Make responses cacheable by only using dynamic origins when required (#70)

barryvdh · web-flow · commit 561a5ee2a9b6 · 2020-04-18T14:48:48.000+02:00
Refactor Vary headers, don't throw an error in the application, let CORS handle it. Use static headers when possible
diff --git a/src/Asm89/Stack/Cors.php b/src/Asm89/Stack/Cors.php
@@ -53,10 +53,6 @@ public function handle(Request $request, $type = HttpKernelInterface::MASTER_REQ
             return $this->cors->handlePreflightRequest($request);
         }
 
-        if (!$this->cors->isActualRequestAllowed($request)) {
-            return new Response('Not allowed.', 403);
-        }
-
         $response = $this->app->handle($request, $type, $catch);
 
         return $this->cors->addActualRequestHeaders($response, $request);
diff --git a/src/Asm89/Stack/CorsService.php b/src/Asm89/Stack/CorsService.php
@@ -11,7 +11,6 @@
 
 namespace Asm89\Stack;
 
-use Symfony\Component\HttpKernel\HttpKernelInterface;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 
@@ -55,9 +54,12 @@ private function normalizeOptions(array $options = array())
         return $options;
     }
 
+    /**
+     * @deprecated use isOriginAllowed
+     */
     public function isActualRequestAllowed(Request $request)
     {
-        return $this->checkOrigin($request);
+        return $this->isOriginAllowed($request);
     }
 
     public function isCorsRequest(Request $request)
@@ -72,134 +74,156 @@ public function isPreflightRequest(Request $request)
             && $request->headers->has('Access-Control-Request-Method');
     }
 
-    public function addActualRequestHeaders(Response $response, Request $request)
+    public function handlePreflightRequest(Request $request)
     {
-        if (!$this->checkOrigin($request)) {
-            return $response;
-        }
+        $response = new Response();
 
-        $response->headers->set('Access-Control-Allow-Origin', $request->headers->get('Origin'));
+        $response->setStatusCode(204);
 
-        if (!$response->headers->has('Vary')) {
-            $response->headers->set('Vary', 'Origin');
-        } else {
-            $response->headers->set('Vary', $response->headers->get('Vary') . ', Origin');
-        }
+        return $this->addPreflightRequestHeaders($response, $request);
+    }
 
-        if ($this->options['supportsCredentials']) {
-            $response->headers->set('Access-Control-Allow-Credentials', 'true');
-        }
+    public function addPreflightRequestHeaders(Response $response, Request $request)
+    {
+        $this->configureAllowedOrigin($response, $request);
 
-        if ($this->options['exposedHeaders']) {
-            $response->headers->set('Access-Control-Expose-Headers', implode(', ', $this->options['exposedHeaders']));
-        }
+        $this->configureAllowCredentials($response, $request);
+
+        $this->configureAllowedMethods($response, $request);
+
+        $this->configureAllowedHeaders($response, $request);
+
+        $this->configureMaxAge($response, $request);
 
         return $response;
     }
 
-    public function handlePreflightRequest(Request $request)
+    public function isOriginAllowed(Request $request)
     {
-        if (true !== $check = $this->checkPreflightRequestConditions($request)) {
-            return $check;
+        if ($this->options['allowedOrigins'] === true) {
+            return true;
         }
 
-        return $this->buildPreflightCheckResponse($request);
-    }
+        if (!$request->headers->has('Origin')) {
+            return false;
+        }
 
-    private function buildPreflightCheckResponse(Request $request)
-    {
-        $response = new Response();
+        $origin = $request->headers->get('Origin');
 
-        if ($this->options['supportsCredentials']) {
-            $response->headers->set('Access-Control-Allow-Credentials', 'true');
+        if (in_array($origin, $this->options['allowedOrigins'])) {
+            return true;
         }
 
-        $response->headers->set('Access-Control-Allow-Origin', $request->headers->get('Origin'));
-
-        if ($this->options['maxAge'] !== null) {
-            $response->headers->set('Access-Control-Max-Age', $this->options['maxAge']);
+        foreach ($this->options['allowedOriginsPatterns'] as $pattern) {
+            if (preg_match($pattern, $origin)) {
+                return true;
+            }
         }
 
-        $allowMethods = $this->options['allowedMethods'] === true
-            ? strtoupper($request->headers->get('Access-Control-Request-Method'))
-            : implode(', ', $this->options['allowedMethods']);
-        $response->headers->set('Access-Control-Allow-Methods', $allowMethods);
+        return false;
+    }
 
-        $allowHeaders = $this->options['allowedHeaders'] === true
-            ? strtoupper($request->headers->get('Access-Control-Request-Headers'))
-            : implode(', ', $this->options['allowedHeaders']);
-        $response->headers->set('Access-Control-Allow-Headers', $allowHeaders);
+    public function addActualRequestHeaders(Response $response, Request $request)
+    {
+        $this->configureAllowedOrigin($response, $request);
 
-        $response->setStatusCode(204);
+        $this->configureAllowCredentials($response, $request);
+
+        $this->configureExposedHeaders($response, $request);
 
         return $response;
     }
 
-    private function checkPreflightRequestConditions(Request $request)
+    private function configureAllowedOrigin(Response $response, Request $request)
     {
-        if (!$this->checkOrigin($request)) {
-            return $this->createBadRequestResponse(403, 'Origin not allowed');
+        if ($this->options['allowedOrigins'] === true && !$this->options['supportsCredentials']) {
+            // Safe+cacheable, allow everything
+            $response->headers->set('Access-Control-Allow-Origin', '*');
+        } elseif ($this->isSingleOriginAllowed()) {
+            // Single origins can be safely set
+            $response->headers->set('Access-Control-Allow-Origin', array_values($this->options['allowedOrigins'])[0]);
+        } else {
+            // For dynamic headers, check the origin first
+            if ($this->isOriginAllowed($request)) {
+                $response->headers->set('Access-Control-Allow-Origin', $request->headers->get('Origin'));
+            }
+
+            $this->varyHeader($response, 'Origin');
         }
+    }
 
