diff --git a/composer.json b/composer.json index 7cacab0286e2..f17a7d464179 100644 --- a/composer.json +++ b/composer.json @@ -24,6 +24,7 @@ "laravel/serializable-closure": "^1.0", "league/commonmark": "^2.2", "league/flysystem": "^3.0", + "fruitcake/php-cors": "^1.2", "monolog/monolog": "^2.0", "nesbot/carbon": "^2.53.1", "psr/container": "^1.1.1|^2.0.1", diff --git a/src/Illuminate/Http/Middleware/HandleCors.php b/src/Illuminate/Http/Middleware/HandleCors.php new file mode 100644 index 000000000000..eee030511e39 --- /dev/null +++ b/src/Illuminate/Http/Middleware/HandleCors.php @@ -0,0 +1,112 @@ +container = $container; + $this->cors = $cors; + } + + /** + * Handle the incoming request. + * + * @param \Illuminate\Http\Request $request + * @param \Closure $next + * @return \Illuminate\Http\Response + */ + public function handle($request, Closure $next) + { + if (! $this->hasMatchingPath($request)) { + return $next($request); + } + + $this->cors->setOptions($this->container['config']->get('cors', [])); + + if ($this->cors->isPreflightRequest($request)) { + $response = $this->cors->handlePreflightRequest($request); + + $this->cors->varyHeader($response, 'Access-Control-Request-Method'); + + return $response; + } + + $response = $next($request); + + if ($request->getMethod() === 'OPTIONS') { + $this->cors->varyHeader($response, 'Access-Control-Request-Method'); + } + + return $this->cors->addActualRequestHeaders($response, $request); + } + + /** + * Get the path from the configuration to determine if the CORS service should run. + * + * @param \Illuminate\Http\Request $request + * @return bool + */ + protected function hasMatchingPath(Request $request): bool + { + $paths = $this->getPathsByHost($request->getHost()); + + foreach ($paths as $path) { + if ($path !== '/') { + $path = trim($path, '/'); + } + + if ($request->fullUrlIs($path) || $request->is($path)) { + return true; + } + } + + return false; + } + + /** + * Get the CORS paths for the given host. + * + * @param string $host + * @return array + */ + protected function getPathsByHost(string $host) + { + $paths = $this->container['config']->get('cors.paths', []); + + if (isset($paths[$host])) { + return $paths[$host]; + } + + return array_filter($paths, function ($path) { + return is_string($path); + }); + } +} diff --git a/src/Illuminate/Http/Middleware/TrustHosts.php b/src/Illuminate/Http/Middleware/TrustHosts.php index fd7e601518f0..00a5a44c2e92 100644 --- a/src/Illuminate/Http/Middleware/TrustHosts.php +++ b/src/Illuminate/Http/Middleware/TrustHosts.php @@ -36,7 +36,7 @@ abstract public function hosts(); * Handle the incoming request. * * @param \Illuminate\Http\Request $request - * @param callable $next + * @param \Closure $next * @return \Illuminate\Http\Response */ public function handle(Request $request, $next) diff --git a/src/Illuminate/Http/composer.json b/src/Illuminate/Http/composer.json index 6d0f3d634cf5..a5ad5da9a79d 100755 --- a/src/Illuminate/Http/composer.json +++ b/src/Illuminate/Http/composer.json @@ -16,6 +16,7 @@ "require": { "php": "^8.0.2", "ext-json": "*", + "fruitcake/php-cors": "^1.2", "illuminate/collections": "^9.0", "illuminate/macroable": "^9.0", "illuminate/session": "^9.0", diff --git a/tests/Integration/Http/Middleware/HandleCorsTest.php b/tests/Integration/Http/Middleware/HandleCorsTest.php new file mode 100644 index 000000000000..65eae0ee7e18 --- /dev/null +++ b/tests/Integration/Http/Middleware/HandleCorsTest.php @@ -0,0 +1,293 @@ +make(Kernel::class); + $kernel->prependMiddleware(HandleCors::class); + + $router = $app['router']; + + $this->addWebRoutes($router); + $this->addApiRoutes($router); + + parent::getEnvironmentSetUp($app); + } + + protected function resolveApplicationConfiguration($app) + { + parent::resolveApplicationConfiguration($app); + + $app['config']['cors'] = [ + 'paths' => ['api/*'], + 'supports_credentials' => false, + 'allowed_origins' => ['http://localhost'], + 'allowed_headers' => ['X-Custom-1', 'X-Custom-2'], + 'allowed_methods' => ['GET', 