Ensured accepted methods on CORS requests are dynamically fetched from route match when possible

This commit is contained in:
Alejandro Celaya 2019-05-05 09:45:35 +02:00
parent 988de0b96e
commit 320c8e2d6b
2 changed files with 80 additions and 30 deletions

View File

@ -4,29 +4,19 @@ declare(strict_types=1);
namespace Shlinkio\Shlink\Rest\Middleware; namespace Shlinkio\Shlink\Rest\Middleware;
use Fig\Http\Message\RequestMethodInterface; use Fig\Http\Message\RequestMethodInterface;
use Psr\Http\Message\ResponseInterface as Response; use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface as Request; use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface; use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface; use Psr\Http\Server\RequestHandlerInterface;
use Shlinkio\Shlink\Rest\Authentication; use Shlinkio\Shlink\Rest\Authentication;
use Zend\Expressive\Router\RouteResult;
use function implode; use function implode;
class CrossDomainMiddleware implements MiddlewareInterface, RequestMethodInterface class CrossDomainMiddleware implements MiddlewareInterface, RequestMethodInterface
{ {
/** public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
* Process an incoming server request and return a response, optionally delegating
* to the next middleware component to create the response.
*
* @param Request $request
* @param RequestHandlerInterface $handler
*
* @return Response
* @throws \InvalidArgumentException
*/
public function process(Request $request, RequestHandlerInterface $handler): Response
{ {
/** @var Response $response */
$response = $handler->handle($request); $response = $handler->handle($request);
if (! $request->hasHeader('Origin')) { if (! $request->hasHeader('Origin')) {
return $response; return $response;
@ -42,13 +32,28 @@ class CrossDomainMiddleware implements MiddlewareInterface, RequestMethodInterfa
return $response; return $response;
} }
// Add OPTIONS-specific headers return $this->addOptionsHeaders($request, $response);
foreach ([ }
'Access-Control-Allow-Methods' => 'GET,POST,PUT,PATCH,DELETE,OPTIONS', // TODO Should be dynamic
// 'Access-Control-Allow-Methods' => $response->getHeaderLine('Allow'), private function addOptionsHeaders(ServerRequestInterface $request, ResponseInterface $response): ResponseInterface
{
/** @var RouteResult $matchedRoute */
$matchedRoute = $request->getAttribute(RouteResult::class);
$matchedMethods = $matchedRoute !== null ? $matchedRoute->getAllowedMethods() : [
self::METHOD_GET,
self::METHOD_POST,
self::METHOD_PUT,
self::METHOD_PATCH,
self::METHOD_DELETE,
self::METHOD_OPTIONS,
];
$corsHeaders = [
'Access-Control-Allow-Methods' => implode(',', $matchedMethods),
'Access-Control-Max-Age' => '1000', 'Access-Control-Max-Age' => '1000',
'Access-Control-Allow-Headers' => $request->getHeaderLine('Access-Control-Request-Headers'), 'Access-Control-Allow-Headers' => $request->getHeaderLine('Access-Control-Request-Headers'),
] as $key => $value) { ];
foreach ($corsHeaders as $key => $value) {
$response = $response->withHeader($key, $value); $response = $response->withHeader($key, $value);
} }

