/
Cors.php
83 lines (70 loc) · 2.72 KB
/
Cors.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
<?php
namespace atsilex\module\swagger;
use Silex\Application;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
class Cors
{
private $app;
public function __construct(Application $app)
{
$this->app = $app;
}
public function __invoke(Request $request, Response $response)
{
if ($headers = $this->corsHeaders($request, $response->headers->get('Allow'))) {
$response->headers->add($headers);
}
}
private function corsHeaders(Request $request, $allow)
{
$headers = [];
if (!$this->isCorsRequest($request)) {
return array();
}
if ($this->isPreflightRequest($request)) {
$allowedMethods = $this->allowedMethods($request, $allow);
if (!in_array($request->headers->get("Access-Control-Request-Method"), $allowedMethods)) {
return array();
}
// TODO: Allow cors.allowHeaders to be set and use it to validate the request
$headers["Access-Control-Allow-Headers"] = $request->headers->get("Access-Control-Request-Headers");
$headers["Access-Control-Allow-Methods"] = $allowedMethods;
$headers["Access-Control-Max-Age"] = $this->app["cors.maxAge"];
}
else {
$headers["Access-Control-Expose-Headers"] = $this->app["cors.exposeHeaders"];
}
$headers["Access-Control-Allow-Origin"] = $this->allowOrigin($request);
$headers["Access-Control-Allow-Credentials"] = $this->allowCredentials($request);
return array_filter($headers);
}
private function isCorsRequest(Request $request)
{
return $request->headers->has("Origin");
}
private function isPreflightRequest(Request $request)
{
return $request->getMethod() === "OPTIONS" && $request->headers->has("Access-Control-Request-Method");
}
private function allowedMethods(Request $request, $allow)
{
$allowMethods = !is_null($this->app["cors.allowMethods"]) ? $this->app["cors.allowMethods"] : $allow;
return preg_split("/\s*,\s*/", $allowMethods);
}
private function allowOrigin(Request $request)
{
if ($this->app["cors.allowOrigin"] === '*') {
$this->app["cors.allowOrigin"] = null;
}
$origin = $request->headers->get("Origin");
if (is_null($this->app["cors.allowOrigin"])) {
$this->app["cors.allowOrigin"] = $origin;
}
return in_array($origin, preg_split('/\s+/', $this->app["cors.allowOrigin"])) ? $origin : "null";
}
private function allowCredentials(Request $request)
{
return $this->app["cors.allowCredentials"] === true ? "true" : null;
}
}