'POST'], + 'exposed_headers' => [], + 'max_age' => 0, + ]; + } + + public function testShouldReturnHeaderAssessControlAllowOriginWhenDontHaveHttpOriginOnRequest() + { + $crawler = $this->call('OPTIONS', 'api/ping', [], [], [], [ + 'HTTP_ACCESS_CONTROL_REQUEST_METHOD' => 'POST', + ]); + + $this->assertEquals('http://localhost', $crawler->headers->get('Access-Control-Allow-Origin')); + $this->assertEquals(204, $crawler->getStatusCode()); + } + + public function testOptionsAllowOriginAllowed() + { + $crawler = $this->call('OPTIONS', 'api/ping', [], [], [], [ + 'HTTP_ORIGIN' => 'http://localhost', + 'HTTP_ACCESS_CONTROL_REQUEST_METHOD' => 'POST', + ]); + + $this->assertEquals('http://localhost', $crawler->headers->get('Access-Control-Allow-Origin')); + $this->assertEquals(204, $crawler->getStatusCode()); + } + + public function testAllowAllOrigins() + { + $this->app['config']->set('cors.allowed_origins', ['*']); + + $crawler = $this->call('OPTIONS', 'api/ping', [], [], [], [ + 'HTTP_ORIGIN' => 'http://laravel.com', + 'HTTP_ACCESS_CONTROL_REQUEST_METHOD' => 'POST', + ]); + + $this->assertEquals('*', $crawler->headers->get('Access-Control-Allow-Origin')); + $this->assertEquals(204, $crawler->getStatusCode()); + } + + public function testAllowAllOriginsWildcard() + { + $this->app['config']->set('cors.allowed_origins', ['*.laravel.com']); + + $crawler = $this->call('OPTIONS', 'api/ping', [], [], [], [ + 'HTTP_ORIGIN' => 'http://test.laravel.com', + 'HTTP_ACCESS_CONTROL_REQUEST_METHOD' => 'POST', + ]); + + $this->assertEquals('http://test.laravel.com', $crawler->headers->get('Access-Control-Allow-Origin')); + $this->assertEquals(204, $crawler->getStatusCode()); + } + + public function testOriginsWildcardIncludesNestedSubdomains() + { + $this->app['config']->set('cors.allowed_origins', ['*.laravel.com']); + + $crawler = $this->call('OPTIONS', 'api/ping', [], [], [], [ + 'HTTP_ORIGIN' => 'http://api.service.test.laravel.com', + 'HTTP_ACCESS_CONTROL_REQUEST_METHOD' => 'POST', + ]); + + $this->assertEquals('http://api.service.test.laravel.com', $crawler->headers->get('Access-Control-Allow-Origin')); + $this->assertEquals(204, $crawler->getStatusCode()); + } + + public function testAllowAllOriginsWildcardNoMatch() + { + $this->app['config']->set('cors.allowed_origins', ['*.laravel.com']); + + $crawler = $this->call('OPTIONS', 'api/ping', [], [], [], [ + 'HTTP_ORIGIN' => 'http://test.symfony.com', + 'HTTP_ACCESS_CONTROL_REQUEST_METHOD' => 'POST', + ]); + + $this->assertEquals(null, $crawler->headers->get('Access-Control-Allow-Origin')); + } + + public function testOptionsAllowOriginAllowedNonExistingRoute() + { + $crawler = $this->call('OPTIONS', 'api/pang', [], [], [], [ + 'HTTP_ORIGIN' => 'http://localhost', + 'HTTP_ACCESS_CONTROL_REQUEST_METHOD' => 'POST', + ]); + + $this->assertEquals('http://localhost', $crawler->headers->get('Access-Control-Allow-Origin')); + $this->assertEquals(204, $crawler->getStatusCode()); + } + + public function testOptionsAllowOriginNotAllowed() + { + $crawler = $this->call('OPTIONS', 'api/ping', [], [], [], [ + 'HTTP_ORIGIN' => 'http://otherhost', + 'HTTP_ACCESS_CONTROL_REQUEST_METHOD' => 'POST', + ]); + + $this->assertEquals('http://localhost', $crawler->headers->get('Access-Control-Allow-Origin')); + } + + public function testAllowMethodAllowed() + { + $crawler = $this->call('POST', 'web/ping', [], [], [], [ + 'HTTP_ORIGIN' => 'http://localhost', + 'HTTP_ACCESS_CONTROL_REQUEST_METHOD' => 'POST', + ]); + $this->assertEquals(null, $crawler->headers->get('Access-Control-Allow-Methods')); + $this->assertEquals(200, $crawler->getStatusCode()); + + $this->assertEquals('PONG', $crawler->getContent()); + } + + public function testAllowMethodNotAllowed() + { + $crawler = $this->call('POST', 'web/ping', [], [], [], [ + 'HTTP_ORIGIN' => 'http://localhost', + 'HTTP_ACCESS_CONTROL_REQUEST_METHOD' => 'PUT', + ]); + $this->assertEquals(null, $crawler->headers->get('Access-Control-Allow-Methods')); + $this->assertEquals(200, $crawler->getStatusCode()); + } + + public