Always include Access-Control-Allow-Origin header in authn related endpoint responses

Author: cicnavi

src/Controllers/AccessTokenController.php

@@ -61,9 +61,16 @@ public function token(Request $request): Response
              * @psalm-suppress DeprecatedMethod Until we drop support for old public/*.php routes, we need to bridge
              * between PSR and Symfony HTTP messages.
              */
-            return $this->psrHttpBridge->getHttpFoundationFactory()->createResponse(
+            $response = $this->psrHttpBridge->getHttpFoundationFactory()->createResponse(
                 $this->__invoke($this->psrHttpBridge->getPsrHttpFactory()->createRequest($request)),
             );
+
+            // If not already handled, allow CORS (for JS clients).
+            if (!$response->headers->has('Access-Control-Allow-Origin')) {
+                $response->headers->set('Access-Control-Allow-Origin', '*');
+            }
+
+            return $response;
         } catch (OAuthServerException $exception) {
             return $this->errorResponder->forException($exception);
         }

src/Controllers/AuthorizationController.php

@@ -106,9 +106,16 @@ public function authorization(Request $request): Response
              * @psalm-suppress DeprecatedMethod Until we drop support for old public/*.php routes, we need to bridge
              * between PSR and Symfony HTTP messages.
              */
-            return $this->psrHttpBridge->getHttpFoundationFactory()->createResponse(
+            $response = $this->psrHttpBridge->getHttpFoundationFactory()->createResponse(
                 $this->__invoke($this->psrHttpBridge->getPsrHttpFactory()->createRequest($request)),
             );
+
+            // If not already handled, allow CORS (for JS clients).
+            if (!$response->headers->has('Access-Control-Allow-Origin')) {
+                $response->headers->set('Access-Control-Allow-Origin', '*');
+            }
+
+            return $response;
         } catch (OAuthServerException $exception) {
             return $this->errorResponder->forException($exception);
         }

src/Controllers/ConfigurationDiscoveryController.php

@@ -27,6 +27,9 @@ public function __construct(private readonly OpMetadataService $opMetadataServic
 
     public function __invoke(): JsonResponse
     {
-        return new JsonResponse($this->opMetadataService->getMetadata());
+        return new JsonResponse(
+            $this->opMetadataService->getMetadata(),
+            headers: ['Access-Control-Allow-Origin' => '*'],
+        );
     }
 }

src/Controllers/Federation/EntityStatementController.php

@@ -310,7 +310,10 @@ protected function prepareEntityStatementResponse(string $entityStatementToken):
         return $this->routes->newResponse(
             $entityStatementToken,
             200,
-            [HttpHeadersEnum::ContentType->value => ContentTypesEnum::ApplicationEntityStatementJwt->value,],
+            [
+                HttpHeadersEnum::ContentType->value => ContentTypesEnum::ApplicationEntityStatementJwt->value,
+                'Access-Control-Allow-Origin' => '*',
+            ],
         );
     }
 }

src/Controllers/Federation/SubordinateListingsController.php

@@ -63,6 +63,7 @@ function (ClientEntityInterface $clientEntity): ?string {
 
         return $this->routes->newJsonResponse(
             $subordinateEntityIdList,
+            headers: ['Access-Control-Allow-Origin' => '*'],
         );
     }
 }

src/Controllers/JwksController.php

@@ -38,6 +38,8 @@ public function __invoke(): JsonResponse
 
     public function jwks(): Response
     {
-        return $this->psrHttpBridge->getHttpFoundationFactory()->createResponse($this->__invoke());
+        $response = $this->psrHttpBridge->getHttpFoundationFactory()->createResponse($this->__invoke());
+        $response->headers->set('Access-Control-Allow-Origin', '*');
+        return $response;
     }
 }

src/Controllers/UserInfoController.php

@@ -92,9 +92,16 @@ public function userInfo(Request $request): Response
              * @psalm-suppress DeprecatedMethod Until we drop support for old public/*.php routes, we need to bridge
              * between PSR and Symfony HTTP messages.
              */
-            return $this->psrHttpBridge->getHttpFoundationFactory()->createResponse(
+            $response = $this->psrHttpBridge->getHttpFoundationFactory()->createResponse(
                 $this->__invoke($this->psrHttpBridge->getPsrHttpFactory()->createRequest($request)),
             );
+
+            // If not already handled, allow CORS (for JS clients).
+            if (!$response->headers->has('Access-Control-Allow-Origin')) {
+                $response->headers->set('Access-Control-Allow-Origin', '*');
+            }
+
+            return $response;
         } catch (OAuthServerException $exception) {
             return $this->errorResponder->forException($exception);
         }

tests/unit/src/Controllers/AccessTokenControllerTest.php

@@ -16,6 +16,9 @@
 use SimpleSAML\Module\oidc\Repositories\AllowedOriginRepository;
 use SimpleSAML\Module\oidc\Server\AuthorizationServer;
 use SimpleSAML\Module\oidc\Services\ErrorResponder;
+use Symfony\Bridge\PsrHttpMessage\Factory\HttpFoundationFactory;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\ResponseHeaderBag;
 