-        if (!$this->checkMethod($request)) {
-            return $this->createBadRequestResponse(405, 'Method not allowed');
+    private function isSingleOriginAllowed()
+    {
+        if ($this->options['allowedOrigins'] === true || !empty($this->options['allowedOriginsPatterns'])) {
+            return false;
         }
 
-        $requestHeaders = array();
-        // if allowedHeaders has been set to true ('*' allow all flag) just skip this check
-        if ($this->options['allowedHeaders'] !== true && $request->headers->has('Access-Control-Request-Headers')) {
-            $headers        = strtolower($request->headers->get('Access-Control-Request-Headers'));
-            $requestHeaders = array_filter(explode(',', $headers));
+        return count($this->options['allowedOrigins']) === 1;
+    }
 
-            foreach ($requestHeaders as $header) {
-                if (!in_array(trim($header), $this->options['allowedHeaders'])) {
-                    return $this->createBadRequestResponse(403, 'Header not allowed');
-                }
+    private function configureAllowedMethods(Response $response, Request $request)
+    {
+        if ($this->options['allowedMethods'] === true) {
+            if ($this->options['supportsCredentials']) {
+                $allowMethods = strtoupper($request->headers->get('Access-Control-Request-Method'));
+                $this->varyHeader($response, 'Access-Control-Request-Method');
+            } else {
+                $allowMethods = '*';
             }
+        } else {
+            $allowMethods = implode(', ', $this->options['allowedMethods']);
         }
 
-        return true;
+        $response->headers->set('Access-Control-Allow-Methods', $allowMethods);
     }
 
-    private function createBadRequestResponse($code, $reason = '')
+    private function configureAllowedHeaders(Response $response, Request $request)
     {
-        return new Response($reason, $code);
+        if ($this->options['allowedHeaders'] === true) {
+            if ($this->options['supportsCredentials']) {
+                $allowHeaders = strtoupper($request->headers->get('Access-Control-Request-Headers'));
+                $this->varyHeader($response, 'Access-Control-Request-Headers');
+            } else {
+                $allowHeaders = '*';
+            }
+        } else {
+            $allowHeaders = implode(', ', $this->options['allowedHeaders']);
+        }
+        $response->headers->set('Access-Control-Allow-Headers', $allowHeaders);
     }
 
-    private function isSameHost(Request $request)
+    private function configureAllowCredentials(Response $response, Request $request)
     {
-        return $request->headers->get('Origin') === $request->getSchemeAndHttpHost();
+        if ($this->options['supportsCredentials']) {
+            $response->headers->set('Access-Control-Allow-Credentials', 'true');
+        }
     }
 
-    private function checkOrigin(Request $request)
+    private function configureExposedHeaders(Response $response, Request $request)
     {
-        if ($this->options['allowedOrigins'] === true) {
-            // allow all '*' flag
-            return true;
-        }
-        $origin = $request->headers->get('Origin');
-
-        if (in_array($origin, $this->options['allowedOrigins'])) {
-            return true;
+        if ($this->options['exposedHeaders']) {
+            $response->headers->set('Access-Control-Expose-Headers', implode(', ', $this->options['exposedHeaders']));
         }
+    }
 
-        foreach ($this->options['allowedOriginsPatterns'] as $pattern) {
-            if (preg_match($pattern, $origin)) {
-                return true;
-            }
+    private function configureMaxAge(Response $response, Request $request)
+    {
+        if ($this->options['maxAge'] !== null) {
+            $response->headers->set('Access-Control-Max-Age', (int) $this->options['maxAge']);
         }
-
-        return false;
     }
 
-    private function checkMethod(Request $request)
+    private function varyHeader(Response $response, $header)
     {
-        if ($this->options['allowedMethods'] === true) {
-            // allow all '*' flag
-            return true;
+        if (!$response->headers->has('Vary')) {
+            $response->headers->set('Vary', $header);
+        } else {
+            $response->headers->set('Vary', $response->headers->get('Vary') . ', ' . $header);
         }
+    }
 
-        $requestMethod = strtoupper($request->headers->get('Access-Control-Request-Method'));
-        return in_array($requestMethod, $this->options['allowedMethods']);
+    private function isSameHost(Request $request)
+    {
+        return $request->headers->get('Origin') === $request->getSchemeAndHttpHost();
     }
 }
diff --git a/test/Asm89/Stack/CorsTest.php b/test/Asm89/Stack/CorsTest.php

Original file line number	Diff line number	Diff line change
`@@ -53,10 +53,6 @@ public function handle(Request $request, $type = HttpKernelInterface::MASTER_REQ`
`53`	`53`	`return $this->cors->handlePreflightRequest($request);`
`54`	`54`	`}`
`55`	`55`
`56`		`- if (!$this->cors->isActualRequestAllowed($request)) {`
`57`		`- return new Response('Not allowed.', 403);`
`58`		`- }`
`59`		`-`
`60`	`56`	`$response = $this->app->handle($request, $type, $catch);`
`61`	`57`
`62`	`58`	`return $this->cors->addActualRequestHeaders($response, $request);`