vendor/can/rest/src/Can/RestBundle/EventListener/PreFlightRequestListener.php line 50

Open in your IDE?
  1. <?php
  3. namespace Can\RestBundle\EventListener;
  5. use Can\RestBundle\CanRestBundle;
  6. use Can\RestBundle\Cors\CorsConfiguration;
  7. use Can\RestBundle\Cors\CorsConfigurationFactory;
  8. use Can\RestBundle\Cors\CorsHeader;
  9. use Can\RestBundle\Cors\CorsUtil;
  10. use Can\RestBundle\Cors\Matcher\ChainMatcher;
  11. use Can\RestBundle\Cors\OriginMatcherInterface;
  13. use Symfony\Component\EventDispatcher\EventDispatcherInterface;
  14. use Symfony\Component\HttpFoundation\Request;
  15. use Symfony\Component\HttpFoundation\Response;
  16. use Symfony\Component\HttpKernel\Event\RequestEvent;
  18. /**
  19.  * Handles pre-flighted requests.
  20.  *
  21.  * @group cors
  22.  *
  23.  * @package can/rest-bundle
  24.  * @author lechecacharro <lechecacharro@gmail.com>
  25.  */
  26. class PreFlightRequestListener extends CorsListener
  27. {
  29.     /**
  30.      * @var EventDispatcherInterface
  31.      */
  32.     private $dispatcher;
  34.     /**
  35.      * PreFlightRequestListener constructor.
  36.      *
  37.      * @param CorsConfigurationFactory       $factory
  38.      * @param EventDispatcherInterface $dispatcher
  39.      */
  40.     public function __construct(CorsConfigurationFactory $factoryEventDispatcherInterface $dispatcher)
  41.     {
  42.         parent::__construct($factory);
  44.         $this->dispatcher $dispatcher;
  45.     }
  47.     /**
  48.      * @param RequestEvent $event
  49.      */
  50.     public function onRequest(RequestEvent $event): void
  51.     {
  52.         if (! $event->isMasterRequest()) {
  53.             return;
  54.         }
  56.         $request $event->getRequest();
  57.         $configuration $this->getConfiguration($request);
  59.         if (! $configuration->isEnabled()) {
  60.             return;
  61.         }
  63.         // Skip if not a CORS request -- this includes requests not
  64.         // specifying an "Origin" header
  65.         if (! CorsUtil::isCrossOrigin($request)) {
  66.             return;
  67.         }
  69.         $request->attributes->set(CanRestBundle::ATTR_CORS_ALLOWEDtrue);
  70.         $request->attributes->set(CanRestBundle::ATTR_CORS_XORIGINtrue);
  72.         // If the "force_allow_origin" option is set, then add a listener
  73.         // which will set or override the "Access-Control-Allow-Origin" header
  74.         if (! empty($configuration->getForceAllowOrigin())) {
  75.             $this->dispatcher->addListener('kernel.response', [CorsForceAllowOriginListener::class, 'onResponse'], -1);
  76.         }
  78.         // Pre-flight checks
  79.         if (CorsUtil::isPreFlight($request)) {
  80.             $preflightResponse $this->getPreFlightResponse($request$configuration);
  81.             $event->setResponse($preflightResponse);
  83.             return;
  84.         }
  86.         if (! $this->isAllowedOrigin($request$configuration)) {
  87.             $request->attributes->set(CanRestBundle::ATTR_CORS_ALLOWEDfalse);
  89.             return;
  90.         }
  91.     }
  94.     /**
  95.      * @param CorsConfiguration $configuration
  96.      *
  97.      * @return OriginMatcherInterface
  98.      */
  99.     private function createOriginMatcher(CorsConfiguration $configuration): OriginMatcherInterface
  100.     {
  101.         return ChainMatcher::create($configuration->getAllowOrigins());
  102.     }
  104.     /**
  105.      * @param Request     $request
  106.      * @param CorsConfiguration $configuration
  107.      *
  108.      * @return bool
  109.      */
  110.     private function isAllowedOrigin(Request $requestCorsConfiguration $configuration): bool
