├── .github
    ├── CODEOWNERS
    ├── FUNDING.yml
    ├── ISSUE_TEMPLATE
    │   ├── bug_report.md
    │   ├── documentation.md
    │   ├── feature_request.md
    │   ├── other.md
    │   └── performance_issue.md
    ├── PULL_REQUEST_TEMPLATE.md
    └── workflows
    │   ├── install.yaml
    │   ├── integration.yaml
    │   ├── release-please.yml
    │   └── unit.yaml
├── .gitignore
├── .release-please-manifest.json
├── .versionrc.json
├── CHANGELOG.md
├── CODE_OF_CONDUCT.md
├── CONTRIBUTING.md
├── Configuration
    ├── ConfigurationCleaner.php
    ├── CorsConfigurationInterface.php
    ├── GraphQl
    │   └── CorsConfiguration.php
    └── Rest
    │   └── CorsConfiguration.php
├── Controller
    └── NoopController.php
├── LICENSE
├── Plugin
    └── FastLauncher.php
├── README.md
├── Request
    └── RestRequest.php
├── Response
    ├── HeaderManager.php
    ├── HeaderProvider
    │   ├── CorsAllowCredentialsHeaderProvider.php
    │   ├── CorsAllowHeadersHeaderProvider.php
    │   ├── CorsAllowMethodsHeaderProvider.php
    │   ├── CorsAllowOriginHeaderProvider.php
    │   ├── CorsExposeHeadersProvider.php
    │   ├── CorsMaxAgeHeaderProvider.php
    │   └── CorsVaryHeaderProvider.php
    └── Preflight
    │   ├── GraphQl
    │       └── PreflightRequestHandler.php
    │   └── Rest
    │       └── PreflightRequestHandler.php
├── Test
    ├── Integration
    │   ├── CorsConfigurationDiTest.php
    │   ├── CorsValidatorDiTest.php
    │   ├── HeaderManagerConfigurationTest.php
    │   ├── Preflight
    │   │   ├── GraphQlResponseTest.php
    │   │   └── WebApiResponseTest.php
    │   ├── RegistrationTest.php
    │   └── Response
    │   │   ├── GraphQlResponseTest.php
    │   │   └── WebApiResponseTest.php
    └── Unit
    │   ├── Configuration
    │       ├── ConfigurationCleanerTest.php
    │       ├── GraphQlCorsConfigurationTest.php
    │       └── RestCorsConfigurationTest.php
    │   ├── HeaderProvider
    │       ├── CorsAllowCredentialsHeaderProviderTest.php
    │       ├── CorsAllowHeadersHeaderProviderTest.php
    │       ├── CorsAllowMethodsHeaderProviderTest.php
    │       ├── CorsAllowOriginHeaderProviderTest.php
    │       ├── CorsMaxAgeHeaderProviderTest.php
    │       └── CorsVaryHeaderProviderTest.php
    │   └── Validator
    │       └── CorsValidatorTest.php
├── Validator
    ├── CorsValidator.php
    └── CorsValidatorInterface.php
├── composer.json
├── docs
    ├── DEVELOPER.md
    ├── build
    │   └── README.md
    ├── faq
    │   └── faqs.md
    ├── stories
    │   ├── configuring-the-headers.md
    │   ├── examples
    │   │   ├── cors_allowed_methods-in-cloud.jpg
    │   │   └── pwa-configuration.php
    │   ├── no-wild-card.md
    │   ├── security.md
    │   └── varnish.md
    └── upgrading
    │   └── guide.md
├── etc
    ├── config.xml
    ├── di.xml
    ├── graphql
    │   └── di.xml
    ├── module.xml
    └── webapi_rest
    │   └── di.xml
├── package-lock.json
├── package.json
├── registration.php
└── release-please-config.json


/.github/CODEOWNERS:
--------------------------------------------------------------------------------
 1 | # $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
 2 | # $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
 3 | # $$               Magento 2 Cors Code Owners           $$
 4 | # $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
 5 | # $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
 6 | #  
 7 | # The configuration for Code Owners for graycoreio/magento2-cors.
 8 | #
 9 | #  For more info see: https://help.github.com/articles/about-codeowners/
10 | #
11 | 
12 | 
13 | # ================================================
14 | #  Concepts
15 | # ================================================
16 | #
17 | # 1. A CodeOwner should only review what they are comfortable reviewing. If you're not comfortable, say something.
18 | # 2. It is a CodeOwners responsibility to only accept the changes that they understand and deem necessary.
19 | # 3. The CodeOwners have final say on whether or not code is accepted.
20 | # 4. If multiple CodeOwners are listed, ALL code owners must approve the PR prior to merge.
21 | # 5. CodeOwners work in conjunction with Github's "Number of Required Approvals (1)" requirement.
22 | 
23 | 
24 | # ================================================
25 | #  GitHub username registry
26 | # ================================================
27 | 
28 | #  damienwebdev - Damien Retzinger
29 | #  Nolan-Arnold - Nolan Arnold
30 | 
31 | 
32 | 
33 | ######################################################################################################
34 | #
35 | #  Team structure and memberships
36 | #  ------------------------------
37 | #
38 | #
39 | #  Any changes to team structure or memberships must first be made in this file and only then
40 | #  implemented in the GitHub UI.
41 | #######################################################################################################
42 | 
43 | 
44 | ######################################################################################################
45 | #
46 | # CODEOWNERS rules
47 | # -----------------
48 | #
49 | # All the following rules are applied in the order specified in this file.
50 | # The last rule that matches wins!
51 | #
52 | # See https://git-scm.com/docs/gitignore#_pattern_format for pattern syntax docs.
53 | #
54 | ######################################################################################################
55 | 
56 | 
57 | # ================================================
58 | #  Default Owners
59 | # ================================================
60 | 
61 | * @damienwebdev
62 | 
63 | # ================================================
64 | #  CODEOWNERS Owners owners ...
65 | # ================================================
66 | 
67 | /.github/CODEOWNERS                                             @damienwebdev
68 | 


--------------------------------------------------------------------------------
/.github/FUNDING.yml:
--------------------------------------------------------------------------------
1 | # These are supported funding model platforms
2 | 
3 | github: graycoreio


--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/bug_report.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | name: Bug report or Regression
 3 | about: Create a report to help us fix an issue or regression
 4 | title: '[BUG]'
 5 | labels: 'bug'
 6 | assignees: 'damienwebdev'
 7 | ---
 8 | 
 9 | <!--
10 | PLEASE HELP US PROCESS GITHUB ISSUES FASTER BY PROVIDING THE FOLLOWING INFORMATION.
11 | 
12 | ISSUES MISSING IMPORTANT INFORMATION MAY BE CLOSED WITHOUT INVESTIGATION.
13 | -->
14 | 
15 | # :bug: Bug report
16 | 
17 | ## Current Behavior
18 | <!-- Describe how the issue manifests. -->
19 | 
20 | 
21 | ## Expected Behavior
22 | <!-- Describe what the expected behavior is. -->
23 | 
24 | 
25 | ## Minimal reproduction of the problem with instructions
26 | <!-- Please provide the *STEPS TO REPRODUCE* and if possible a *MINIMAL DEMO* of the problem -->
27 | 
28 | 
29 | ## What is the motivation / use case for changing the behavior?
30 | <!-- Describe the motivation or the concrete use case. -->
31 | 
32 | 
33 | ## Environment
34 | 
35 | <pre><code>
36 | magento2-cors version: X.Y.Z
37 | Magento version: X.Y.Z 
38 | PHP Version version: X.Y.Z 
39 | <!-- Check whether this is still an issue in the most recent magento2-cors version -->
40 | 
41 | Others:
42 | <!-- Anything else relevant?  Operating system version, IDE, package manager, HTTP server, ... -->
43 | </code></pre>


--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/documentation.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | name: Documentation Request
 3 | about: Request additional documentation or clarification on a feature.
 4 | title: '[DOCS]'
 5 | labels: 'docs'
 6 | assignees: 'damienwebdev'
 7 | ---
 8 | 
 9 | <!--
10 | PLEASE HELP US PROCESS GITHUB ISSUES FASTER BY PROVIDING THE FOLLOWING INFORMATION.
11 | 
12 | ISSUES MISSING IMPORTANT INFORMATION MAY BE CLOSED WITHOUT INVESTIGATION.
13 | -->
14 | 
15 | # :page_facing_up: Documentation Request
16 | 
17 | ## What were you doing?
18 | <!-- Describe how you came to need the documentation. -->
19 | 
20 | 
21 | ## Expected behavior
22 | <!-- Describe not only **what** you would like to see documented, but also **where** you'd like to see it. -->
23 | 
24 | 
25 | ## Existing Documentation
26 | <!-- Describe any existing documentation that would potentially require change. -->
27 | 
28 | ## Environment
29 | 
30 | <pre><code>
31 | magento2-cors version: X.Y.Z
32 | Magento version: X.Y.Z 
33 | PHP Version version: X.Y.Z 
34 | <!-- Check whether this is still an issue in the most recent magento2-cors version -->
35 | 
36 | Others:
37 | <!-- Anything else relevant?  Operating system version, IDE, package manager, HTTP server, ... -->
38 | </code></pre>


--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/feature_request.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | name: Feature Request
 3 | about: Ask for a new feature, or something that you'd like to see changed.
 4 | title: '[FEAT]'
 5 | labels: 'feat'
 6 | assignees: 'damienwebdev'
 7 | ---
 8 | 
 9 | <!--
10 | PLEASE HELP US PROCESS GITHUB ISSUES FASTER BY PROVIDING THE FOLLOWING INFORMATION.
11 | 
12 | ISSUES MISSING IMPORTANT INFORMATION MAY BE CLOSED WITHOUT INVESTIGATION.
13 | -->
14 | 
15 | # :bulb: Feature request
16 | 
17 | ## Feature Name
18 | <!-- Naming is hard, what do YOU call this feature? -->
19 | 
20 | 
21 | ## The Desired Behavior
22 | <!-- Please describe, in as much detail as you can, what you'd like to see happen. -->
23 | 
24 | 
25 | ## Your Use Case
26 | <!-- Please try to format as "As a {role}, I'd like to be able to do {x}. -->
27 | 
28 | 
29 | ## Prior Work
30 | <!-- If you got this idea from somewhere, please indicate where you got it from. -->
31 | 
32 | 
33 | ## Environment
34 | 
35 | <pre><code>
36 | magento2-cors version: X.Y.Z
37 | Magento version: X.Y.Z 
38 | PHP Version version: X.Y.Z 
39 | <!-- Check whether this is still an issue in the most recent magento2-cors version -->
40 | 
41 | Others:
42 | <!-- Anything else relevant?  Operating system version, IDE, package manager, HTTP server, ... -->
43 | </code></pre>


