Handle OPTIONS cacheable (#74)

* Handle OPTIONS cacheable

* Refactor options

* Avoid duplicate headers

Author: barryvdh

src/Cors.php

@@ -45,8 +45,16 @@ public function __construct(HttpKernelInterface $app, array $options = array())
 
     public function handle(Request $request, $type = HttpKernelInterface::MASTER_REQUEST, $catch = true)
     {
-        if ($this->cors->isPreflightRequest($request)) {
-            return $this->cors->handlePreflightRequest($request);
+        if ($request->getMethod() === 'OPTIONS') {
+            if ($this->cors->isPreflightRequest($request)) {
+                $response = $this->cors->handlePreflightRequest($request);
+            } else {
+                $response = $this->app->handle($request, $type, $catch);
+            }
+
+            $this->cors->varyHeader($response, 'Access-Control-Request-Method');
+
+            return $response;
         }
 
         $response = $this->app->handle($request, $type, $catch);

src/CorsService.php

@@ -69,9 +69,7 @@ public function isCorsRequest(Request $request)
 
     public function isPreflightRequest(Request $request)
     {
-        return $this->isCorsRequest($request)
-            && $request->getMethod() === 'OPTIONS'
-            && $request->headers->has('Access-Control-Request-Method');
+        return $request->getMethod() === 'OPTIONS' && $request->headers->has('Access-Control-Request-Method');
     }
 
     public function handlePreflightRequest(Request $request)
@@ -213,11 +211,11 @@ private function configureMaxAge(Response $response, Request $request)
         }
     }
 
-    private function varyHeader(Response $response, $header)
+    public function varyHeader(Response $response, $header)
     {
         if (!$response->headers->has('Vary')) {
             $response->headers->set('Vary', $header);
-        } else {
+        } elseif (!in_array($header, explode(', ', $response->headers->get('Vary')))) {
             $response->headers->set('Vary', $response->headers->get('Vary') . ', ' . $header);
         }
     }

tests/CorsTest.php

@@ -105,7 +105,7 @@ public function it_returns_allow_headers_header_on_allow_all_headers_request_cre
 
         $this->assertEquals(204, $response->getStatusCode());
         $this->assertEquals('Foo, BAR', $response->headers->get('Access-Control-Allow-Headers'));
-        $this->assertEquals('Access-Control-Request-Headers', $response->headers->get('Vary'));
+        $this->assertStringContainsString('Access-Control-Request-Headers', $response->headers->get('Vary'));
     }
 
     /**
@@ -304,6 +304,20 @@ public function it_returns_access_control_headers_on_cors_request_with_pattern_o
         $this->assertEquals('Origin', $response->headers->get('Vary'));
     }
 
+    /**
+     * @test
+     */
+    public function it_adds_vary_headers_on_preflight_non_preflight_options()
+    {
+        $app      = $this->createStackedApp();
+        $request  = new Request();
+        $request->setMethod('OPTIONS');
+
+        $response = $app->handle($request);
+
+        $this->assertEquals('Access-Control-Request-Method', $response->headers->get('Vary'));
+    }
+
     /**
      * @test
      */
@@ -316,6 +330,7 @@ public function it_returns_access_control_headers_on_valid_preflight_request()
 
         $this->assertTrue($response->headers->has('Access-Control-Allow-Origin'));
         $this->assertEquals('http://localhost', $response->headers->get('Access-Control-Allow-Origin'));
+        $this->assertEquals('Access-Control-Request-Method', $response->headers->get('Vary'));
     }
 
     /**