 /**
  * @covers \SimpleSAML\Module\oidc\Controllers\AccessTokenController
@@ -31,6 +34,14 @@ class AccessTokenControllerTest extends TestCase
     protected MockObject $requestFactoryMock;
     protected MockObject $responseFactoryMock;
 
+    protected MockObject $symfonyRequestMock;
+
+    protected MockObject $symfonyResponseMock;
+
+    protected MockObject $httpFoundationFactoryMock;
+
+    protected MockObject $responseHeaderBagMock;
+
 
     /**
      * @throws \Exception
@@ -47,6 +58,15 @@ protected function setUp(): void
         $this->responseFactoryMock = $this->createMock(ResponseFactoryInterface::class);
         $this->responseFactoryMock->method('createResponse')->willReturn($this->responseMock);
         $this->psrHttpBridgeMock->method('getResponseFactory')->willReturn($this->responseFactoryMock);
+
+        $this->symfonyRequestMock = $this->createMock(Request::class);
+        $this->symfonyResponseMock = $this->createMock(\Symfony\Component\HttpFoundation\Response::class);
+        $this->responseHeaderBagMock = $this->createMock(ResponseHeaderBag::class);
+        $this->symfonyResponseMock->headers = $this->responseHeaderBagMock;
+
+        $this->httpFoundationFactoryMock = $this->createMock(HttpFoundationFactory::class);
+        $this->httpFoundationFactoryMock->method('createResponse')->willReturn($this->symfonyResponseMock);
+        $this->psrHttpBridgeMock->method('getHttpFoundationFactory')->willReturn($this->httpFoundationFactoryMock);
     }
 
     protected function mock(): AccessTokenController
@@ -100,6 +120,20 @@ public function testItHandlesCorsRequest(): void
         $this->mock()->__invoke($this->serverRequestMock);
     }
 
+    public function testItAlwaysReturnsAccessControlAllowOrigin(): void
+    {
+        $this->authorizationServerMock
+            ->expects($this->once())
+            ->method('respondToAccessTokenRequest')
+            ->willReturn($this->responseMock);
+
+        $this->responseHeaderBagMock->expects($this->once())
+            ->method('set')
+            ->with('Access-Control-Allow-Origin', '*');
+
+        $this->mock()->token($this->symfonyRequestMock);
+    }
+
     public function testItUsesRequestTrait(): void
     {
         $this->assertContains(RequestTrait::class, class_uses(AccessTokenController::class));

tests/unit/src/Controllers/AuthorizationControllerTest.php

@@ -21,6 +21,9 @@
 use SimpleSAML\Module\oidc\Services\AuthenticationService;
 use SimpleSAML\Module\oidc\Services\ErrorResponder;
 use SimpleSAML\Module\oidc\Services\LoggerService;
+use Symfony\Bridge\PsrHttpMessage\Factory\HttpFoundationFactory;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\ResponseHeaderBag;
 
 /**
  * @covers \SimpleSAML\Module\oidc\Controllers\AuthorizationController
@@ -57,6 +60,11 @@ class AuthorizationControllerTest extends TestCase
 
     protected static array $sampleRequestedAcrs = ['values' => ['1', '0'], 'essential' => false];
 
+    protected MockObject $symfonyRequestMock;
+    protected MockObject $symfonyResponseMock;
+    protected MockObject $responseHeaderBagMock;
+    protected MockObject $httpFoundationFactoryMock;
+
     /**
      * @throws \Exception
      */
@@ -84,6 +92,15 @@ public function setUp(): void
             ],
             'authorizationRequest' => $this->authorizationRequestMock,
         ];
+
+        $this->symfonyRequestMock = $this->createMock(Request::class);
+        $this->symfonyResponseMock = $this->createMock(\Symfony\Component\HttpFoundation\Response::class);
+        $this->responseHeaderBagMock = $this->createMock(ResponseHeaderBag::class);
+        $this->symfonyResponseMock->headers = $this->responseHeaderBagMock;
+
+        $this->httpFoundationFactoryMock = $this->createMock(HttpFoundationFactory::class);
+        $this->httpFoundationFactoryMock->method('createResponse')->willReturn($this->symfonyResponseMock);
+        $this->psrHttpBridgeMock->method('getHttpFoundationFactory')->willReturn($this->httpFoundationFactoryMock);
     }
 
     public static function queryParameterValues(): array
@@ -98,6 +115,31 @@ public static function queryParameterValues(): array
         ];
     }
 