--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/other.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | name: Other
 3 | about: Report a general issue that isn't covered by other issue templates.
 4 | title: '[OTHER]'
 5 | labels: ''
 6 | assignees: ''
 7 | ---
 8 | 
 9 | <!--
10 | PLEASE HELP US PROCESS GITHUB ISSUES FASTER BY PROVIDING THE FOLLOWING INFORMATION.
11 | 
12 | ISSUES MISSING IMPORTANT INFORMATION MAY BE CLOSED WITHOUT INVESTIGATION.
13 | -->
14 | 
15 | # :question: Other
16 | <!-- If you're asking a question, have you searched through Github first? -->
17 | 
18 | 
19 | ## Environment
20 | 
21 | <pre><code>
22 | magento2-cors version: X.Y.Z
23 | Magento version: X.Y.Z 
24 | PHP Version version: X.Y.Z 
25 | <!-- Check whether this is still an issue in the most recent magento2-cors version -->
26 | 
27 | Others:
28 | <!-- Anything else relevant?  Operating system version, IDE, package manager, HTTP server, ... -->
29 | </code></pre>


--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/performance_issue.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | name: Performance Issue
 3 | about: Create a report about a performance problem.
 4 | title: '[PERF]'
 5 | labels: 'perf'
 6 | assignees: 'damienwebdev'
 7 | ---
 8 | 
 9 | <!--
10 | PLEASE HELP US PROCESS GITHUB ISSUES FASTER BY PROVIDING THE FOLLOWING INFORMATION.
11 | 
12 | ISSUES MISSING IMPORTANT INFORMATION MAY BE CLOSED WITHOUT INVESTIGATION.
13 | -->
14 | 
15 | # :turtle: Performance Issue
16 | 
17 | ## Current behavior
18 | <!-- Describe how the issue manifests. -->
19 | 
20 | 
21 | ## Expected behavior
22 | <!-- Describe what the expected behavior is. -->
23 | 
24 | 
25 | ## Minimal reproduction of the problem with instructions
26 | <!-- Please provide the *STEPS TO REPRODUCE* and if possible a *MINIMAL DEMO* of the problem -->
27 | 
28 | 
29 | ## What is the motivation / use case for changing the behavior?
30 | <!-- Describe the motivation or the concrete use case. -->
31 | 
32 | 
33 | ## Environment
34 | 
35 | <pre><code>
36 | magento2-cors version: X.Y.Z
37 | Magento version: X.Y.Z 
38 | PHP Version version: X.Y.Z 
39 | <!-- Check whether this is still an issue in the most recent magento2-cors version -->
40 | 
41 | Others:
42 | <!-- Anything else relevant?  Operating system version, IDE, package manager, HTTP server, ... -->
43 | </code></pre>


--------------------------------------------------------------------------------
/.github/PULL_REQUEST_TEMPLATE.md:
--------------------------------------------------------------------------------
 1 | ## PR Checklist
 2 | Please check if your PR fulfills the following requirements:
 3 | 
 4 | - [ ] The commit message follows our guidelines: https://github.com/graycoreio/magento2-cors/blob/master/CONTRIBUTING.md#commit
 5 | - [ ] Tests for the changes have been added (for bug fixes / features)
 6 | - [ ] Docs have been added / updated (for bug fixes / features)
 7 | 
 8 | 
 9 | ## PR Type
10 | What kind of change does this PR introduce?
11 | 
12 | <!-- Please check the one that applies to this PR using "x". -->
13 | ```
14 | [ ] Bugfix
15 | [ ] Feature
16 | [ ] Code style update (formatting, local variables)
17 | [ ] Refactoring (no functional changes, no api changes)
18 | [ ] Build related changes
19 | [ ] CI related changes
20 | [ ] Documentation content changes
21 | [ ] Other... Please describe:
22 | ```
23 | 
24 | ## What is the current behavior?
25 | <!-- Please describe the current behavior that you are modifying, or link to a relevant issue. -->
26 | 
27 | Fixes: N/A
28 | 
29 | 
30 | ## What is the new behavior?
31 | 
32 | 
33 | ## Does this PR introduce a breaking change?
34 | ```
35 | [ ] Yes
36 | [ ] No
37 | ```
38 | 
39 | <!-- If this PR contains a breaking change, please describe the impact and migration path for existing applications below. -->
40 | 
41 | 
42 | ## Other information


--------------------------------------------------------------------------------
/.github/workflows/install.yaml:
--------------------------------------------------------------------------------
 1 | name: Installation Test
 2 | 
 3 | on:
 4 |   workflow_dispatch: {}
 5 |   schedule:
 6 |     - cron: 0 12 10 * *
 7 |   push:
 8 |     branches:
 9 |     - master
10 |     paths-ignore:
11 |     - "docs/**"
12 |     - package.json
13 |     - package-lock.json
14 |     - "*.md"
15 |   pull_request:
16 |     branches:
17 |     - master
18 |     paths-ignore:
19 |     - "docs/**"
20 |     - package.json
21 |     - package-lock.json
22 | 
23 | jobs:
24 |   compute_matrix:
25 |     runs-on: ubuntu-latest
26 |     outputs:
27 |       matrix: ${{ steps.supported-version.outputs.matrix }}
28 |     steps:
29 |       - uses: graycoreio/github-actions-magento2/supported-version@main
30 |         id: supported-version
31 | 
32 |   install-test:
33 |     needs: compute_matrix
34 |     strategy:
35 |       matrix: ${{ fromJSON(needs.compute_matrix.outputs.matrix) }}
36 |     runs-on: ubuntu-latest
37 |     steps:
38 |     - uses: actions/checkout@v4
39 |     - uses: graycoreio/github-actions-magento2/installation-test@main
40 |       with:
41 |         composer_version: ${{ matrix.composer }}
42 |         php_version: ${{ matrix.php }}
43 |         magento_version: ${{ matrix.magento }}
44 |         composer_auth: ${{ secrets.COMPOSER_AUTH }}
45 |         package_name: graycore/magento2-cors
46 |         source_folder: $GITHUB_WORKSPACE


--------------------------------------------------------------------------------
/.github/workflows/integration.yaml:
--------------------------------------------------------------------------------
 1 | name: Integration Test
 2 | 
 3 | on:
 4 |   workflow_dispatch: {}
 5 |   schedule:
 6 |     - cron: 0 12 10 * *
 7 |   push:
 8 |     branches:
 9 |     - master
10 |     paths-ignore:
11 |     - "docs/**"
12 |     - package.json
13 |     - package-lock.json
14 |     - "*.md"
15 |   pull_request:
16 |     branches:
17 |     - master
18 |     paths-ignore:
19 |     - "docs/**"
20 |     - package.json
21 |     - package-lock.json
22 |     - "*.md"
23 | 
24 | jobs:
25 |   compute_matrix:
26 |       runs-on: ubuntu-latest
27 |       outputs:
28 |         matrix: ${{ steps.supported-version.outputs.matrix }}
29 |       steps:
30 |         - uses: graycoreio/github-actions-magento2/supported-version@main
31 |           id: supported-version
32 |   integration-workflow:
33 |     needs: compute_matrix
34 |     uses: graycoreio/github-actions-magento2/.github/workflows/integration.yaml@main
35 |     with:
36 |       package_name: graycore/magento2-cors
37 |       matrix: ${{ needs.compute_matrix.outputs.matrix }}
38 |       test_command: ../../../vendor/bin/phpunit ../../../vendor/graycore/magento2-cors/Test/Integration
39 |       fail-fast: false
40 |     secrets:
41 |       composer_auth: ${{ secrets.COMPOSER_AUTH }}
42 | 


--------------------------------------------------------------------------------
/.github/workflows/release-please.yml:
--------------------------------------------------------------------------------
 1 | name: Create Release
 2 | 
 3 | on:
 4 |   push:
 5 |     branches:
 6 |       - master
 7 | 
 8 | jobs:
 9 |   release-please:
10 |     runs-on: ubuntu-latest
11 |     steps:
12 |       - uses: google-github-actions/release-please-action@v3
13 |         with:
14 |           token: ${{ secrets.GRAYCORE_GITHUB_TOKEN }}
15 |           command: manifest
16 |           default-branch: master
17 | 


--------------------------------------------------------------------------------
/.github/workflows/unit.yaml:
--------------------------------------------------------------------------------
 1 | name: Unit Test
 2 | 
 3 | on:
 4 |   workflow_dispatch: {}
 5 |   schedule:
 6 |     - cron: 0 12 10 * *
 7 |   push:
 8 |     branches:
 9 |     - master
10 |     paths-ignore:
11 |     - "docs/**"
12 |     - package.json
13 |     - package-lock.json
14 |     - "*.md"
15 |   pull_request:
16 |     branches:
17 |     - master
18 |     paths-ignore:
19 |     - "docs/**"
20 |     - package.json
21 |     - package-lock.json
22 |     - "*.md"
23 | 
24 | jobs:
25 |   unit-test:
26 |     strategy:
27 |       matrix:
28 |         php_version:
29 |           - 8.1
30 |           - 8.2
31 |           - 8.3
32 |           - 8.4
33 |     runs-on: ubuntu-latest
34 |     steps:
35 |     - uses: actions/checkout@v4
36 |     - uses: graycoreio/github-actions-magento2/unit-test@main
37 |       with:
38 |         php_version: ${{ matrix.php_version }}
39 |         composer_auth: ${{ secrets.COMPOSER_AUTH }}
40 |         test_command: composer run unit-test


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | /vendor/
2 | node_modules/
3 | composer.lock


--------------------------------------------------------------------------------
/.release-please-manifest.json:
--------------------------------------------------------------------------------
1 | {".":"2.1.1"}
2 | 


--------------------------------------------------------------------------------
/.versionrc.json:
--------------------------------------------------------------------------------
1 | {}


