From 834bc4ae20a2803dc503bbfc248398cede9748e4 Mon Sep 17 00:00:00 2001
From: Alejandro Celaya
Date: Tue, 8 Jul 2025 10:36:12 +0200
Subject: [PATCH] Allow credentials to be enabled in CORS

---
 module/Core/src/Config/Options/CorsOptions.php | 8 +++++---
 module/Rest/src/Middleware/CrossDomainMiddleware.php | 4 ++++
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/module/Core/src/Config/Options/CorsOptions.php b/module/Core/src/Config/Options/CorsOptions.php
index 041503b6..efc6ae1c 100644
--- a/module/Core/src/Config/Options/CorsOptions.php
+++ b/module/Core/src/Config/Options/CorsOptions.php
@@ -8,6 +8,7 @@ use Shlinkio\Shlink\Core\Config\EnvVars;
 
 use function Shlinkio\Shlink\Core\ArrayUtils\contains;
 use function Shlinkio\Shlink\Core\splitByComma;
+use function strtolower;
 
 final readonly class CorsOptions
 {
@@ -21,9 +22,10 @@ final readonly class CorsOptions
 public bool $allowCredentials = false,
 public int $maxAge = 3600,
 ) {
- $this->allowOrigins = $allowOrigins !== '*' && $allowOrigins !== self::ORIGIN_PATTERN
- ? splitByComma($allowOrigins)
- : $allowOrigins;
+ $lowerCaseAllowOrigins = strtolower($allowOrigins);
+ $this->allowOrigins = contains($lowerCaseAllowOrigins, ['*', self::ORIGIN_PATTERN])
+ ? $lowerCaseAllowOrigins
+ : splitByComma($lowerCaseAllowOrigins);
 }
 
 public static function fromEnv(): self
diff --git a/module/Rest/src/Middleware/CrossDomainMiddleware.php b/module/Rest/src/Middleware/CrossDomainMiddleware.php
index 4e3409d2..37360e2e 100644
--- a/module/Rest/src/Middleware/CrossDomainMiddleware.php
+++ b/module/Rest/src/Middleware/CrossDomainMiddleware.php
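Review bot: In the CorsOptions constructor (second hunk of CorsOptions.php), `allowCredentials` is accepted together with an `allowOrigins` of `*` or `self::ORIGIN_PATTERN` without any check, and the CrossDomainMiddleware.php hunk then sends `Access-Control-Allow-Credentials: true` for that configuration as well. Browsers refuse credentialed responses whose allowed origin is `*`, and if ORIGIN_PATTERN makes the middleware echo the request's origin (its value and use are outside this diff), pairing it with credentials lets any site read authenticated responses. I would reject the pair where the value is normalised, e.g. `if ($allowCredentials && contains($lowerCaseAllowOrigins, ['*', self::ORIGIN_PATTERN])) { throw new InvalidArgumentException('CORS credentials require an explicit origin list'); }`, or at least document the restriction on the option. The same lines compare the lower-cased input with `self::ORIGIN_PATTERN`, so that constant has to be lower case itself; the constructor's signature starts outside the hunk.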
@@ -44,6 +44,10 @@ readonly class CrossDomainMiddleware implements MiddlewareInterface, RequestMeth
 'Access-Control-Max-Age' => $this->options->maxAge,
 ];
 
+ if ($this->options->allowCredentials) {
+ $corsHeaders['Access-Control-Allow-Credentials'] = 'true';
+ }
+
 // Options requests should always be empty and have a 204 status code
 return EmptyResponse::withHeaders([...$response->getHeaders(), ...$corsHeaders]);
 }
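Review bot: `Access-Control-Allow-Credentials` is added only on the path that builds the empty preflight response; the method starts outside the hunk and the diffstat shows no other additions in this file, so the non-OPTIONS branch appears to be unchanged. Browsers need the header on the actual response as well as on the preflight before they expose a credentialed response to the calling page, so it is worth confirming that the earlier branch sets it and covering both paths with a test. If the allowed origin is computed per request, responses carrying these headers should also send `Vary: Origin` so a shared cache does not serve one origin's CORS headers to another. A short comment above the new `if`, such as `// Credentials are only honoured by browsers when Allow-Origin names a single origin`, would record the constraint for the next reader.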