Merge pull request #8649 from kenjis/feat-cors

feat: add CORS filter

Author: kenjis

.github/workflows/test-phpcpd.yml

@@ -58,4 +58,5 @@ jobs:
             --exclude system/HTTP/SiteURI.php
             --exclude system/Validation/Rules.php
             --exclude system/Autoloader/Autoloader.php
+            --exclude system/Config/Filters.php
             -- app/ public/ system/

app/Config/Cors.php

@@ -0,0 +1,105 @@
+<?php
+
+namespace Config;
+
+use CodeIgniter\Config\BaseConfig;
+
+/**
+ * Cross-Origin Resource Sharing (CORS) Configuration
+ *
+ * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
+ */
+class Cors extends BaseConfig
+{
+    /**
+     * The default CORS configuration.
+     *
+     * @var array{
+     *      allowedOrigins: list<string>,
+     *      allowedOriginsPatterns: list<string>,
+     *      supportsCredentials: bool,
+     *      allowedHeaders: list<string>,
+     *      exposedHeaders: list<string>,
+     *      allowedMethods: list<string>,
+     *      maxAge: int,
+     *  }
+     */
+    public array $default = [
+        /**
+         * Origins for the `Access-Control-Allow-Origin` header.
+         *
+         * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
+         *
+         * E.g.:
+         *   - ['http://localhost:8080']
+         *   - ['https://www.example.com']
+         */
+        'allowedOrigins' => [],
+
+        /**
+         * Origin regex patterns for the `Access-Control-Allow-Origin` header.
+         *
+         * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
+         *
+         * NOTE: A pattern specified here is part of a regular expression. It will
+         *       be actually `#\A<pattern>\z#`.
+         *
+         * E.g.:
+         *   - ['https://\w+\.example\.com']
+         */
+        'allowedOriginsPatterns' => [],
+
+        /**
+         * Weather to send the `Access-Control-Allow-Credentials` header.
+         *
+         * The Access-Control-Allow-Credentials response header tells browsers whether
+         * the server allows cross-origin HTTP requests to include credentials.
+         *
+         * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials
+         */
+        'supportsCredentials' => false,
+
+        /**
+         * Set headers to allow.
+         *
+         * The Access-Control-Allow-Headers response header is used in response to
+         * a preflight request which includes the Access-Control-Request-Headers to
+         * indicate which HTTP headers can be used during the actual request.
+         *
+         * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers
+         */
+        'allowedHeaders' => [],
+
+        /**
+         * Set headers to expose.
+         *
+         * The Access-Control-Expose-Headers response header allows a server to
+         * indicate which response headers should be made available to scripts running
+         * in the browser, in response to a cross-origin request.
+         *
+         * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers
+         */
+        'exposedHeaders' => [],
+
+        /**
+         * Set methods to allow.
+         *
+         * The Access-Control-Allow-Methods response header specifies one or more
+         * methods allowed when accessing a resource in response to a preflight
+         * request.
+         *
+         * E.g.:
+         *   - ['GET', 'POST', 'PUT', 'DELETE']
+         *
+         * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods
+         */
+        'allowedMethods' => [],
+
+        /**
+         * Set how many seconds the results of a preflight request can be cached.
+         *
+         * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age
+         */
+        'maxAge' => 7200,
+    ];
+}

app/Config/Filters.php

@@ -3,6 +3,7 @@
 namespace Config;
 
 use CodeIgniter\Config\Filters as BaseFilters;
+use CodeIgniter\Filters\Cors;
 use CodeIgniter\Filters\CSRF;
 use CodeIgniter\Filters\DebugToolbar;
 use CodeIgniter\Filters\ForceHTTPS;
@@ -29,6 +30,7 @@ class Filters extends BaseFilters
         'honeypot'      => Honeypot::class,
         'invalidchars'  => InvalidChars::class,
         'secureheaders' => SecureHeaders::class,
+        'cors'          => Cors::class,
         'forcehttps'    => ForceHTTPS::class,
         'pagecache'     => PageCache::class,
         'performance'   => PerformanceMetrics::class,

system/CodeIgniter.php

@@ -460,6 +460,7 @@ protected function handleRequest(?RouteCollectionInterface $routes, Cache $cache
         $uri = $this->request->getPath();
 
         if ($this->enableFilters) {
+            /** @var Filters $filters */
             $filters = service('filters');
 