--------------------------------------------------------------------------------
/CHANGELOG.md:
--------------------------------------------------------------------------------
  1 | # Changelog
  2 | 
  3 | All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
  4 | 
  5 | ## [2.1.1](https://github.com/graycoreio/magento2-cors/compare/v2.1.0...v2.1.1) (2025-04-15)
  6 | 
  7 | 
  8 | ### Bug Fixes
  9 | 
 10 | * prevent 500 errors on frontend/admin routes for options requests ([627a211](https://github.com/graycoreio/magento2-cors/commit/627a21190d3636ae32303da738e87182c1536bf6))
 11 | 
 12 | ## [2.1.0](https://github.com/graycoreio/magento2-cors/compare/v2.0.1...v2.1.0) (2024-10-10)
 13 | 
 14 | 
 15 | ### Features
 16 | 
 17 | * **docs:** augment docs for configuring Commerce Cloud ([#87](https://github.com/graycoreio/magento2-cors/issues/87)) ([d9f7f69](https://github.com/graycoreio/magento2-cors/commit/d9f7f69b301ba9bcbfb03bca8d27254a6eb98601))
 18 | 
 19 | ## [2.0.1](https://github.com/graycoreio/magento2-cors/compare/v2.0.0...v2.0.1) (2024-02-07)
 20 | 
 21 | 
 22 | ### Bug Fixes
 23 | 
 24 | * `Access-Control-Expose-Headers` only set on preflight ([#84](https://github.com/graycoreio/magento2-cors/issues/84)) ([f2515c8](https://github.com/graycoreio/magento2-cors/commit/f2515c831641eeb9cc3dbefc082a14706158581b))
 25 | * wrong di.xml configuration - missing noNamespaceSchemaLocation and xmlns:xsi ([#82](https://github.com/graycoreio/magento2-cors/issues/82)) ([104fd5d](https://github.com/graycoreio/magento2-cors/commit/104fd5dcb3a1c00e83a06973719d4aa4683cdcc6))
 26 | 
 27 | ## [2.0.0](https://github.com/graycoreio/magento2-cors/compare/v2.0.0-rc.0...v2.0.0) (2022-10-14)
 28 | 
 29 | 
 30 | ### Bug Fixes
 31 | 
 32 | * add compatability between Laminas\Http and Zend\Http ([#75](https://github.com/graycoreio/magento2-cors/issues/75)) ([b1d4af1](https://github.com/graycoreio/magento2-cors/commit/b1d4af124b1a1a0f3ad19009a0eba5d9d973309f))
 33 | 
 34 | ## [2.0.0-rc.0](https://github.com/graycoreio/magento2-cors/compare/v1.6.0...v2.0.0-rc.0) (2022-06-11)
 35 | 
 36 | 
 37 | ### ⚠ BREAKING CHANGES
 38 | 
 39 | * If you were expecting to use the native GraphQl/REST controller when computing CORS headers (and everything else that entails - like having a Magento session, for example) that guarantee is no-longer provided.
 40 | 
 41 | ### Features
 42 | 
 43 | * **graphql,rest:** add faster CORS headers ([#66](https://github.com/graycoreio/magento2-cors/issues/66)) ([cefd663](https://github.com/graycoreio/magento2-cors/commit/cefd6631d4f2aaf5347875a02d773317480783d5))
 44 | 
 45 | 
 46 | * denote breaking changes ([b98b9bc](https://github.com/graycoreio/magento2-cors/commit/b98b9bcfcefa533f84e85921a9becb5be2a9ff71))
 47 | 
 48 | ## [1.6.0](https://github.com/graycoreio/magento2-cors/compare/v1.4.1...v1.6.0) (2022-06-11)
 49 | 
 50 | 
 51 | ### Features
 52 | 
 53 | * add Magento v2.4.4 and PHP8.1 support ([#70](https://github.com/graycoreio/magento2-cors/issues/70)) ([6e8bfe1](https://github.com/graycoreio/magento2-cors/commit/6e8bfe184e47e602b26c001d986bb296d42c3665))
 54 | * **rest:** extend REST request to allow OPTIONS without error ([#55](https://github.com/graycoreio/magento2-cors/issues/55)) ([eb1df2d](https://github.com/graycoreio/magento2-cors/commit/eb1df2d0c25897897998e8e3f88fcec500a8a3f8))
 55 | 
 56 | ### [1.4.1](https://github.com/graycoreio/magento2-cors/compare/v1.4.0...v1.4.1) (2021-03-04)
 57 | 
 58 | 
 59 | ### Bug Fixes
 60 | 
 61 | * **graphql, rest:** allow caching of options requests ([#53](https://github.com/graycoreio/magento2-cors/issues/53)) ([f6b9b3f](https://github.com/graycoreio/magento2-cors/commit/f6b9b3fbf042d7c551b3993cca8e24a169309748))
 62 | 
 63 | ## [1.4.0](https://github.com/graycoreio/magento2-cors/compare/v1.3.2...v1.4.0) (2021-03-02)
 64 | 
 65 | 
 66 | ### Features
 67 | 
 68 | * **graphql, rest:** add support for access-control-expose-headers ([#49](https://github.com/graycoreio/magento2-cors/issues/49)) ([53aac87](https://github.com/graycoreio/magento2-cors/commit/53aac87f4397352426dc5b8eef720ca22a5594f6))
 69 | * **graphql, rest:** apply certain headers only to preflight requests ([#51](https://github.com/graycoreio/magento2-cors/issues/51)) ([30bcff0](https://github.com/graycoreio/magento2-cors/commit/30bcff0931134e56d0f4d4217bfe84dde1588b00))
 70 | * **graphql,rest:** add support for Vary header with Origin ([#47](https://github.com/graycoreio/magento2-cors/issues/47)) ([e656909](https://github.com/graycoreio/magento2-cors/commit/e65690922063d7e52e0cd6bbed8643dda4a3d061))
 71 | * **validator:** add a new method to determine whether or not a reque… ([#50](https://github.com/graycoreio/magento2-cors/issues/50)) ([8c3ef8b](https://github.com/graycoreio/magento2-cors/commit/8c3ef8b085c79dfd6aad8a6a3a725ade98e9490b))
 72 | 
 73 | ### [1.3.2](https://github.com/graycoreio/magento2-cors/compare/v1.3.1...v1.3.2) (2020-08-10)
 74 | 
 75 | ### [1.3.1](https://github.com/graycoreio/magento2-cors/compare/v1.3.0...v1.3.1) (2020-08-10)
 76 | 
 77 | ## [1.3.0](https://github.com/graycoreio/magento2-cors/compare/v1.2.0...v1.3.0) (2020-05-18)
 78 | 
 79 | 
 80 | ### Bug Fixes
 81 | 
 82 | * **graphql:** prevent fatal error when using Chrome extensions for graphql querying ([#24](https://github.com/graycoreio/magento2-cors/issues/24)) ([486fe10](https://github.com/graycoreio/magento2-cors/commit/486fe10))
 83 | 
 84 | 
 85 | ### Build System
 86 | 
 87 | * **all:** added unit tests to CI ([#18](https://github.com/graycoreio/magento2-cors/issues/18)) ([aade441](https://github.com/graycoreio/magento2-cors/commit/aade441))
 88 | * **all:** adding linting with phpcs ([#16](https://github.com/graycoreio/magento2-cors/issues/16)) ([8753bd2](https://github.com/graycoreio/magento2-cors/commit/8753bd2))
 89 | * **all:** set up CI with Azure Pipelines ([#15](https://github.com/graycoreio/magento2-cors/issues/15)) ([f30b51f](https://github.com/graycoreio/magento2-cors/commit/f30b51f))
 90 | * **ci:** run integration tests in ci ([#21](https://github.com/graycoreio/magento2-cors/issues/21)) ([a79d7f7](https://github.com/graycoreio/magento2-cors/commit/a79d7f7))
 91 | 
 92 | 
 93 | ### Features
 94 | 
 95 | * **cors:** add header provider for Allow-Credentials ([#27](https://github.com/graycoreio/magento2-cors/issues/27)) ([38bf597](https://github.com/graycoreio/magento2-cors/commit/38bf597))
 96 | 
 97 | 
 98 | ### Tests
 99 | 
100 | * **configuration:** added/updated unit tests for config files ([#19](https://github.com/graycoreio/magento2-cors/issues/19)) ([826b68e](https://github.com/graycoreio/magento2-cors/commit/826b68e))
101 | * **integration:** updated integration tests to pass ([#23](https://github.com/graycoreio/magento2-cors/issues/23)) ([89736d7](https://github.com/graycoreio/magento2-cors/commit/89736d7))
102 | 
103 | 
104 | 
105 | ## [1.2.0](https://github.com/graycoreio/magento2-cors/compare/v1.1.0...v1.2.0) (2020-01-20)
106 | 
107 | 
108 | ### Features
109 | 
110 | * **rest:** fixup rest api to handle options requests ([#13](https://github.com/graycoreio/magento2-cors/issues/13)) ([3520b9d](https://github.com/graycoreio/magento2-cors/commit/3520b9d))
111 | 
112 | 
113 | 
114 | ## [1.1.0](https://github.com/graycoreio/magento2-cors/compare/v1.0.0...v1.1.0) (2020-01-17)
115 | 
116 | 
117 | ### Bug Fixes
118 | 
119 | * **graphql:** swap config key name ([#10](https://github.com/graycoreio/magento2-cors/issues/10)) ([2aed35c](https://github.com/graycoreio/magento2-cors/commit/2aed35c))
120 | 
121 | 
122 | ### Features
123 | 
124 | * **rest:** add CORS support for Magento 2 REST APIs ([#11](https://github.com/graycoreio/magento2-cors/issues/11)) ([2342976](https://github.com/graycoreio/magento2-cors/commit/2342976))
125 | * **rest:** allow rest api and graphql apis to be configurable separately ([#12](https://github.com/graycoreio/magento2-cors/issues/12)) ([ff5813e](https://github.com/graycoreio/magento2-cors/commit/ff5813e))
126 | 
127 | 
128 | 
129 | ## 1.0.0 (2019-07-23)
130 | 
131 | 
132 | ### Bug Fixes
133 | 
134 | * **configuration:** remove backtick in di.xml ([3a6549c](https://github.com/graycoreio/magento2-cors/commit/3a6549c))
135 | 
136 | 
137 | ### Features
138 | 
139 | * **cors:** initial package with configuration and validation for CORS headers on the GraphQL api ([493c6ad](https://github.com/graycoreio/magento2-cors/commit/493c6ad))
140 | * **release:** add basic release process ([b09b62b](https://github.com/graycoreio/magento2-cors/commit/b09b62b))
141 | * **security:** enforce security by default, no headers out of the box ([cb3291c](https://github.com/graycoreio/magento2-cors/commit/cb3291c))
142 | 
143 | 
144 | 
145 | ## 1.0.0 (2019-07-23)
146 | 
147 | 
148 | ### Bug Fixes
149 | 
150 | * **configuration:** remove backtick in di.xml ([3a6549c](https://github.com/graycoreio/magento2-cors/commit/3a6549c))
151 | 
152 | 
153 | ### Features
154 | 
155 | * **cors:** initial package with configuration and validation for CORS headers on the GraphQL api ([493c6ad](https://github.com/graycoreio/magento2-cors/commit/493c6ad))
156 | * **release:** add basic release process ([b09b62b](https://github.com/graycoreio/magento2-cors/commit/b09b62b))
157 | * **security:** enforce security by default, no headers out of the box ([cb3291c](https://github.com/graycoreio/magento2-cors/commit/cb3291c))
158 | 


