Merge pull request #318 from binaryfire/fix-cors-vary-header-bug

albertcht · web-flow · commit 6b0ff18b55c3 · 2026-01-02T20:00:45.000+09:00
fix: `Cors::varyHeader` bug with multiple Vary headers
diff --git a/src/http/src/Cors.php b/src/http/src/Cors.php
@@ -290,11 +290,7 @@ public function varyHeader(ResponseInterface $response, string $header): Respons
         } else {
             $varyHeaders = $response->getHeader('Vary');
             if (! in_array($header, $varyHeaders, true)) {
-                if (count($varyHeaders) === 1) {
-                    $response = $response->withHeader('Vary', ((string) $varyHeaders[0]) . ', ' . $header);
-                } else {
-                    $response->withHeader($header, false);
-                }
+                $response = $response->withHeader('Vary', implode(', ', $varyHeaders) . ', ' . $header);
             }
         }
 
diff --git a/tests/Http/CorsTest.php b/tests/Http/CorsTest.php
@@ -4,6 +4,7 @@
 
 namespace Hypervel\Tests\Http;
 
+use Hyperf\HttpMessage\Base\Response;
 use Hypervel\Http\Cors;
 use PHPUnit\Framework\TestCase;
 use ReflectionClass;
@@ -247,4 +248,60 @@ private function getOptionsFromService(Cors $service): array
         /** @var CorsNormalizedOptions $options */
         return $options;
     }
+
+    public function testVaryHeaderAddsHeaderWhenNoneExists(): void
+    {
+        $cors = new Cors();
+        $response = new Response();
+
+        $result = $cors->varyHeader($response, 'Origin');
+
+        $this->assertSame(['Origin'], $result->getHeader('Vary'));
+    }
+
+    public function testVaryHeaderAppendsToExistingSingleHeader(): void
+    {
+        $cors = new Cors();
+        $response = (new Response())->withHeader('Vary', 'Accept-Encoding');
+
+        $result = $cors->varyHeader($response, 'Origin');
+
+        $this->assertSame(['Accept-Encoding, Origin'], $result->getHeader('Vary'));
+    }
+
+    public function testVaryHeaderDoesNotDuplicateExistingHeader(): void
+    {
+        $cors = new Cors();
+        $response = (new Response())->withHeader('Vary', 'Origin');
+
+        $result = $cors->varyHeader($response, 'Origin');
+
+        $this->assertSame(['Origin'], $result->getHeader('Vary'));
+    }
+
+    public function testVaryHeaderHandlesMultipleExistingHeaders(): void
+    {
+        $cors = new Cors();
+        // PSR-7 allows multiple header values as array elements
+        $response = (new Response())
+            ->withHeader('Vary', 'Accept-Encoding')
+            ->withAddedHeader('Vary', 'Accept-Language');
+
+        $result = $cors->varyHeader($response, 'Origin');
+
+        $this->assertSame(['Accept-Encoding, Accept-Language, Origin'], $result->getHeader('Vary'));
+    }
+
+    public function testVaryHeaderDoesNotDuplicateWhenInMultipleHeaders(): void
+    {
+        $cors = new Cors();
+        $response = (new Response())
+            ->withHeader('Vary', 'Accept-Encoding')
+            ->withAddedHeader('Vary', 'Origin');
+
+        $result = $cors->varyHeader($response, 'Origin');
+
+        // Should not add Origin again since it's already present
+        $this->assertSame(['Accept-Encoding', 'Origin'], $result->getHeader('Vary'));
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -290,11 +290,7 @@ public function varyHeader(ResponseInterface $response, string $header): Respons`
`290`	`290`	`} else {`
`291`	`291`	`$varyHeaders = $response->getHeader('Vary');`
`292`	`292`	`if (! in_array($header, $varyHeaders, true)) {`
`293`		`- if (count($varyHeaders) === 1) {`
`294`		`- $response = $response->withHeader('Vary', ((string) $varyHeaders[0]) . ', ' . $header);`
`295`		`- } else {`
`296`		`- $response->withHeader($header, false);`
`297`		`- }`
	`293`	`+ $response = $response->withHeader('Vary', implode(', ', $varyHeaders) . ', ' . $header);`
`298`	`294`	`}`
`299`	`295`	`}`
`300`	`296`