function testAllowHeaderAllowedOptions() + { + $crawler = $this->call('OPTIONS', 'api/ping', [], [], [], [ + 'HTTP_ORIGIN' => 'http://localhost', + 'HTTP_ACCESS_CONTROL_REQUEST_METHOD' => 'POST', + 'HTTP_ACCESS_CONTROL_REQUEST_HEADERS' => 'x-custom-1, x-custom-2', + ]); + $this->assertEquals('x-custom-1, x-custom-2', $crawler->headers->get('Access-Control-Allow-Headers')); + $this->assertEquals(204, $crawler->getStatusCode()); + + $this->assertEquals('', $crawler->getContent()); + } + + public function testAllowHeaderAllowedWildcardOptions() + { + $this->app['config']->set('cors.allowed_headers', ['*']); + + $crawler = $this->call('OPTIONS', 'api/ping', [], [], [], [ + 'HTTP_ORIGIN' => 'http://localhost', + 'HTTP_ACCESS_CONTROL_REQUEST_METHOD' => 'POST', + 'HTTP_ACCESS_CONTROL_REQUEST_HEADERS' => 'x-custom-3', + ]); + $this->assertEquals('x-custom-3', $crawler->headers->get('Access-Control-Allow-Headers')); + $this->assertEquals(204, $crawler->getStatusCode()); + + $this->assertEquals('', $crawler->getContent()); + } + + public function testAllowHeaderNotAllowedOptions() + { + $crawler = $this->call('OPTIONS', 'api/ping', [], [], [], [ + 'HTTP_ORIGIN' => 'http://localhost', + 'HTTP_ACCESS_CONTROL_REQUEST_METHOD' => 'POST', + 'HTTP_ACCESS_CONTROL_REQUEST_HEADERS' => 'x-custom-3', + ]); + $this->assertEquals('x-custom-1, x-custom-2', $crawler->headers->get('Access-Control-Allow-Headers')); + } + + public function testAllowHeaderAllowed() + { + $crawler = $this->call('POST', 'web/ping', [], [], [], [ + 'HTTP_ORIGIN' => 'http://localhost', + 'HTTP_ACCESS_CONTROL_REQUEST_HEADERS' => 'x-custom-1, x-custom-2', + ]); + $this->assertEquals(null, $crawler->headers->get('Access-Control-Allow-Headers')); + $this->assertEquals(200, $crawler->getStatusCode()); + + $this->assertEquals('PONG', $crawler->getContent()); + } + + public function testAllowHeaderAllowedWildcard() + { + $this->app['config']->set('cors.allowed_headers', ['*']); + + $crawler = $this->call('POST', 'web/ping', [], [], [], [ + 'HTTP_ORIGIN' => 'http://localhost', + 'HTTP_ACCESS_CONTROL_REQUEST_HEADERS' => 'x-custom-3', + ]); + $this->assertEquals(null, $crawler->headers->get('Access-Control-Allow-Headers')); + $this->assertEquals(200, $crawler->getStatusCode()); + + $this->assertEquals('PONG', $crawler->getContent()); + } + + public function testAllowHeaderNotAllowed() + { + $crawler = $this->call('POST', 'web/ping', [], [], [], [ + 'HTTP_ORIGIN' => 'http://localhost', + 'HTTP_ACCESS_CONTROL_REQUEST_HEADERS' => 'x-custom-3', + ]); + $this->assertEquals(null, $crawler->headers->get('Access-Control-Allow-Headers')); + $this->assertEquals(200, $crawler->getStatusCode()); + } + + public function testError() + { + $crawler = $this->call('POST', 'api/error', [], [], [], [ + 'HTTP_ORIGIN' => 'http://localhost', + 'HTTP_ACCESS_CONTROL_REQUEST_METHOD' => 'POST', + ]); + + $this->assertEquals('http://localhost', $crawler->headers->get('Access-Control-Allow-Origin')); + $this->assertEquals(500, $crawler->getStatusCode()); + } + + public function testValidationException() + { + $crawler = $this->call('POST', 'api/validation', [], [], [], [ + 'HTTP_ORIGIN' => 'http://localhost', + 'HTTP_ACCESS_CONTROL_REQUEST_METHOD' => 'POST', + ]); + $this->assertEquals('http://localhost', $crawler->headers->get('Access-Control-Allow-Origin')); + $this->assertEquals(302, $crawler->getStatusCode()); + } + + protected function addWebRoutes(Router $router) + { + $router->post('web/ping', [ + 'uses' => function () { + return 'PONG'; + }, + ]); + } + + protected function addApiRoutes(Router $router) + { + $router->post('api/ping', [ + 'uses' => function () { + return 'PONG'; + }, + ]); + + $router->put('api/ping', [ + 'uses' => function () { + return 'PONG'; + }, + ]); + + $router->post('api/error', [ + 'uses' => function () { + abort(500); + }, + ]); + + $router->post('api/validation', [ + 'uses' => function (Request $request) { + $this->validate($request, [ + 'name' => 'required', + ]); + + return 'ok'; + }, + ]); + } +}