--------------------------------------------------------------------------------
/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
 1 | # Contributor Covenant Code of Conduct
 2 | 
 3 | ## Our Pledge
 4 | 
 5 | In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity and orientation.
 6 | 
 7 | ## Our Standards
 8 | 
 9 | Examples of behavior that contributes to creating a positive environment
10 | include:
11 | 
12 | * Using welcoming and inclusive language
13 | * Being respectful of differing viewpoints and experiences
14 | * Gracefully accepting constructive criticism
15 | * Focusing on what is best for the community
16 | * Showing empathy towards other community members
17 | 
18 | Examples of unacceptable behavior by participants include:
19 | 
20 | * The use of sexualized language or imagery and unwelcome sexual attention or advances
21 | * Trolling, insulting/derogatory comments, and personal or political attacks
22 | * Public or private harassment
23 | * Publishing others' private information, such as a physical or electronic address, without explicit permission
24 | * Other conduct which could reasonably be considered inappropriate in a professional setting
25 | 
26 | ## Our Responsibilities
27 | 
28 | Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
29 | 
30 | Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
31 | 
32 | ## Scope
33 | 
34 | This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.
35 | 
36 | ## Enforcement
37 | 
38 | Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project lead at [damien@graycore.io](mailto:damien@graycore.io). All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.
39 | 
40 | Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
41 | 
42 | ## Attribution
43 | 
44 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
45 | 
46 | [homepage]: https://www.contributor-covenant.org
47 | 


--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
  1 | # Contributing to Magento 2 CORS
  2 | 
  3 | We would love for you to contribute to "Magento 2 CORS" and help make it even better than it is
  4 | today! As a contributor, here are the guidelines we would like you to follow:
  5 | 
  6 |  - [Code of Conduct](#coc)
  7 |  - [Question or Problem?](#question)
  8 |  - [Issues and Bugs](#issue)
  9 |  - [Feature Requests](#feature)
 10 |  - [Submission Guidelines](#submit)
 11 |  - [Coding Rules](#rules)
 12 |  - [Commit Message Guidelines](#commit)
 13 | 
 14 | ## <a name="coc"></a> Code of Conduct
 15 | Help us keep "Magento 2 CORS" open and inclusive. Please read and follow our [Code of Conduct][coc].
 16 | 
 17 | ## <a name="question"></a> Got a Question or Problem?
 18 | 
 19 | Do not open issues for general support questions as we want to keep GitHub issues for bug reports and feature requests. You've got much better chances of getting your question answered on [Stack Overflow](https://stackoverflow.com/questions/tagged/magento2-cors) where the questions should be tagged with tag `magento2-cors`.
 20 | 
 21 | Stack Overflow is a much better place to ask questions since:
 22 | 
 23 | - there are thousands of people willing to help on Stack Overflow
 24 | - questions and answers stay available for public viewing so your question / answer might help someone else
 25 | - Stack Overflow's voting system assures that the best answers are prominently visible.
 26 | 
 27 | To save your and our time, we will systematically close all issues that are requests for general support and redirect people to Stack Overflow.
 28 | 
 29 | If you would like to chat about the question in real-time, you can reach out via [our gitter channel][gitter].
 30 | 
 31 | ## <a name="issue"></a> Found a Bug?
 32 | If you find a bug in the source code, you can help us by
 33 | [submitting an issue](#submit-issue) to our [GitHub Repository][github]. Even better, you can
 34 | [submit a Pull Request](#submit-pr) with a fix.
 35 | 
 36 | ## <a name="feature"></a> Missing a Feature?
 37 | You can *request* a new feature by [submitting an issue](#submit-issue) to our GitHub
 38 | Repository. If you would like to *implement* a new feature, please submit an issue with
 39 | a proposal for your work first, to be sure that we can use it.
 40 | Please consider what kind of change it is:
 41 | 
 42 | * For a **Major Feature**, first open an issue and outline your proposal so that it can be
 43 | discussed. This will also allow us to better coordinate our efforts, prevent duplication of work,
 44 | and help you to craft the change so that it is successfully accepted into the project.
 45 | * **Small Features** can be crafted and directly [submitted as a Pull Request](#submit-pr).
 46 | 
 47 | ## <a name="submit"></a> Submission Guidelines
 48 | 
 49 | ### <a name="submit-issue"></a> Submitting an Issue
 50 | 
 51 | Before you submit an issue, please search the issue tracker, maybe an issue for your problem already exists and the discussion might inform you of workarounds readily available.
 52 | 
 53 | We want to fix all the issues as soon as possible, but before fixing a bug we need to reproduce and confirm it. In order to reproduce bugs, we will systematically ask you to provide a minimal reproduction scenario using http://plnkr.co. Having a live, reproducible scenario gives us a wealth of important information without going back & forth to you with additional questions like:
 54 | 
 55 | - version of "Magento 2 CORS" used
 56 | - 3rd-party libraries and their versions
 57 | - and most importantly - a use-case that fails
 58 | 
 59 | A minimal reproduce scenario using http://plnkr.co/ allows us to quickly confirm a bug (or point out coding problem) as well as confirm that we are fixing the right problem. If plunker is not a suitable way to demonstrate the problem (for example for issues related to our npm packaging), please create a standalone git repository demonstrating the problem.
 60 | 
 61 | We will be insisting on a minimal reproduce scenario in order to save maintainers time and ultimately be able to fix more bugs. Interestingly, from our experience users often find coding problems themselves while preparing a minimal plunk. We understand that sometimes it might be hard to extract essentials bits of code from a larger code-base but we really need to isolate the problem before we can fix it.
 62 | 
 63 | Unfortunately, we are not able to investigate / fix bugs without a minimal reproduction, so if we don't hear back from you we are going to close an issue that doesn't have enough info to be reproduced.
 64 | 
 65 | You can file new issues by filling out our [new issue form](https://github.com/graycoreio/magento2-cors/issues/new).
 66 | 
 67 | 
 68 | ### <a name="submit-pr"></a> Submitting a Pull Request (PR)
 69 | Before you submit your Pull Request (PR) consider the following guidelines:
 70 | 
 71 | 1. Search [GitHub](https://github.com/graycoreio/magento2-cors/pulls) for an open or closed PR
 72 |   that relates to your submission. You don't want to duplicate effort.
 73 | 1. Fork the [graycoreio/magento2-cors](https://github.com/graycoreio/magento2-cors) repo.
 74 | 1. Make your changes in a new git branch:
 75 | 
 76 |      ```shell
 77 |      git checkout -b my-fix-branch master
 78 |      ```
 79 | 
 80 | 1. Create your patch, **including appropriate test cases**.
 81 | 1. Follow our [Coding Rules](#rules).
 82 | 1. Run the full test suite, as described in the [developer documentation][dev-doc],
 83 |   and ensure that all tests pass.
 84 | 1. Commit your changes using a descriptive commit message that follows our
 85 |   [commit message conventions](#commit). Adherence to these conventions
 86 |   is necessary because release notes are automatically generated from these messages.
 87 | 
 88 |      ```shell
 89 |      git commit -a
 90 |      ```
 91 |     Note: the optional commit `-a` command line option will automatically "add" and "rm" edited files.
 92 | 
 93 | 1. Push your branch to GitHub:
 94 | 
 95 |     ```shell
 96 |     git push origin my-fix-branch
 97 |     ```
 98 | 
 99 | 1. In GitHub, send a pull request to `magento2-cors:master`.
100 | * If we suggest changes then:
101 |   * Make the required updates.
102 |   * Re-run the "Magento 2 Cors" test suites to ensure tests are still passing.
103 |   * Rebase your branch and force push to your GitHub repository (this will update your Pull Request):
104 | 
105 |     ```shell
106 |     git rebase master -i
107 |     git push -f
108 |     ```
109 |   * Note: don't squash your branch until after the reviewers comment "lgtm", so they don't need to re-review your entire branch every commit.
110 | 
111 | That's it! Thank you for your contribution!
112 | 
113 | #### After your pull request is merged
114 | 
115 | After your pull request is merged, you can safely delete your branch and pull the changes
116 | from the main (upstream) repository:
117 | 
118 | * Delete the remote branch on GitHub either through the GitHub web UI or your local shell as follows:
119 | 
120 |     ```shell
121 |     git push origin --delete my-fix-branch
122 |     ```
123 | 
124 | * Check out the master branch:
125 | 
126 |     ```shell
127 |     git checkout master -f
128 |     ```
129 | 
130 | * Delete the local branch:
131 | 
132 |     ```shell
133 |     git branch -D my-fix-branch
134 |     ```
135 | 
136 | * Update your master with the latest upstream version:
137 | 
138 |     ```shell
139 |     git pull --ff upstream master
140 |     ```
141 | 
142 | ## <a name="rules"></a> Coding Rules
143 | To ensure consistency throughout the source code, keep these rules in mind as you are working:
144 | 
145 | * All features or bug fixes **must be tested** by one or more specs (unit-tests).
146 | * All public API methods **must be documented**. (Details TBC).
147 | * We follow [Google's JavaScript Style Guide][js-style-guide], but wrap all code at
148 |   **100 characters**. An automated formatter is available, see
149 |   [DEVELOPER.md](docs/DEVELOPER.md#clang-format).
150 | 
151 | ## <a name="commit"></a> Commit Message Guidelines
152 | 
153 | We have very precise rules over how our git commit messages can be formatted.  This leads to **more
154 | readable messages** that are easy to follow when looking through the **project history**.
155 | 
156 | ### Commit Message Format
157 | Each commit message consists of a **header**, a **body** and a **footer**.  The header has a special
158 | format that includes a **type**, a **scope** and a **subject**:
159 | 
160 | ```
161 | <type>(<scope>): <subject>
162 | <BLANK LINE>
163 | <body>
164 | <BLANK LINE>
165 | <footer>
166 | ```
167 | 
168 | The **header** is mandatory and the **scope** of the header is optional.
169 | 
170 | Any line of the commit message cannot be longer 100 characters! This allows the message to be easier
171 | to read on GitHub as well as in various git tools.
172 | 
173 | The footer should contain a [closing reference to an issue](https://help.github.com/articles/closing-issues-via-commit-messages/) if any.
174 | 
175 | Samples: (even more [samples](https://github.com/graycoreio/magento2-cors/commits/master))
176 | 
177 | ```
178 | docs(changelog): update changelog to beta.5
179 | ```
180 | ```
181 | fix(release): need to depend on latest rxjs and zone.js
182 | 
183 | The version in our package.json gets copied to the one we publish, and users need the latest of these.
184 | ```
185 | 
186 | ### Revert
187 | If the commit reverts a previous commit, it should begin with `revert: `, followed by the header of the reverted commit. In the body it should say: `This reverts commit <hash>.`, where the hash is the SHA of the commit being reverted.
188 | 
189 | ### Type
190 | Must be one of the following:
191 | 
192 | * **build**: Changes that affect the build system or external dependencies (example scopes: gulp, broccoli, npm)
193 | * **ci**: Changes to our CI configuration files and scripts (example scopes: Travis)
194 | * **docs**: Documentation only changes
195 | * **feat**: A new feature
196 | * **fix**: A bug fix
197 | * **perf**: A code change that improves performance
198 | * **refactor**: A code change that neither fixes a bug nor adds a feature
199 | * **style**: Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc)
200 | * **test**: Adding missing tests or correcting existing tests
201 | 
202 | ### Scope
203 | The scope should be the name of the npm package affected (as perceived by the person reading the changelog generated from commit messages.
204 | 
205 | The following is the list of supported scopes:
206 | 
207 | * **graphql**
208 | * **rest**
209 | 
210 | ### Subject
211 | The subject contains a succinct description of the change:
212 | 
213 | * use the imperative, present tense: "change" not "changed" nor "changes"
214 | * don't capitalize the first letter
215 | * no dot (.) at the end
216 | 
217 | ### Body
218 | Just as in the **subject**, use the imperative, present tense: "change" not "changed" nor "changes".
219 | The body should include the motivation for the change and contrast this with previous behavior.
220 | 
221 | ### Footer
222 | The footer should contain any information about **Breaking Changes** and is also the place to
223 | reference GitHub issues that this commit **Closes**.
224 | 
225 | **Breaking Changes** should start with the word `BREAKING CHANGE:` with a space or two newlines. The rest of the commit message is then used for this.
226 | 
227 | A detailed explanation can be found in this [document][commit-message-format].
228 | 
229 | 
230 | [coc]: https://github.com/graycoreio/magento2-cors/code-of-conduct/blob/master/CODE_OF_CONDUCT.md
231 | [commit-message-format]: https://docs.google.com/document/d/1QrDFcIiPjSLDn3EL15IJygNPiHORgU1_OOAqWjiDU5Y/edit#
232 | [dev-doc]: https://github.com/graycoreio/magento2-cors/blob/master/docs/DEVELOPER.md
233 | [github]: https://github.com/graycoreio/magento2-cors
234 | [stackoverflow]: http://stackoverflow.com/questions/tagged/magento2-cors


