Merge pull request #293 from binaryfire/coroutine-safe-cors

improve: make `Cors` service overridable in HandleCors middleware

Author: albertcht

src/http/src/Middleware/HandleCors.php

@@ -26,9 +26,7 @@ public function __construct(
         protected RequestContract $request,
         protected Cors $cors,
     ) {
-        $this->cors->setOptions(
-            $this->config = $container->get(ConfigInterface::class)->get('cors', [])
-        );
+        $this->config = $container->get(ConfigInterface::class)->get('cors', []);
     }
 
     public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
@@ -37,9 +35,11 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
             return $handler->handle($request);
         }
 
-        if ($this->cors->isPreflightRequest($this->request)) {
-            $response = $this->cors->handlePreflightRequest($this->request);
-            return $this->cors->varyHeader($response, 'Access-Control-Request-Method');
+        $cors = $this->getCors();
+
+        if ($cors->isPreflightRequest($this->request)) {
+            $response = $cors->handlePreflightRequest($this->request);
+            return $cors->varyHeader($response, 'Access-Control-Request-Method');
         }
 
         try {
@@ -60,11 +60,13 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
      */
     protected function addRequestHeaders(ResponseInterface $response): ResponseInterface
     {
+        $cors = $this->getCors();
+
         if ($this->request->getMethod() === 'OPTIONS') {
-            $response = $this->cors->varyHeader($response, 'Access-Control-Request-Method');
+            $response = $cors->varyHeader($response, 'Access-Control-Request-Method');
         }
 
-        return $this->cors->addActualRequestHeaders($response, $this->request);
+        return $cors->addActualRequestHeaders($response, $this->request);
     }
 
     /**
@@ -101,4 +103,20 @@ protected function getPathsByHost(string $host): array
             return is_string($path);
         });
     }
+
+    /**
+     * Get the Cors service instance.
+     */
+    protected function getCors(): Cors
+    {
+        return new Cors($this->getCorsConfig());
+    }
+
+    /**
+     * Get the CORS configuration.
+     */
+    protected function getCorsConfig(): array
+    {
+        return $this->config;
+    }
 }

tests/Http/Middleware/HandleCorsTest.php

@@ -252,6 +252,24 @@ public function testValidationException()
         $this->assertEquals(422, $crawler->getStatusCode());
     }
 
+    public function testSubclassCanOverrideCorsConfig(): void
+    {
+        // Replace middleware with custom subclass that allows a different origin
+        $this->setGlobalMiddleware([
+            CustomHandleCors::class,
+        ]);
+
+        // Request with the custom origin (not in the base config)
+        $crawler = $this->options('api/ping', [], [
+            'Origin' => 'http://custom.example.com',
+            'Access-Control-Request-Method' => 'POST',
+        ]);
+
+        // The custom origin should be allowed because CustomHandleCors adds it
+        $this->assertSame('http://custom.example.com', $crawler->getHeaderLine('Access-Control-Allow-Origin'));
+        $this->assertEquals(204, $crawler->getStatusCode());
+    }
+
     protected function registerRoutes()
     {
         $router = $this->app->get(Router::class);
@@ -281,3 +299,19 @@ protected function registerRoutes()
         });
     }
 }
+
+/**
+ * Custom HandleCors subclass for testing the extension pattern.
+ */
+class CustomHandleCors extends HandleCors
+{
+    protected function getCorsConfig(): array
+    {
+        $config = parent::getCorsConfig();
+
+        // Add a custom allowed origin
+        $config['allowed_origins'][] = 'http://custom.example.com';
+
+        return $config;
+    }
+}