+    protected function mock(
+        ?AuthenticationService $authenticationService = null,
+        ?AuthorizationServer $authorizationServer = null,
+        ?ModuleConfig $moduleConfig = null,
+        ?LoggerService $loggerService = null,
+        ?PsrHttpBridge $psrHttpBridge = null,
+        ?ErrorResponder $errorResponder = null,
+    ): AuthorizationController {
+        $authenticationService ??= $this->authenticationServiceStub;
+        $authorizationServer ??= $this->authorizationServerStub;
+        $moduleConfig ??= $this->moduleConfigStub;
+        $loggerService ??= $this->loggerServiceMock;
+        $psrHttpBridge ??= $this->psrHttpBridgeMock;
+        $errorResponder ??= $this->errorResponderMock;
+
+        return new AuthorizationController(
+            $authenticationService,
+            $authorizationServer,
+            $moduleConfig,
+            $loggerService,
+            $psrHttpBridge,
+            $errorResponder,
+        );
+    }
+
     /**
      * @throws \SimpleSAML\Error\AuthSource
      * @throws \SimpleSAML\Error\BadRequest
@@ -128,6 +170,7 @@ public function testReturnsResponseWhenInvoked(array $queryParameters): void
             ->method('getAuthorizationRequestFromState')
             ->willReturn($this->authorizationRequestMock);
 
+        // TODO mivanci Move to mock() method.
         $controller = new AuthorizationController(
             $this->authenticationServiceStub,
             $this->authorizationServerStub,
@@ -486,4 +529,17 @@ public function testValidateAcrLogsWarningIfNoAcrsConfigured(): void
             $this->errorResponderMock,
         ))($this->serverRequestStub);
     }
+
+    public function testItAlwaysReturnsAccessControlAllowOrigin(): void
+    {
+        $this->authorizationServerStub
+            ->method('completeAuthorizationRequest')
+            ->willReturn($this->responseStub);
+
+        $this->responseHeaderBagMock->expects($this->once())
+            ->method('set')
+            ->with('Access-Control-Allow-Origin', '*');
+
+        $this->mock()->authorization($this->symfonyRequestMock);
+    }
 }

tests/unit/src/Controllers/ConfigurationDiscoveryControllerTest.php

@@ -30,38 +30,46 @@ class ConfigurationDiscoveryControllerTest extends TestCase
         'end_session_endpoint' => 'http://localhost/end-session',
     ];
 
-    protected MockObject $oidcOpenIdProviderMetadataServiceMock;
+    protected MockObject $opMetadataServiceMock;
     protected MockObject $serverRequestMock;
 
     /**
      * @throws \Exception
      */
     protected function setUp(): void
     {
-        $this->oidcOpenIdProviderMetadataServiceMock  = $this->createMock(OpMetadataService::class);
-        $this->oidcOpenIdProviderMetadataServiceMock->method('getMetadata')->willReturn(self::OIDC_OP_METADATA);
+        $this->opMetadataServiceMock  = $this->createMock(OpMetadataService::class);
+        $this->opMetadataServiceMock->method('getMetadata')->willReturn(self::OIDC_OP_METADATA);
 
         $this->serverRequestMock = $this->createMock(ServerRequest::class);
     }
 
+    protected function mock(
+        ?OpMetadataService $opMetadataService = null,
+    ): ConfigurationDiscoveryController {
+        $opMetadataService ??= $this->opMetadataServiceMock;
+
+        return new ConfigurationDiscoveryController($opMetadataService);
+    }
+
     public function testItIsInitializable(): void
     {
         $this->assertInstanceOf(
             ConfigurationDiscoveryController::class,
-            new ConfigurationDiscoveryController($this->oidcOpenIdProviderMetadataServiceMock),
+            $this->mock(),
         );
     }
 
-    protected function getStubbedInstance(): ConfigurationDiscoveryController
-    {
-        return new ConfigurationDiscoveryController($this->oidcOpenIdProviderMetadataServiceMock);
-    }
-
     public function testItReturnsOpenIdConnectConfiguration(): void
     {
         $this->assertSame(
-            json_decode($this->getStubbedInstance()->__invoke()->getContent(), true),
+            json_decode($this->mock()->__invoke()->getContent(), true),
             self::OIDC_OP_METADATA,
         );
     }
+
+    public function testItAlwaysReturnsAccessControlAllowOrigin(): void
+    {
+        $this->assertTrue($this->mock()->__invoke()->headers->has('Access-Control-Allow-Origin'),);
+    }
 }