--------------------------------------------------------------------------------
/Configuration/ConfigurationCleaner.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | /**
 4 |  * Copyright © Graycore, LLC. All rights reserved.
 5 |  * See LICENSE.md for details.
 6 |  */
 7 | 
 8 | namespace Graycore\Cors\Configuration;
 9 | 
10 | /**
11 |  * ConfigurationCleaner is responsible processing end-user specified configuration values
12 |  * into values utilizable by the module.
13 |  * @author    Graycore <damien@graycore.io>
14 |  * @copyright Graycore, LLC (https://www.graycore.io/)
15 |  * @license   MIT https://github.com/graycoreio/magento2-cors/license
16 |  * @link      https://github.com/graycoreio/magento2-cors
17 |  */
18 | class ConfigurationCleaner
19 | {
20 | 
21 |     public function processDelimitedString($string, $delimiter = ',')
22 |     {
23 |         if (empty($string)) {
24 |             return [];
25 |         }
26 |         $configuration = explode($delimiter, $string);
27 |         $cleanedConfiguration = [];
28 |         $cleanedConfiguration = array_map(
29 |             function ($item) {
30 |                 return trim($item);
31 |             },
32 |             $configuration
33 |         );
34 | 
35 |         $cleanedConfiguration = array_values(array_filter($cleanedConfiguration, function ($item) {
36 |             return !empty($item) ? true : false;
37 |         }));
38 |         return $cleanedConfiguration;
39 |     }
40 | }
41 | 


--------------------------------------------------------------------------------
/Configuration/CorsConfigurationInterface.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | /**
 3 |  * Copyright © Graycore, LLC. All rights reserved.
 4 |  * See LICENSE.md for details.
 5 |  */
 6 | namespace Graycore\Cors\Configuration;
 7 | 
 8 | /**
 9 |  * CorsConfigurationInterface is a generic interface
10 |  * that describes what types of configuration one would need to
11 |  * implement CORS from a the "Resource" side.
12 |  * @author    Graycore <damien@graycore.io>
13 |  * @copyright Graycore, LLC (https://www.graycore.io/)
14 |  * @license   MIT https://github.com/graycoreio/magento2-cors/license
15 |  * @link      https://github.com/graycoreio/magento2-cors
16 |  */
17 | interface CorsConfigurationInterface
18 | {
19 |     /**
20 |      * @return string[];
21 |      */
22 |     public function getAllowedOrigins(): array;
23 | 
24 |     /**
25 |      * @return string[];
26 |      */
27 |     public function getAllowedHeaders(): array;
28 | 
29 |     /**
30 |      * @return string[];
31 |      */
32 |     public function getAllowedMethods(): array;
33 | 
34 |     /**
35 |      * @return string;
36 |      */
37 |     public function getMaxAge(): ?string;
38 | 
39 |     /**
40 |      * @return bool
41 |      */
42 |     public function getAllowCredentials(): bool;
43 | 
44 |     /**
45 |      * @return string[];
46 |      */
47 |     public function getExposedHeaders(): array;
48 | }
49 | 


--------------------------------------------------------------------------------
/Configuration/GraphQl/CorsConfiguration.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | /**
  3 |  * Copyright © Graycore, LLC. All rights reserved.
  4 |  * See LICENSE.md for details.
  5 |  */
  6 | namespace Graycore\Cors\Configuration\GraphQl;
  7 | 
  8 | use Graycore\Cors\Configuration\ConfigurationCleaner;
  9 | use Graycore\Cors\Configuration\CorsConfigurationInterface;
 10 | use Magento\Framework\App\Config\ScopeConfigInterface;
 11 | 
 12 | /**
 13 |  * CorsConfiguration is responsible for retrieving the Configuration
 14 |  * for the GraphQL Cors settings from the Magento Configuration.
 15 |  * @author    Graycore <damien@graycore.io>
 16 |  * @copyright Graycore, LLC (https://www.graycore.io/)
 17 |  * @license   MIT https://github.com/graycoreio/magento2-cors/license
 18 |  * @link      https://github.com/graycoreio/magento2-cors
 19 |  */
 20 | class CorsConfiguration implements CorsConfigurationInterface
 21 | {
 22 |     const XML_PATH_GRAPHQL_CORS_ORIGINS = 'web/graphql/cors_allowed_origins';
 23 | 
 24 |     const XML_PATH_GRAPHQL_CORS_METHODS = 'web/graphql/cors_allowed_methods';
 25 | 
 26 |     const XML_PATH_GRAPHQL_CORS_HEADERS = 'web/graphql/cors_allowed_headers';
 27 | 
 28 |     const XML_PATH_GRAPHQL_CORS_MAX_AGE = 'web/graphql/cors_max_age';
 29 | 
 30 |     const XML_PATH_GRAPHQL_CORS_EXPOSE_HEADERS = 'web/graphql/cors_expose_headers';
 31 | 
 32 |     const XML_PATH_GRAPHQL_CORS_CREDENTIALS = 'web/graphql/cors_allow_credentials';
 33 | 
 34 |     /** @var ScopeConfigInterface */
 35 |     private $scopeConfig;
 36 | 
 37 |     /** @var ConfigurationCleaner */
 38 |     private $cleaner;
 39 | 
 40 |     /**
 41 |      * CorsAllowHeadersHeaderProvider constructor.
 42 |      *
 43 |      * @param ScopeConfigInterface $scopeConfig
 44 |      */
 45 |     public function __construct(ScopeConfigInterface $scopeConfig)
 46 |     {
 47 |         $this->cleaner = new ConfigurationCleaner();
 48 |         $this->scopeConfig = $scopeConfig;
 49 |     }
 50 | 
 51 |     /**
 52 |      * Takes the configuration for Cors Origins
 53 |      * and parses it into an array of allowed origins
 54 |      * @return array
 55 |      */
 56 |     public function getAllowedOrigins(): array
 57 |     {
 58 |         return $this->cleaner->processDelimitedString(
 59 |             $this->scopeConfig->getValue(self::XML_PATH_GRAPHQL_CORS_ORIGINS)
 60 |         );
 61 |     }
 62 | 
 63 |     /**
 64 |      * Retrieves the allowed CORS headers from configuration
 65 |      * @return string;
 66 |      */
 67 |     public function getAllowedHeaders(): array
 68 |     {
 69 |         return $this->cleaner->processDelimitedString(
 70 |             $this->scopeConfig->getValue(self::XML_PATH_GRAPHQL_CORS_HEADERS)
 71 |         );
 72 |     }
 73 | 
 74 |     /**
 75 |      * @return string[];
 76 |      */
 77 |     public function getAllowedMethods(): array
 78 |     {
 79 |         return $this->cleaner->processDelimitedString(
 80 |             $this->scopeConfig->getValue(self::XML_PATH_GRAPHQL_CORS_METHODS)
 81 |         );
 82 |     }
 83 | 
 84 |     /**
 85 |      * @return string;
 86 |      */
 87 |     public function getMaxAge(): string
 88 |     {
 89 |         return $this->scopeConfig->getValue(self::XML_PATH_GRAPHQL_CORS_MAX_AGE);
 90 |     }
 91 | 
 92 |     /**
 93 |      * @return bool
 94 |      */
 95 |     public function getAllowCredentials(): bool
 96 |     {
 97 |         return $this->scopeConfig->isSetFlag(self::XML_PATH_GRAPHQL_CORS_CREDENTIALS);
 98 |     }
 99 | 
100 |     /**
101 |      * @return string[];
102 |      */
103 |     public function getExposedHeaders(): array
104 |     {
105 |         return $this->cleaner->processDelimitedString(
106 |             $this->scopeConfig->getValue(self::XML_PATH_GRAPHQL_CORS_EXPOSE_HEADERS)
107 |         );
108 |     }
109 | }
110 | 