             // If any filters were specified within the routes file,
@@ -517,6 +518,7 @@ protected function handleRequest(?RouteCollectionInterface $routes, Cache $cache
         $this->gatherOutput($cacheConfig, $returned);
 
         if ($this->enableFilters) {
+            /** @var Filters $filters */
             $filters = service('filters');
             $filters->setResponse($this->response);
 

system/Config/Filters.php

@@ -13,6 +13,7 @@
 
 namespace CodeIgniter\Config;
 
+use CodeIgniter\Filters\Cors;
 use CodeIgniter\Filters\CSRF;
 use CodeIgniter\Filters\DebugToolbar;
 use CodeIgniter\Filters\ForceHTTPS;
@@ -42,6 +43,7 @@ class Filters extends BaseConfig
         'honeypot'      => Honeypot::class,
         'invalidchars'  => InvalidChars::class,
         'secureheaders' => SecureHeaders::class,
+        'cors'          => Cors::class,
         'forcehttps'    => ForceHTTPS::class,
         'pagecache'     => PageCache::class,
         'performance'   => PerformanceMetrics::class,
@@ -95,7 +97,7 @@ class Filters extends BaseConfig
      * particular HTTP method (GET, POST, etc.).
      *
      * Example:
-     * 'post' => ['foo', 'bar']
+     * 'POST' => ['foo', 'bar']
      *
      * If you use this, you should disable auto-routing because auto-routing
      * permits any HTTP method to access a controller. Accessing the controller

system/Filters/Cors.php

@@ -0,0 +1,111 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * This file is part of CodeIgniter 4 framework.
+ *
+ * (c) CodeIgniter Foundation <[email protected]>
+ *
+ * For the full copyright and license information, please view
+ * the LICENSE file that was distributed with this source code.
+ */
+
+namespace CodeIgniter\Filters;
+
+use CodeIgniter\HTTP\Cors as CorsService;
+use CodeIgniter\HTTP\IncomingRequest;
+use CodeIgniter\HTTP\RequestInterface;
+use CodeIgniter\HTTP\ResponseInterface;
+
+/**
+ * @see \CodeIgniter\Filters\CorsTest
+ */
+class Cors implements FilterInterface
+{
+    private ?CorsService $cors = null;
+
+    /**
+     * @testTag $config is used for testing purposes only.
+     *
+     * @param array{
+     *      allowedOrigins?: list<string>,
+     *      allowedOriginsPatterns?: list<string>,
+     *      supportsCredentials?: bool,
+     *      allowedHeaders?: list<string>,
+     *      exposedHeaders?: list<string>,
+     *      allowedMethods?: list<string>,
+     *      maxAge?: int,
+     *  } $config
+     */
+    public function __construct(array $config = [])
+    {
+        if ($config !== []) {
+            $this->cors = new CorsService($config);
+        }
+    }
+
+    /**
+     * @param list<string>|null $arguments
+     *
+     * @return ResponseInterface|string|void
+     */
+    public function before(RequestInterface $request, $arguments = null)
+    {
+        if (! $request instanceof IncomingRequest) {
+            return;
+        }
+
+        $this->createCorsService($arguments);
+
+        if (! $this->cors->isPreflightRequest($request)) {
+            return;
+        }
+
+        /** @var ResponseInterface $response */
+        $response = service('response');
+
+        $response = $this->cors->handlePreflightRequest($request, $response);
+
+        // Always adds `Vary: Access-Control-Request-Method` header for cacheability.
+        // If there is an intermediate cache server such as a CDN, if a plain
+        // OPTIONS request is sent, it may be cached. But valid preflight requests
+        // have this header, so it will be cached separately.
+        $response->appendHeader('Vary', 'Access-Control-Request-Method');
+
+        return $response;
+    }
+
+    /**
+     * @param list<string>|null $arguments
+     */
+    private function createCorsService(?array $arguments): void
+    {
+        $this->cors ??= ($arguments === null) ? CorsService::factory()
+            : CorsService::factory($arguments[0]);
+    }
+
+    /**
+     * @param list<string>|null $arguments
+     *
+     * @return ResponseInterface|void
+     */
+    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
+    {
+        if (! $request instanceof IncomingRequest) {
+            return;
+        }
+
+        $this->createCorsService($arguments);
+
+        // Always adds `Vary: Access-Control-Request-Method` header for cacheability.
+        // If there is an intermediate cache server such as a CDN, if a plain
+        // OPTIONS request is sent, it may be cached. But valid preflight requests
+        // have this header, so it will be cached separately.
+        if ($request->is('OPTIONS')) {
+            $response->appendHeader('Vary', 'Access-Control-Request-Method');
+        }
+
+        return $this->cors->addResponseHeaders($request, $response);
+    }
+}