Allow CORS #2

Closed
barbosaigor opened this issue Nov 20, 2019 · 2 comments

@barbosaigor

Hey there, could anyone tell me how to allow cors in my app? I am using the water pipe, but I have not found how to address it.

@na2axl
Member

na2axl commented Nov 21, 2019

Hi @barbosaigor, and thank you for using WaterPipe.

There are many ways for you to achieve this. But the best way for me is to use a middleware-route to fill CORS HTTP headers when executing your request.

To achieve this you have to:

  1. Update WP to the latest release (I've just published an upgrade today)
  2. In your pipes, locate the one you want to allow CORS on, and transform it into a Route like this:
```php
// Our Route class handling access to CORS-enabled public resources
// Note that this Route implements IRouteMiddleware
class ResourceRoute extends Route implements IRouteMiddleware
{
    public function __construct()
    {
        // Here we define the route URI
        parent::__construct("/public-data/:domain/:id");
    }

    // We implement this method from IRouteMiddleware interface
    public function beforeExecute()
    {
        // Here we fill all required HTTP headers to enable CORS on this route.
        // It's up to you to define exactly what you want here, this is only for illustration.
        $header = $this->_response->getHeader();
        $header->setField("Access-Control-Allow-Origin", "http://{$this->_request->uri['domain']}");
        $header->setField("Access-Control-Allow-Credentials", "true");
        $header->setField("Access-Control-Max-Age", "86400");
        $this->_response->setHeader($header);
        // Note that here we send ONLY headers
        $this->_response->sendHeaders();
    }

    // We implement this method from IRouteMiddleware interface
    public function beforeSend()
    {
        // For this example, there is nothing to do here...
    }

    // We implement this method from Route class
    public function get()
    {
        // Just send a text as the response
        $this->_response->sendText("Resource " . $this->_request->uri['id']);
    }

    // We implement this method from Route class
    public function post()
    {
        $this->_response->sendJson([
            "success" => true
        ]);
    }

    // We implement this method from Route class
    public function options()
    {
        // Here you can send to the client required headers for a CORS preflighted request:
        $header = $this->_response->getHeader();
        $header->setField("Access-Control-Allow-Methods", "GET, POST, DELETE");
        $header->setField("Access-Control-Allow-Headers", "Content-Type, X-Resource-Signature, X-Access-Timestamp");
        $header->setContentType("text/plain");
        $header->setContentLength(0);
        $header->setContentEncoding("gzip");
        $this->_response->setHeader($header);
        // Again, just send headers here, the OPTIONS HTTP method doesn't want a body
        $this->_response->sendHeaders();
    }
}

$wp = new \ElementaryFramework\WaterPipe\WaterPipe();

$wp->use(new ResourceRoute());

// You can define other pipes and sub-pipes

$wp->run();
```

With this example, access to a URI like http://yourdomain.com/public-data/domain1.net/resource-423 will only be allowed for requests with origin http://domain1.net. The same rule applies for a URI like http://yourdomain.com/public-data/another-domain.io/resource-423. Even if these two domains share the same resource (resource-423), domain1.net can't access this through http://yourdomain.com/public-data/another-domain.io/resource-423.

Feel free to close this issue if this comment solves your problem.

Please consider that WaterPipe is a low-level library, so high-level things like CORS, OAuth and more must be implemented by the user.
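
An added example, not part of na2axl's comment or of WaterPipe: in the route above the `Access-Control-Allow-Origin` value comes from the `:domain` path segment, which the caller chooses, so a stricter variant checks the request's `Origin` header against a fixed allowlist before sending any credentialed CORS header. `corsHeadersFor` and `ALLOWED_ORIGINS` are hypothetical names, and the listed origins and sample requests are constructed.

```php
<?php
declare(strict_types=1);

// Constructed allowlist for illustration: exact origins (scheme + host [+ port]).
const ALLOWED_ORIGINS = [
    'https://domain1.net',
    'https://another-domain.io',
];

/**
 * Build the CORS response headers for one request (hypothetical helper).
 *
 * @param string|null $origin    Value of the request's Origin header, null if absent
 * @param string      $method    HTTP request method
 * @param string[]    $allowlist Origins that may read the response
 * @return array<string,string>  Header name => value
 */
function corsHeadersFor(?string $origin, string $method, array $allowlist = ALLOWED_ORIGINS): array
{
    // The answer depends on Origin, so shared caches must key on it,
    // including for responses that carry no CORS headers.
    $headers = ['Vary' => 'Origin'];

    // Exact string match only: no prefix, suffix or regex matching,
    // so "https://domain1.net.example" and "null" never pass.
    if ($origin === null || !in_array($origin, $allowlist, true)) {
        return $headers;
    }

    // Echo the allowlisted entry; with credentials enabled "*" is not permitted.
    $headers['Access-Control-Allow-Origin'] = $origin;
    $headers['Access-Control-Allow-Credentials'] = 'true';

    if (strtoupper($method) === 'OPTIONS') {
        // Preflight-only headers, using the values from the route above.
        $headers['Access-Control-Allow-Methods'] = 'GET, POST, DELETE';
        $headers['Access-Control-Allow-Headers'] = 'Content-Type, X-Resource-Signature, X-Access-Timestamp';
        $headers['Access-Control-Max-Age'] = '86400';
    }
    return $headers;
}

// Constructed sample requests: allowlisted preflight, unlisted origin, no Origin header.
foreach ([['https://domain1.net', 'OPTIONS'], ['https://unlisted.example', 'GET'], [null, 'GET']] as [$o, $m]) {
    echo ($o ?? '(no Origin)') . " $m\n";
    foreach (corsHeadersFor($o, $m) as $name => $value) {
        echo "  $name: $value\n";
    }
}
```

In the route above, `beforeExecute()` could pass `$_SERVER['HTTP_ORIGIN'] ?? null` and `$_SERVER['REQUEST_METHOD']` to this helper and copy each returned pair into `$header->setField()`.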

@na2axl added the help wanted, question, and good first issue labels Nov 21, 2019
@barbosaigor
Author

Solved, thank you!!

@na2axl pinned this issue Nov 21, 2019