--------------------------------------------------------------------------------
/Configuration/Rest/CorsConfiguration.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | 
  3 | /**
  4 |  * Copyright © Graycore, LLC. All rights reserved.
  5 |  * See LICENSE.md for details.
  6 |  */
  7 | 
  8 | namespace Graycore\Cors\Configuration\Rest;
  9 | 
 10 | use Graycore\Cors\Configuration\ConfigurationCleaner;
 11 | use Graycore\Cors\Configuration\CorsConfigurationInterface;
 12 | use Magento\Framework\App\Config\ScopeConfigInterface;
 13 | 
 14 | /**
 15 |  * CorsConfiguration is responsible for retrieving the Configuration
 16 |  * for the WebApi REST CORS settings from the Magento Configuration.
 17 |  * @author    Graycore <damien@graycore.io>
 18 |  * @copyright Graycore, LLC (https://www.graycore.io/)
 19 |  * @license   MIT https://github.com/graycoreio/magento2-cors/license
 20 |  * @link      https://github.com/graycoreio/magento2-cors
 21 |  */
 22 | class CorsConfiguration implements CorsConfigurationInterface
 23 | {
 24 |     const XML_PATH_WEBAPI_REST_CORS_ORIGINS = 'web/api_rest/cors_allowed_origins';
 25 | 
 26 |     const XML_PATH_WEBAPI_REST_CORS_METHODS = 'web/api_rest/cors_allowed_methods';
 27 | 
 28 |     const XML_PATH_WEBAPI_REST_CORS_HEADERS = 'web/api_rest/cors_allowed_headers';
 29 | 
 30 |     const XML_PATH_WEBAPI_REST_CORS_MAX_AGE = 'web/api_rest/cors_max_age';
 31 | 
 32 |     const XML_PATH_WEBAPI_REST_CORS_EXPOSE_HEADERS = 'web/api_rest/cors_expose_headers';
 33 | 
 34 |     const XML_PATH_REST_CORS_CREDENTIALS = 'web/api_rest/cors_allow_credentials';
 35 | 
 36 |     /** @var ConfigurationCleaner */
 37 |     private $cleaner;
 38 | 
 39 |     /** @var ScopeConfigInterface */
 40 |     private $scopeConfig;
 41 | 
 42 |     /**
 43 |      * CorsAllowHeadersHeaderProvider constructor.
 44 |      *
 45 |      * @param ScopeConfigInterface $scopeConfig
 46 |      */
 47 |     public function __construct(ScopeConfigInterface $scopeConfig)
 48 |     {
 49 |         $this->cleaner = new ConfigurationCleaner();
 50 |         $this->scopeConfig = $scopeConfig;
 51 |     }
 52 | 
 53 |     /**
 54 |      * Takes the configuration for Cors Origins
 55 |      * and parses it into an array of allowed origins
 56 |      * @return array
 57 |      */
 58 |     public function getAllowedOrigins(): array
 59 |     {
 60 |         return $this->cleaner->processDelimitedString(
 61 |             $this->scopeConfig->getValue(self::XML_PATH_WEBAPI_REST_CORS_ORIGINS)
 62 |         );
 63 |     }
 64 | 
 65 |     /**
 66 |      * Retrieves the allowed CORS headers from configuration
 67 |      * @return string;
 68 |      */
 69 |     public function getAllowedHeaders(): array
 70 |     {
 71 |         return $this->cleaner->processDelimitedString(
 72 |             $this->scopeConfig->getValue(self::XML_PATH_WEBAPI_REST_CORS_HEADERS)
 73 |         );
 74 |     }
 75 | 
 76 |     /**
 77 |      * @return string[];
 78 |      */
 79 |     public function getAllowedMethods(): array
 80 |     {
 81 |         return $this->cleaner->processDelimitedString(
 82 |             $this->scopeConfig->getValue(self::XML_PATH_WEBAPI_REST_CORS_METHODS)
 83 |         );
 84 |     }
 85 | 
 86 |     /**
 87 |      * @return string;
 88 |      */
 89 |     public function getMaxAge(): string
 90 |     {
 91 |         return $this->scopeConfig->getValue(self::XML_PATH_WEBAPI_REST_CORS_MAX_AGE);
 92 |     }
 93 | 
 94 |     /**
 95 |      * @return bool
 96 |      */
 97 |     public function getAllowCredentials(): bool
 98 |     {
 99 |         return $this->scopeConfig->isSetFlag(self::XML_PATH_REST_CORS_CREDENTIALS);
100 |     }
101 | 
102 |     /**
103 |      * @return string[];
104 |      */
105 |     public function getExposedHeaders(): array
106 |     {
107 |         return $this->cleaner->processDelimitedString(
108 |             $this->scopeConfig->getValue(self::XML_PATH_WEBAPI_REST_CORS_EXPOSE_HEADERS)
109 |         );
110 |     }
111 | }
112 | 


--------------------------------------------------------------------------------
/Controller/NoopController.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | namespace Graycore\Cors\Controller;
 4 | 
 5 | use Graycore\Cors\Response\HeaderManager;
 6 | use Magento\Framework\App\RequestInterface;
 7 | use Magento\Framework\App\ResponseInterface;
 8 | use Magento\Framework\App\Response\Http as ResponseHttp;
 9 | 
10 | class NoopController
11 | {
12 | 
13 |     /**
14 |      * @var HeaderManager
15 |      */
16 |     private $_headerManager;
17 | 
18 |     /**
19 |      * @var ResponseHttp
20 |      */
21 |     private $_response;
22 | 
23 |     public function __construct(
24 |         HeaderManager $headerManager,
25 |         ResponseHttp $response
26 |     ) {
27 |         $this->_headerManager = $headerManager;
28 |         $this->_response = $response;
29 |     }
30 | 
31 |     /**
32 |      * Dispatch application action
33 |      *
34 |      * @param RequestInterface $request
35 |      * @return ResponseInterface
36 |      */
37 |     public function dispatch(RequestInterface $request)
38 |     {
39 |         $this->_headerManager->applyHeaders($this->_response);
40 |         return $this->_response;
41 |     }
42 | }
43 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2018 - 2020 Graycore, LLC
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/Plugin/FastLauncher.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | namespace Graycore\Cors\Plugin;
 4 | 
 5 | use Magento\Framework\App\Area;
 6 | use Magento\Framework\App\AreaList;
 7 | use Magento\Framework\App\State;
 8 | use Magento\Framework\ObjectManager\ConfigLoaderInterface;
 9 | use Magento\Framework\ObjectManagerInterface;
10 | use Magento\Framework\App\Request\Http as RequestHttp;
11 | 
12 | class FastLauncher
13 | {
14 |     /**
15 |      * @var ObjectManagerInterface
16 |      */
17 |     private $_objectManager;
18 | 
19 |     /**
20 |      * @var AreaList
21 |      */
22 |     private $_areaList;
23 | 
24 |     /**
25 |      * @var ConfigLoaderInterface
26 |      */
27 |     private $_configLoader;
28 | 
29 |     /**
30 |      * @var State
31 |      */
32 |     private $_state;
33 | 
34 |     /**
35 |      * @var RequestHttp
36 |      */
37 |     private $_request;
38 | 
39 |     /**
40 |      * @param ObjectManagerInterface $objectManager
41 |      * @param AreaList $areaList
42 |      * @param RequestHttp $request
43 |      * @param ConfigLoaderInterface $configLoader
44 |      * @param State $state
45 |      */
46 |     public function __construct(
47 |         ObjectManagerInterface $objectManager,
48 |         AreaList $areaList,
49 |         RequestHttp $request,
50 |         ConfigLoaderInterface $configLoader,
51 |         State $state
52 |     ) {
53 |         $this->_objectManager = $objectManager;
54 |         $this->_areaList = $areaList;
55 |         $this->_configLoader = $configLoader;
56 |         $this->_state = $state;
57 |         $this->_request = $request;
58 |     }
59 | 
60 |     public function aroundLaunch(\Magento\Framework\AppInterface $subject, callable $proceed)
61 |     {
62 |         if ($this->_request->getMethod() === RequestHttp::METHOD_OPTIONS) {
63 |             $areaCode = $this->_areaList->getCodeByFrontName($this->_request->getFrontName());
64 |             if(
65 |                     $areaCode !== Area::AREA_WEBAPI_REST &&
66 |                     $areaCode !== Area::AREA_GRAPHQL
67 |             ) {
68 |                 return $proceed();
69 |             }
70 |             $this->_state->setAreaCode($areaCode);
71 |             $this->_objectManager->configure($this->_configLoader->load($areaCode));
72 |             /** @var \Graycore\Cors\Controller\NoopController::class */
73 |             $controller = $this->_objectManager->get(\Graycore\Cors\Controller\NoopController::class);
74 |             $response = $controller->dispatch($this->_request);
75 |             return $response;
76 |         };
77 | 
78 |         return $proceed();
79 |     }
80 | }
81 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Magento 2 CORS
 2 | 
 3 | <div align="center">
 4 | 
 5 | [![Packagist Downloads](https://img.shields.io/packagist/dm/graycore/magento2-cors?color=blue)](https://packagist.org/packages/graycore/magento2-cors/stats)
 6 | [![Packagist Version](https://img.shields.io/packagist/v/graycore/magento2-cors?color=blue)](https://packagist.org/packages/graycore/magento2-cors)
 7 | [![Packagist License](https://img.shields.io/packagist/l/graycore/magento2-cors)](https://github.com/graycoreio/magento2-cors/blob/master/LICENSE)
 8 | [![Unit Test](https://github.com/graycoreio/magento2-cors/actions/workflows/unit.yaml/badge.svg)](https://github.com/graycoreio/magento2-cors/actions/workflows/unit.yaml)
 9 | [![Integration Test](https://github.com/graycoreio/magento2-cors/actions/workflows/integration.yaml/badge.svg)](https://github.com/graycoreio/magento2-cors/actions/workflows/integration.yaml)
10 | [![Installation Test](https://github.com/graycoreio/magento2-cors/actions/workflows/install.yaml/badge.svg)](https://github.com/graycoreio/magento2-cors/actions/workflows/install.yaml)
11 | 
12 | </div>
13 | 
14 | 
15 | ## Magento Version Support
16 | ![Magento v2.3 Supported](https://img.shields.io/badge/Magento-2.3-brightgreen.svg?labelColor=2f2b2f&logo=magento&logoColor=f26724&color=464246&longCache=true&style=flat)
17 | ![Magento v2.4 Supported](https://img.shields.io/badge/Magento-2.4-brightgreen.svg?labelColor=2f2b2f&logo=magento&logoColor=f26724&color=464246&longCache=true&style=flat)
18 | 
19 | Ever try to work with the Magento GraphQL API or REST API from your browser and see the following?
20 | 
21 | ```txt
22 | Access to XMLHttpRequest at 'https://my.magento.app' from origin 'http://my.webapp.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
23 | ```
24 | 
25 | This package allows you to securely add the necessary CORS headers to the Magento 2 GraphQL or REST APIs with ease.
26 | 
27 | ## Purpose
28 | When building a headless application for Magento, or working with a client that respects the CORS protocol, you will need [CORS headers](https://fetch.spec.whatwg.org/#http-cors-protocol) on your backend resource.
29 | 
30 | This package will add configurable CORS Resource headers to the Magento 2 GraphQL or REST APIs, allowing you to access the GraphQL or REST APIs from your browser.
31 | 
32 | ## Getting Started
33 | This module is intended to be installed with [composer](https://getcomposer.org/). From the root of your Magento 2 project:
34 | 
35 | 1. Download the package
36 | ```bash
37 | composer require graycore/magento2-cors
38 | ```
39 | 2. [Configure the package](/docs/stories/configuring-the-headers.md)
40 | 3. Enable the package
41 | 
42 | ```bash
43 | ./bin/magento module:enable Graycore_Cors
44 | ```
45 | 
46 | ## Features
47 | * [Configurable](./docs/stories/configuring-the-headers.md)
48 | * [Respects the full CORS Protocol](https://fetch.spec.whatwg.org/#http-cors-protocol)
49 |     * `Access-Control-Allow-Origin`
50 |     * `Access-Control-Allow-Methods`
51 |     * `Access-Control-Allow-Headers`
52 |     * `Access-Control-Max-Age`
53 |     * `Access-Control-Expose-Headers`
54 |     * `Access-Control-Allow-Credentials`
55 | 
56 | * [Security By Default](./docs/stories/security.md#security-by-default)
57 | * [Vary: Origin](https://fetch.spec.whatwg.org/#cors-protocol-and-http-caches)
58 | ## Helpful Links
59 | * [FAQ](./docs/faq/faqs.md)
60 |     * [Can I configure this from the admin panel?](./docs/faq/faqs.md#can-i-configure-this-from-the-admin-panel)
61 | 
62 | ## Upgrading
63 | * [Semver Policy](https://semver.org/)
64 | * [Guide](./docs/upgrading/guide.md)
65 | 


