Ensured accepted methods on CORS requests are dynamically fetched from route match when possible

2026-03-09 16:53:11 +08:00 · 2019-05-05 09:45:35 +02:00
parent 988de0b96e
commit 320c8e2d6b
2 changed files with 80 additions and 30 deletions
--- a/module/Rest/src/Middleware/CrossDomainMiddleware.php
+++ b/module/Rest/src/Middleware/CrossDomainMiddleware.php
@@ -4,29 +4,19 @@ declare(strict_types=1);
 namespace Shlinkio\Shlink\Rest\Middleware;

 use Fig\Http\Message\RequestMethodInterface;
-use Psr\Http\Message\ResponseInterface as Response;
-use Psr\Http\Message\ServerRequestInterface as Request;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
 use Psr\Http\Server\MiddlewareInterface;
 use Psr\Http\Server\RequestHandlerInterface;
 use Shlinkio\Shlink\Rest\Authentication;
+use Zend\Expressive\Router\RouteResult;

 use function implode;

 class CrossDomainMiddleware implements MiddlewareInterface, RequestMethodInterface
 {
-    /**
-     * Process an incoming server request and return a response, optionally delegating
-     * to the next middleware component to create the response.
-     *
-     * @param Request $request
-     * @param RequestHandlerInterface $handler
-     *
-     * @return Response
-     * @throws \InvalidArgumentException
-     */
-    public function process(Request $request, RequestHandlerInterface $handler): Response
+    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
-        /** @var Response $response */
        $response = $handler->handle($request);
        if (! $request->hasHeader('Origin')) {
            return $response;
@@ -42,13 +32,28 @@ class CrossDomainMiddleware implements MiddlewareInterface, RequestMethodInterfa
            return $response;
        }

-        // Add OPTIONS-specific headers
-        foreach ([
-            'Access-Control-Allow-Methods' => 'GET,POST,PUT,PATCH,DELETE,OPTIONS', // TODO Should be dynamic
-//            'Access-Control-Allow-Methods' => $response->getHeaderLine('Allow'),
+        return $this->addOptionsHeaders($request, $response);
+    }
+
+    private function addOptionsHeaders(ServerRequestInterface $request, ResponseInterface $response): ResponseInterface
+    {
+        /** @var RouteResult $matchedRoute */
+        $matchedRoute = $request->getAttribute(RouteResult::class);
+        $matchedMethods = $matchedRoute !== null ? $matchedRoute->getAllowedMethods() : [
+            self::METHOD_GET,
+            self::METHOD_POST,
+            self::METHOD_PUT,
+            self::METHOD_PATCH,
+            self::METHOD_DELETE,
+            self::METHOD_OPTIONS,
+        ];
+        $corsHeaders = [
+            'Access-Control-Allow-Methods' => implode(',', $matchedMethods),
            'Access-Control-Max-Age' => '1000',
            'Access-Control-Allow-Headers' => $request->getHeaderLine('Access-Control-Request-Headers'),
-        ] as $key => $value) {
+        ];
+
+        foreach ($corsHeaders as $key => $value) {
            $response = $response->withHeader($key, $value);
        }