  111.     {
  112.         $origin $request->headers->get('Origin');
  114.         return $this->createOriginMatcher($configuration)->matches($origin);
  115.     }
  117.     /**
  118.      * @param Request     $request
  119.      * @param CorsConfiguration $configuration
  120.      *
  121.      * @return Response
  122.      */
  123.     private function getPreFlightResponse(Request $requestCorsConfiguration $configuration): Response
  124.     {
  125.         $response = new Response();
  127.         if ($configuration->isAllowCredentials()) {
  128.             $response->headers->set(CorsHeader::ACCESS_CONTROL_ALLOW_CREDENTIALS'true');
  129.         }
  131.         if ($configuration->getAllowMethods()) {
  132.             $response->headers->set(CorsHeader::ACCESS_CONTROL_ALLOW_METHODSimplode(', '$configuration->getAllowMethods()));
  133.         }
  135.         if (count($configuration->getAllowHeaders())) {
  136.             if ($configuration->isAllHeadersAllowed()) {
  137.                 $headers $request->headers->get(CorsHeader::ACCESS_CONTROL_REQUEST_HEADERS);
  138.             } else {
  139.                 $headers implode(', '$configuration->getAllowHeaders());
  140.             }
  142.             if ($headers) {
  143.                 $response->headers->set(CorsHeader::ACCESS_CONTROL_ALLOW_HEADERS$headers);
  144.             }
  145.         }
  147.         if ($configuration->getMaxAge()) {
  148.             $response->headers->set(CorsHeader::ACCESS_CONTROL_MAX_AGE$configuration->getMaxAge());
  149.         }
  151.         if (! $this->isAllowedOrigin($request$configuration)) {
  152.             $response->headers->set(CorsHeader::ACCESS_CONTROL_ALLOW_ORIGIN'null');
  154.             return $response;
  155.         }
  157.         $response->headers->set(CorsHeader::ACCESS_CONTROL_ALLOW_ORIGIN$request->headers->get('Origin'));
  158.         $method $request->headers->get(CorsHeader::ACCESS_CONTROL_REQUEST_METHOD);
  160.         // If the method is not allowed, then use the HTTP response code
  161.         // 405 ("Method Not Allowed")
  162.         if (! $configuration->isMethodAllowed($method)) {
  163.             $response->setStatusCode(405);
  165.             return $response;
  166.         }
  168.         // We have to allow the header in the case-set as we received it by
  169.         // the client. Firefox e.g. sends the LINK method as "Link", and we
  170.         // have to allow it like this or the browser will deny the request
  171.         if (! in_array($method$configuration->getAllowMethods(), true)) {
  172.             $configuration->allowMethod($method);
  173.             $response->headers->set(CorsHeader::ACCESS_CONTROL_ALLOW_METHODSimplode(', '$configuration->getAllowMethods()));
  174.         }
  176.         // Check request headers
  177.         $headers $request->headers->get(CorsHeader::ACCESS_CONTROL_REQUEST_HEADERS);
  179.         if ($configuration->isAllHeadersAllowed() && $headers) {
  180.             $headers trim(strtolower($headers));
  182.             foreach (preg_split('/, */'$headers) as $header) {
  183.                 if (CorsUtil::isSimpleRequestHeader($header)) {
  184.                     continue;
  185.                 }
  187.                 // If the header is not allowed, then use the HTTP response
  188.                 // code 400 ("Bad Request")
  189.                 if (! $configuration->isHeaderAllowed($header)) {
  190.                     $response->setStatusCode(400);
  191.                     $response->setContent('Unauthorized header '$header);
  193.                     break;
  194.                 }
  195.             }
  196.         }
  198.         return $response;
  199.     }
  200. }