)

diff --git a/test/Asm89/Stack/CorsTest.php b/test/Asm89/Stack/CorsTest.php
@@ -206,6 +206,23 @@ public function it_returns_access_control_headers_on_cors_request()
         $this->assertEquals('localhost', $response->headers->get('Access-Control-Allow-Origin'));
     }
 
+    /**
+     * @test
+     */
+    public function it_returns_access_control_headers_on_cors_request_with_pattern_origin()
+    {
+        $app = $this->createStackedApp(array(
+          'allowedOrigins' => array(),
+          'allowedOriginsPatterns' => array('/l(o|0)calh(o|0)st/')
+        ));
+        $request  = $this->createValidActualRequest();
+
+        $response = $app->handle($request);
+
+        $this->assertTrue($response->headers->has('Access-Control-Allow-Origin'));
+        $this->assertEquals('localhost', $response->headers->get('Access-Control-Allow-Origin'));
+    }
+
     /**
      * @test
      */
@@ -250,6 +267,24 @@ public function it_does_not_modify_request_with_origin_not_allowed()
         $this->assertEquals($response, new Response());
     }
 
+    /**
+     * @test
+     */
+    public function it_does_not_modify_request_with_pattern_origin_not_allowed()
+    {
+        $passedOptions = array(
+            'allowedOrigins' => array(),
+            'allowedOriginsPatterns' => array('/l\dcalh\dst/')
+        );
+
+        $service  = new CorsService($passedOptions);
+        $request  = $this->createValidActualRequest();
+        $response = new Response();
+        $service->addActualRequestHeaders($response, $request);
+
+        $this->assertEquals($response, new Response());
+    }
+
     /**
      * @test
      */