View File

@ -10,63 +10,108 @@ use Psr\Http\Server\RequestHandlerInterface;
use Shlinkio\Shlink\Rest\Middleware\CrossDomainMiddleware; use Shlinkio\Shlink\Rest\Middleware\CrossDomainMiddleware;
use Zend\Diactoros\Response; use Zend\Diactoros\Response;
use Zend\Diactoros\ServerRequest; use Zend\Diactoros\ServerRequest;
use Zend\Expressive\Router\Route;
use Zend\Expressive\Router\RouteResult;
use function Zend\Stratigility\middleware;
class CrossDomainMiddlewareTest extends TestCase class CrossDomainMiddlewareTest extends TestCase
{ {
/** @var CrossDomainMiddleware */ /** @var CrossDomainMiddleware */
private $middleware; private $middleware;
/** @var ObjectProphecy */ /** @var ObjectProphecy */
private $delegate; private $handler;
public function setUp(): void public function setUp(): void
{ {
$this->middleware = new CrossDomainMiddleware(); $this->middleware = new CrossDomainMiddleware();
$this->delegate = $this->prophesize(RequestHandlerInterface::class); $this->handler = $this->prophesize(RequestHandlerInterface::class);
} }
/** @test */ /** @test */
public function nonCrossDomainRequestsAreNotAffected() public function nonCrossDomainRequestsAreNotAffected(): void
{ {
$originalResponse = new Response(); $originalResponse = new Response();
$this->delegate->handle(Argument::any())->willReturn($originalResponse)->shouldBeCalledOnce(); $this->handler->handle(Argument::any())->willReturn($originalResponse)->shouldBeCalledOnce();
$response = $this->middleware->process(new ServerRequest(), $this->delegate->reveal()); $response = $this->middleware->process(new ServerRequest(), $this->handler->reveal());
$this->assertSame($originalResponse, $response); $this->assertSame($originalResponse, $response);
$headers = $response->getHeaders(); $headers = $response->getHeaders();
$this->assertArrayNotHasKey('Access-Control-Allow-Origin', $headers); $this->assertArrayNotHasKey('Access-Control-Allow-Origin', $headers);
$this->assertArrayNotHasKey('Access-Control-Expose-Headers', $headers);
$this->assertArrayNotHasKey('Access-Control-Allow-Methods', $headers);
$this->assertArrayNotHasKey('Access-Control-Max-Age', $headers);
$this->assertArrayNotHasKey('Access-Control-Allow-Headers', $headers); $this->assertArrayNotHasKey('Access-Control-Allow-Headers', $headers);
} }
/** @test */ /** @test */
public function anyRequestIncludesTheAllowAccessHeader() public function anyRequestIncludesTheAllowAccessHeader(): void
{ {
$originalResponse = new Response(); $originalResponse = new Response();
$this->delegate->handle(Argument::any())->willReturn($originalResponse)->shouldBeCalledOnce(); $this->handler->handle(Argument::any())->willReturn($originalResponse)->shouldBeCalledOnce();
$response = $this->middleware->process( $response = $this->middleware->process(
(new ServerRequest())->withHeader('Origin', 'local'), (new ServerRequest())->withHeader('Origin', 'local'),
$this->delegate->reveal() $this->handler->reveal()
); );
$this->assertNotSame($originalResponse, $response); $this->assertNotSame($originalResponse, $response);
$headers = $response->getHeaders(); $headers = $response->getHeaders();
$this->assertArrayHasKey('Access-Control-Allow-Origin', $headers); $this->assertArrayHasKey('Access-Control-Allow-Origin', $headers);
$this->assertArrayHasKey('Access-Control-Expose-Headers', $headers);
$this->assertArrayNotHasKey('Access-Control-Allow-Methods', $headers);
$this->assertArrayNotHasKey('Access-Control-Max-Age', $headers);
$this->assertArrayNotHasKey('Access-Control-Allow-Headers', $headers); $this->assertArrayNotHasKey('Access-Control-Allow-Headers', $headers);
} }
/** @test */ /** @test */
public function optionsRequestIncludesMoreHeaders() public function optionsRequestIncludesMoreHeaders(): void
{ {
$originalResponse = new Response(); $originalResponse = new Response();
$request = (new ServerRequest())->withMethod('OPTIONS')->withHeader('Origin', 'local'); $request = (new ServerRequest())->withMethod('OPTIONS')->withHeader('Origin', 'local');
$this->delegate->handle(Argument::any())->willReturn($originalResponse)->shouldBeCalledOnce(); $this->handler->handle(Argument::any())->willReturn($originalResponse)->shouldBeCalledOnce();
$response = $this->middleware->process($request, $this->delegate->reveal()); $response = $this->middleware->process($request, $this->handler->reveal());
$this->assertNotSame($originalResponse, $response); $this->assertNotSame($originalResponse, $response);
$headers = $response->getHeaders(); $headers = $response->getHeaders();
$this->assertArrayHasKey('Access-Control-Allow-Origin', $headers); $this->assertArrayHasKey('Access-Control-Allow-Origin', $headers);
$this->assertArrayHasKey('Access-Control-Expose-Headers', $headers);
$this->assertArrayHasKey('Access-Control-Allow-Methods', $headers);
$this->assertArrayHasKey('Access-Control-Max-Age', $headers);
$this->assertArrayHasKey('Access-Control-Allow-Headers', $headers); $this->assertArrayHasKey('Access-Control-Allow-Headers', $headers);
} }
/**
* @test
* @dataProvider provideRouteResults
*/
public function optionsRequestParsesRouteMatchToDetermineAllowedMethods(
?RouteResult $result,
string $expectedAllowedMethods
): void {
$originalResponse = new Response();
$request = (new ServerRequest())->withAttribute(RouteResult::class, $result)
->withMethod('OPTIONS')
->withHeader('Origin', 'local');
$this->handler->handle(Argument::any())->willReturn($originalResponse)->shouldBeCalledOnce();
$response = $this->middleware->process($request, $this->handler->reveal());
$this->assertEquals($response->getHeaderLine('Access-Control-Allow-Methods'), $expectedAllowedMethods);
}
public function provideRouteResults(): iterable
{
yield 'with no route result' => [null, 'GET,POST,PUT,PATCH,DELETE,OPTIONS'];
yield 'with failed route result' => [RouteResult::fromRouteFailure(['POST', 'GET']), 'POST,GET'];
yield 'with success route result' => [
RouteResult::fromRoute(
new Route('/', middleware(function () {
}), ['DELETE', 'PATCH', 'PUT'])
),
'DELETE,PATCH,PUT',
];
}
} }