Add a generic and simple CORS preflight options handler

Controller/GraphController.php

@@ -14,21 +14,48 @@
 use Symfony\Bundle\FrameworkBundle\Controller\Controller;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
 
 class GraphController extends Controller
 {
     public function endpointAction(Request $request, $schemaName = null)
     {
-        $payload = $this->processNormalQuery($request, $schemaName);
-
-        return new JsonResponse($payload, 200);
+        return $this->createResponse($request, $schemaName, false);
     }
 
     public function batchEndpointAction(Request $request, $schemaName = null)
     {
-        $payloads = $this->processBatchQuery($request, $schemaName);
+        return $this->createResponse($request, $schemaName, true);
+    }
+
+    private function createResponse(Request $request, $schemaName, $batched)
+    {
+        if (
+            $this->container->getParameter('overblog_graphql.handle_cors_preflight_options')
+            && $request->headers->has('Origin')
+            && 'OPTIONS' === $request->getMethod()
+        ) {
+            $response = new Response('', 200);
+            $response->headers->set('Access-Control-Allow-Origin', $request->headers->get('Origin'));
+            $response->headers->set('Access-Control-Allow-Credentials', 'true');
+            $response->headers->set('Access-Control-Allow-Headers', 'Content-Type, Authorization');
+            $response->headers->set('Access-Control-Allow-Methods', 'OPTIONS, GET, POST');
+            $response->headers->set('Access-Control-Max-Age', 3600);
+
+            return $response;
+        }
+
+        if (!in_array($request->getMethod(), ['POST', 'GET'])) {
+            return new Response('', 405);
+        }
 
-        return new JsonResponse($payloads, 200);
+        if ($batched) {
+            $payload = $this->processBatchQuery($request, $schemaName);
+        } else {
+            $payload = $this->processNormalQuery($request, $schemaName);
+        }
+
+        return new JsonResponse($payload, 200);
     }
 
     private function processBatchQuery(Request $request, $schemaName = null)

DependencyInjection/Configuration.php

@@ -160,6 +160,7 @@ public function getConfigTreeBuilder()
                     ->children()
                         ->append($this->addSecurityQuerySection('query_max_depth', QueryDepth::DISABLED))
                         ->append($this->addSecurityQuerySection('query_max_complexity', QueryComplexity::DISABLED))
+                        ->booleanNode('handle_cors_preflight_options')->defaultFalse()->end()
                     ->end()
                 ->end()
                 ->arrayNode('versions')

DependencyInjection/OverblogGraphQLExtension.php

@@ -115,8 +115,9 @@ private function treatConfigs(array $configs, ContainerBuilder $container, $forc
 
     private function setSecurity(array $config, ContainerBuilder $container)
     {
-        $container->setParameter($this->getAlias().'.query_max_depth', $config['security']['query_max_depth']);
-        $container->setParameter($this->getAlias().'.query_max_complexity', $config['security']['query_max_complexity']);
+        foreach ($config['security'] as $key => $value) {
+            $container->setParameter($this->getAlias().'.'.$key, $value);
+        }
     }
 
     private function setGraphiQLTemplate(array $config, ContainerBuilder $container)

Resources/doc/security/handle-cors-preflight-option.md

@@ -0,0 +1,24 @@
+Handle CORS preflight options
+=============================
+
+The bundle comes out of the box with a generic and simple CORS (Cross-Origin Resource Sharing) preflight options handler 
+but we recommends using [NelmioCorsBundle](https://github.com/nelmio/NelmioCorsBundle) for more flexibility... 
+
+The handler is disabled by default. To enabled it:
+
+```yaml
+overblog_graphql:
+    # ...
+    security:
+        handle_cors_preflight_options: true
+```
+
+Here the values of the headers that will be returns on preflight request:
+
+Headers                          | Value
+-------------------------------- | ---------------------------------------
+Access-Control-Allow-Origin      | the value of the request Origin header
+Access-Control-Allow-Credentials | 'true'
+Access-Control-Allow-Headers     | 'Content-Type, Authorization'
+Access-Control-Allow-Methods     | 'OPTIONS, GET, POST'
+Access-Control-Max-Age           | 3600

Resources/doc/security/index.md

@@ -1,6 +1,7 @@
 Security
 ========
 
+* [Handle CORS preflight options](handle-cors-preflight-option.md)
 * [Fields access control](fields-access-control.md)
 * [Fields public control](fields-public-control.md)
 * [Limiting query depth](limiting-query-depth.md)

Tests/Functional/App/config/connectionWithCORSPreflightOptions/config.yml

@@ -0,0 +1,9 @@
+imports:
+    - { resource: ../connection/config.yml }
+
+parameters:
+    overblog_graphql.type_class_namespace: "Overblog\\GraphQLBundle\\ConnectionWithCORSPreflightOptions\\__DEFINITIONS__"
+
+overblog_graphql:
+    security:
+        handle_cors_preflight_options: true

Tests/Functional/Controller/GraphControllerTest.php

@@ -69,7 +69,7 @@ class GraphControllerTest extends TestCase
      */
     public function testEndpointAction($uri)
     {
-        $client = static::createClient(['test_case' => 'connection']);
+        $client = static::createClient(['test_case' => 'connectionWithCORSPreflightOptions']);
 
         $client->request('GET', $uri, ['query' => $this->friendsQuery], [], ['CONTENT_TYPE' => 'application/graphql']);
         $result = $client->getResponse()->getContent();
@@ -265,4 +265,24 @@ public function testBatchEndpointWithInvalidQuery()
         $client->request('GET', '/batch', [], [], ['CONTENT_TYPE' => 'application/json'], '{"test" : {"query": 1}}');
         $client->getResponse()->getContent();
     }
+
+    public function testPreflightedRequestWhenDisabled()
+    {
+        $client = static::createClient(['test_case' => 'connection']);
+        $client->request('OPTIONS', '/', [], [], ['HTTP_Origin' => 'http://example.com']);
+        $this->assertEquals(405, $client->getResponse()->getStatusCode());
+    }
+
+    public function testPreflightedRequestWhenEnabled()
+    {
+        $client = static::createClient(['test_case' => 'connectionWithCORSPreflightOptions']);
+        $client->request('OPTIONS', '/', [], [], ['HTTP_Origin' => 'http://example.com']);
+        $response = $client->getResponse();
+        $this->assertEquals(200, $response->getStatusCode());
+        $this->assertEquals('http://example.com', $response->headers->get('Access-Control-Allow-Origin'));
+        $this->assertEquals('OPTIONS, GET, POST', $response->headers->get('Access-Control-Allow-Methods'));
+        $this->assertEquals('true', $response->headers->get('Access-Control-Allow-Credentials'));
+        $this->assertEquals('Content-Type, Authorization', $response->headers->get('Access-Control-Allow-Headers'));
+        $this->assertEquals(3600, $response->headers->get('Access-Control-Max-Age'));
+    }
 }

composer.json

@@ -40,6 +40,7 @@
         "webonyx/graphql-php": "^0.9.4"
     },
     "suggest": {
+        "nelmio/cors-bundle": "For more flexibility when using CORS prefight",
         "twig/twig": "If you want to use graphiQL.",
         "react/promise": "To use ReactPHP promise adapter"
     },