Add new CORS configuration options

2026-02-28 04:03:12 +08:00 · 2025-07-05 10:34:50 +02:00
parent c8e3b3df0a
commit 92d7a44cee
7 changed files with 74 additions and 17 deletions
--- a/module/Rest/config/dependencies.config.php
+++ b/module/Rest/config/dependencies.config.php
@@ -115,7 +115,7 @@ return [
            RedirectRule\ShortUrlRedirectRuleService::class,
        ],

-        Middleware\CrossDomainMiddleware::class => ['config.cors'],
+        Middleware\CrossDomainMiddleware::class => [Config\Options\CorsOptions::class],
        Middleware\ShortUrl\DropDefaultDomainFromRequestMiddleware::class => [
            Config\Options\UrlShortenerOptions::class,
        ],
--- a/module/Rest/src/Middleware/CrossDomainMiddleware.php
+++ b/module/Rest/src/Middleware/CrossDomainMiddleware.php
@@ -10,12 +10,13 @@ use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
 use Psr\Http\Server\MiddlewareInterface;
 use Psr\Http\Server\RequestHandlerInterface;
+use Shlinkio\Shlink\Core\Config\Options\CorsOptions;

 use function implode;

-class CrossDomainMiddleware implements MiddlewareInterface, RequestMethodInterface
+readonly class CrossDomainMiddleware implements MiddlewareInterface, RequestMethodInterface
 {
-    public function __construct(private array $config)
+    public function __construct(private CorsOptions $options)
    {
    }

@@ -27,7 +28,7 @@ class CrossDomainMiddleware implements MiddlewareInterface, RequestMethodInterfa
        }

        // Add Allow-Origin header
-        $response = $response->withHeader('Access-Control-Allow-Origin', '*');
+        $response = $this->options->responseWithAllowOrigin($request, $response);
        if ($request->getMethod() !== self::METHOD_OPTIONS) {
            return $response;
        }
@@ -40,7 +41,7 @@ class CrossDomainMiddleware implements MiddlewareInterface, RequestMethodInterfa
        $corsHeaders = [
            'Access-Control-Allow-Methods' => $this->resolveCorsAllowedMethods($response),
            'Access-Control-Allow-Headers' => $request->getHeaderLine('Access-Control-Request-Headers'),
-            'Access-Control-Max-Age' => $this->config['max_age'],
+            'Access-Control-Max-Age' => $this->options->maxAge,
        ];

        // Options requests should always be empty and have a 204 status code
--- a/module/Rest/test/Middleware/CrossDomainMiddlewareTest.php
+++ b/module/Rest/test/Middleware/CrossDomainMiddlewareTest.php
@@ -11,6 +11,7 @@ use PHPUnit\Framework\Attributes\Test;
 use PHPUnit\Framework\MockObject\MockObject;
 use PHPUnit\Framework\TestCase;
 use Psr\Http\Server\RequestHandlerInterface;
+use Shlinkio\Shlink\Core\Config\Options\CorsOptions;
 use Shlinkio\Shlink\Rest\Middleware\CrossDomainMiddleware;

 class CrossDomainMiddlewareTest extends TestCase
@@ -20,7 +21,7 @@ class CrossDomainMiddlewareTest extends TestCase

    protected function setUp(): void
    {
-        $this->middleware = new CrossDomainMiddleware(['max_age' => 1000]);
+        $this->middleware = new CrossDomainMiddleware(new CorsOptions(maxAge: 1000));
        $this->handler = $this->createMock(RequestHandlerInterface::class);
    }