--------------------------------------------------------------------------------
/Request/RestRequest.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | /**
 4 |  * @copyright Copyright 2017 SplashLab
 5 |  */
 6 | /**
 7 |  * Copyright © Graycore, LLC. All rights reserved.
 8 |  * See LICENSE.md for details.
 9 |  */
10 | 
11 | namespace Graycore\Cors\Request;
12 | 
13 | use Magento\Framework\Webapi\Request;
14 | use Magento\Framework\Exception\InputException;
15 | 
16 | class RestRequest
17 | {
18 |     /**
19 |      * Triggers before original dispatch
20 |      *
21 |      * @param  Request $subject
22 |      * @return void
23 |      * @throws InputException
24 |      */
25 |     public function aroundGetHttpMethod(
26 |         Request $subject
27 |     ) {
28 |         if (!$subject->isGet()
29 |             && !$subject->isPost()
30 |             && !$subject->isPut()
31 |             && !$subject->isDelete()
32 |             && !$subject->isOptions()
33 |         ) {
34 |             throw new InputException(__('Request method is invalid.'));
35 |         }
36 |         return $subject->getMethod();
37 |     }
38 | }
39 | 


--------------------------------------------------------------------------------
/Response/HeaderManager.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | /**
 3 |  * Copyright © Graycore, LLC. All rights reserved.
 4 |  * See LICENSE.md for details.
 5 |  */
 6 | namespace Graycore\Cors\Response;
 7 | 
 8 | use Magento\Framework\App\Response\HeaderProvider\HeaderProviderInterface;
 9 | use Magento\Framework\Exception\LocalizedException;
10 | use Magento\Framework\Phrase;
11 | 
12 | /**
13 |  * CorsAllowHeadersHeaderProvider is responsible for adding the header
14 |  * Access-Control-Allow-Headers to a response.
15 |  * @author    Graycore <damien@graycore.io>
16 |  * @copyright Graycore, LLC (https://www.graycore.io/)
17 |  * @license   MIT https://github.com/graycoreio/magento2-cors/license
18 |  * @link      https://github.com/graycoreio/magento2-cors
19 |  */
20 | class HeaderManager
21 | {
22 |     /**
23 |      * @var HeaderProviderInterface[]
24 |      */
25 |     private $headerProviders;
26 | 
27 |     /**
28 |      * @param HeaderProviderInterface[] $headerProviderList
29 |      * @throws LocalizedException In case one of the header providers is invalid
30 |      */
31 |     public function __construct($headerProviderList)
32 |     {
33 |         foreach ($headerProviderList as $header) {
34 |             if (!($header instanceof HeaderProviderInterface)) {
35 |                 throw new LocalizedException(new Phrase('The header provider is invalid. Verify and try again.'));
36 |             }
37 |         }
38 |         $this->headerProviders = $headerProviderList;
39 |     }
40 | 
41 |      /**
42 |       * @param \Magento\Framework\App\Response\HttpInterface $response
43 |       * @return void
44 |       */
45 |     public function applyHeaders(\Magento\Framework\App\Response\HttpInterface $response)
46 |     {
47 |         foreach ($this->headerProviders as $provider) {
48 |             if ($provider->canApply()) {
49 |                 $response->setHeader($provider->getName(), $provider->getValue());
50 |             }
51 |         }
52 |         return $response;
53 |     }
54 | 
55 |     /**
56 |      * @param \Magento\Framework\App\Response\HttpInterface $subject
57 |      * @return void
58 |      * @codeCoverageIgnore
59 |      */
60 |     public function beforeSendResponse(\Magento\Framework\App\Response\HttpInterface $subject)
61 |     {
62 |         $this->applyHeaders($subject);
63 |     }
64 | }
65 | 


--------------------------------------------------------------------------------
/Response/HeaderProvider/CorsAllowCredentialsHeaderProvider.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | /**
 3 |  * Copyright © Graycore, LLC. All rights reserved.
 4 |  * See LICENSE.md for details.
 5 |  */
 6 | namespace Graycore\Cors\Response\HeaderProvider;
 7 | 
 8 | use Graycore\Cors\Configuration\CorsConfigurationInterface;
 9 | use Graycore\Cors\Validator\CorsValidatorInterface;
10 | use Magento\Framework\App\Response\HeaderProvider\AbstractHeaderProvider;
11 | use Magento\Framework\App\Response\HeaderProvider\HeaderProviderInterface;
12 | 
13 | /**
14 |  * CorsAllowCredentialsHeaderProvider is responsible for adding the header
15 |  * Access-Control-Allow-Credentials to a response.
16 |  * @author    Matthew O'Loughlin <matthew@aligent.com.au>
17 |  * @copyright Graycore, LLC (https://www.graycore.io/)
18 |  * @license   MIT https://github.com/graycoreio/magento2-cors/license
19 |  * @link      https://github.com/graycoreio/magento2-cors
20 |  */
21 | class CorsAllowCredentialsHeaderProvider extends AbstractHeaderProvider implements HeaderProviderInterface
22 | {
23 |     /**
24 |      * @var string
25 |      */
26 |     protected $headerName = 'Access-Control-Allow-Credentials';
27 | 
28 |     /** @var CorsConfigurationInterface */
29 |     protected $configuration;
30 | 
31 |     /** @var CorsValidatorInterface */
32 |     protected $validator;
33 | 
34 |     /**
35 |      * CorsAllowHeadersHeaderProvider constructor.
36 |      *
37 |      * @param CorsConfigurationInterface $configuration
38 |      * @param CorsValidatorInterface $validator
39 |      */
40 |     public function __construct(CorsConfigurationInterface $configuration, CorsValidatorInterface $validator)
41 |     {
42 |         $this->configuration = $configuration;
43 |         $this->validator = $validator;
44 |     }
45 | 
46 |     public function getValue()
47 |     {
48 |         return "true";
49 |     }
50 | 
51 |     public function canApply()
52 |     {
53 |         return $this->validator->originIsValid() && $this->configuration->getAllowCredentials();
54 |     }
55 | }
56 | 


--------------------------------------------------------------------------------
/Response/HeaderProvider/CorsAllowHeadersHeaderProvider.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | /**
 3 |  * Copyright © Graycore, LLC. All rights reserved.
 4 |  * See LICENSE.md for details.
 5 |  */
 6 | namespace Graycore\Cors\Response\HeaderProvider;
 7 | 
 8 | use Graycore\Cors\Configuration\CorsConfigurationInterface;
 9 | use Graycore\Cors\Validator\CorsValidatorInterface;
10 | use Magento\Framework\App\Response\HeaderProvider\AbstractHeaderProvider;
11 | use Magento\Framework\App\Response\HeaderProvider\HeaderProviderInterface;
12 | 
13 | /**
14 |  * CorsAllowHeadersHeaderProvider is responsible for adding the header
15 |  * Access-Control-Allow-Headers to a response.
16 |  * @author    Graycore <damien@graycore.io>
17 |  * @copyright Graycore, LLC (https://www.graycore.io/)
18 |  * @license   MIT https://github.com/graycoreio/magento2-cors/license
19 |  * @link      https://github.com/graycoreio/magento2-cors
20 |  */
21 | class CorsAllowHeadersHeaderProvider extends AbstractHeaderProvider implements HeaderProviderInterface
22 | {
23 |     /**
24 |      * @var string
25 |      */
26 |     protected $headerName = 'Access-Control-Allow-Headers';
27 | 
28 |     /**
29 |      * @var string
30 |      */
31 |     protected $headerValue = '';
32 | 
33 |     /** @var CorsConfigurationInterface */
34 |     protected $configuration;
35 | 
36 |     /** @var CorsValidatorInterface */
37 |     protected $validator;
38 | 
39 |     /**
40 |      * CorsAllowHeadersHeaderProvider constructor.
41 |      *
42 |      * @param CorsConfigurationInterface $configuration
43 |      * @param CorsValidatorInterface $validator
44 |      */
45 |     public function __construct(CorsConfigurationInterface $configuration, CorsValidatorInterface $validator)
46 |     {
47 |         $this->configuration = $configuration;
48 |         $this->validator = $validator;
49 |     }
50 | 
51 |     public function getValue()
52 |     {
53 |         return $this->configuration->getAllowedHeaders()
54 |         ? implode(',', $this->configuration->getAllowedHeaders())
55 |         : $this->headerValue;
56 |     }
57 | 
58 |     public function canApply()
59 |     {
60 |         return $this->validator->isPreflightRequest() && $this->validator->originIsValid() && $this->getValue();
61 |     }
62 | }
63 | 


--------------------------------------------------------------------------------
/Response/HeaderProvider/CorsAllowMethodsHeaderProvider.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | /**
 3 |  * Copyright © Graycore, LLC. All rights reserved.
 4 |  * See LICENSE.md for details.
 5 |  */
 6 | namespace Graycore\Cors\Response\HeaderProvider;
 7 | 
 8 | use Graycore\Cors\Configuration\CorsConfigurationInterface;
 9 | use Graycore\Cors\Validator\CorsValidatorInterface;
10 | use Magento\Framework\App\Response\HeaderProvider\AbstractHeaderProvider;
11 | use Magento\Framework\App\Response\HeaderProvider\HeaderProviderInterface;
12 | 
13 | /**
14 |  * CorsAllowMethodsHeaderProvider is responsible for adding the header
15 |  * Access-Control-Allow-Methods to a response.
16 |  * @author    Graycore <damien@graycore.io>
17 |  * @copyright Graycore, LLC (https://www.graycore.io/)
18 |  * @license   MIT https://github.com/graycoreio/magento2-cors/license
19 |  * @link      https://github.com/graycoreio/magento2-cors
20 |  */
21 | class CorsAllowMethodsHeaderProvider extends AbstractHeaderProvider implements HeaderProviderInterface
22 | {
23 |     /**
24 |      * @var string
25 |      */
26 |     protected $headerName = 'Access-Control-Allow-Methods';
27 | 
28 |     /**
29 |      * @var string
30 |      */
31 |     protected $headerValue = 'GET,POST,OPTIONS';
32 | 
33 |     /** @var CorsConfigurationInterface */
34 |     protected $configuration;
35 | 
36 |     /** @var CorsValidatorInterface */
37 |     protected $validator;
38 | 
39 |     /**
40 |      * CorsAllowMethodsHeaderProvider constructor.
41 |      *
42 |      * @param CorsConfigurationInterface $configuration
43 |      * @param CorsValidatorInterface $validator
44 |      **/
45 |     public function __construct(CorsConfigurationInterface $configuration, CorsValidatorInterface $validator)
46 |     {
47 |         $this->configuration = $configuration;
48 |         $this->validator = $validator;
49 |     }
50 | 
51 |     public function getValue()
52 |     {
53 |         return $this->configuration->getAllowedMethods()
54 |         ? implode(',', $this->configuration->getAllowedMethods())
55 |         : $this->headerValue;
56 |     }
57 | 
58 |     public function canApply()
59 |     {
60 |         return $this->validator->isPreflightRequest() && $this->validator->originIsValid() && $this->getValue();
61 |     }
62 | }
63 | 


--------------------------------------------------------------------------------
/Response/HeaderProvider/CorsAllowOriginHeaderProvider.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | /**
 3 |  * Copyright © Graycore, LLC. All rights reserved.
 4 |  * See LICENSE.md for details.
 5 |  */
 6 | namespace Graycore\Cors\Response\HeaderProvider;
 7 | 
 8 | use Graycore\Cors\Configuration\CorsConfigurationInterface;
 9 | use Graycore\Cors\Validator\CorsValidatorInterface;
10 | use Magento\Framework\App\RequestInterface;
11 | use Magento\Framework\App\Request\Http;
12 | use Magento\Framework\App\Response\HeaderProvider\AbstractHeaderProvider;
13 | use Magento\Framework\App\Response\HeaderProvider\HeaderProviderInterface;
14 | 
15 | /**
16 |  * CorsAllowOriginHeaderProvider is responsible for adding the header
17 |  * Access-Control-Allow-Origin to a response.
18 |  * @author    Graycore <damien@graycore.io>
19 |  * @copyright Graycore, LLC (https://www.graycore.io/)
20 |  * @license   MIT https://github.com/graycoreio/magento2-cors/license
21 |  * @link      https://github.com/graycoreio/magento2-cors
22 |  */
23 | class CorsAllowOriginHeaderProvider extends AbstractHeaderProvider implements HeaderProviderInterface
24 | {
25 |     /**
26 |      * @var string
27 |      */
28 |     protected $headerName = 'Access-Control-Allow-Origin';
29 | 
30 |     /**
31 |      * @var string
32 |      */
33 |     protected $headerValue = '';
34 | 
35 |     /** @var CorsValidatorInterface */
36 |     protected $validator;
37 | 
38 |     /** @var CorsConfigurationInterface */
39 |     protected $configuration;
40 | 
41 |     /** @var Http */
42 |     protected $request;
43 | 
44 |     /**
45 |      * CorsAllowMethodsHeaderProvider constructor.
46 |      *
47 |      * @param CorsValidatorInterface $validator
48 |      * @param CorsConfigurationInterface $configuration
49 |      * @param RequestInterface $request
50 |      */
51 |     public function __construct(
52 |         CorsValidatorInterface $validator,
53 |         CorsConfigurationInterface $configuration,
54 |         RequestInterface $request
55 |     ) {
56 |         $this->validator = $validator;
57 |         $this->configuration = $configuration;
58 |         $this->request = $request;
59 |     }
60 | 
61 |     private function allowedOriginIsWildcard()
62 |     {
63 |         return in_array('*', $this->configuration->getAllowedOrigins());
64 |     }
65 | 
66 |     public function canApply()
67 |     {
68 |         return $this->validator->originIsValid() && $this->getValue();
69 |     }
70 | 
71 |     public function getValue()
72 |     {
73 |         if ($this->configuration->getAllowCredentials() && $this->allowedOriginIsWildcard()) {
74 |             return $this->request->getHeader('Origin');
75 |         }
76 | 
77 |         return $this->allowedOriginIsWildcard() ? '*' : $this->request->getHeader('Origin');
78 |     }
79 | }
80 | 


--------------------------------------------------------------------------------
/Response/HeaderProvider/CorsExposeHeadersProvider.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | /**
 3 |  * Copyright © Graycore, LLC. All rights reserved.
 4 |  * See LICENSE.md for details.
 5 |  */
 6 | namespace Graycore\Cors\Response\HeaderProvider;
 7 | 
 8 | use Graycore\Cors\Configuration\CorsConfigurationInterface;
 9 | use Graycore\Cors\Validator\CorsValidatorInterface;
10 | use Magento\Framework\App\Response\HeaderProvider\AbstractHeaderProvider;
11 | use Magento\Framework\App\Response\HeaderProvider\HeaderProviderInterface;
12 | 
13 | /**
14 |  * CorsExposeHeadersProvider is responsible for adding the header
15 |  * Access-Control-Expose-Headers to a response.
16 |  * @author    Graycore <damien@graycore.io>
17 |  * @copyright Graycore, LLC (https://www.graycore.io/)
18 |  * @license   MIT https://github.com/graycoreio/magento2-cors/license
19 |  * @link      https://github.com/graycoreio/magento2-cors
20 |  */
21 | class CorsExposeHeadersProvider extends AbstractHeaderProvider implements HeaderProviderInterface
22 | {
23 |     /**
24 |      * @var string
25 |      */
26 |     protected $headerName = 'Access-Control-Expose-Headers';
27 | 
28 |     /**
29 |      * @var string
30 |      */
31 |     protected $headerValue = '';
32 | 
33 |     /** @var CorsConfigurationInterface */
34 |     protected $configuration;
35 | 
36 |     /** @var CorsValidatorInterface */
37 |     protected $validator;
38 | 
39 |     /**
40 |      * CorsAllowMethodsHeaderProvider constructor.
41 |      *
42 |      * @param CorsConfigurationInterface $configuration
43 |      * @param CorsValidatorInterface $validator
44 |      **/
45 |     public function __construct(CorsConfigurationInterface $configuration, CorsValidatorInterface $validator)
46 |     {
47 |         $this->configuration = $configuration;
48 |         $this->validator = $validator;
49 |     }
50 | 
51 |     public function getValue()
52 |     {
53 |         return $this->configuration->getExposedHeaders()
54 |         ? implode(',', $this->configuration->getExposedHeaders())
55 |         : $this->headerValue;
56 |     }
57 | 
58 |     public function canApply(): bool
59 |     {
60 |         return !$this->validator->isPreflightRequest() && $this->validator->originIsValid() && $this->getValue();
61 |     }
62 | }
63 | 


--------------------------------------------------------------------------------
/Response/HeaderProvider/CorsMaxAgeHeaderProvider.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | /**
 3 |  * Copyright © Graycore, LLC. All rights reserved.
 4 |  * See LICENSE.md for details.
 5 |  */
 6 | namespace Graycore\Cors\Response\HeaderProvider;
 7 | 
 8 | use Graycore\Cors\Configuration\CorsConfigurationInterface;
 9 | use Graycore\Cors\Validator\CorsValidatorInterface;
10 | use Magento\Framework\App\Response\HeaderProvider\AbstractHeaderProvider;
11 | use Magento\Framework\App\Response\HeaderProvider\HeaderProviderInterface;
12 | 
13 | /**
14 |  * CorsAllowOriginHeaderProvider is responsible for adding the header
15 |  * Access-Control-Max-Age to a response.
16 |  * @author    Graycore <damien@graycore.io>
17 |  * @copyright Graycore, LLC (https://www.graycore.io/)
18 |  * @license   MIT https://github.com/graycoreio/magento2-cors/license
19 |  * @link      https://github.com/graycoreio/magento2-cors
20 |  */
21 | class CorsMaxAgeHeaderProvider extends AbstractHeaderProvider implements HeaderProviderInterface
22 | {
23 |     /**
24 |      * @var string
25 |      */
26 |     protected $headerName = 'Access-Control-Max-Age';
27 | 
28 |     /**
29 |      * @var string
30 |      */
31 |     protected $headerValue = '86400';
32 | 
33 |     /** @var CorsConfigurationInterface */
34 |     protected $configuration;
35 | 
36 |     /** @var CorsValidatorInterface */
37 |     protected $validator;
38 | 
39 |     /**
40 |      * CorsAllowMethodsHeaderProvider constructor.
41 |      *
42 |      * @param CorsConfigurationInterface $configuration
43 |      * @param CorsValidatorInterface $validator
44 |      **/
45 |     public function __construct(CorsConfigurationInterface $configuration, CorsValidatorInterface $validator)
46 |     {
47 |         $this->configuration = $configuration;
48 |         $this->validator = $validator;
49 |     }
50 | 
51 |     public function getValue(): ?string
52 |     {
53 |         return $this->configuration->getMaxAge() ? $this->configuration->getMaxAge() : $this->headerValue;
54 |     }
55 | 
56 |     public function canApply(): bool
57 |     {
58 |         return $this->validator->isPreflightRequest() && $this->validator->originIsValid() && $this->getValue();
59 |     }
60 | }
61 | 


--------------------------------------------------------------------------------
/Response/HeaderProvider/CorsVaryHeaderProvider.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | /**
 4 |  * Copyright © Graycore, LLC. All rights reserved.
 5 |  * See LICENSE.md for details.
 6 |  */
 7 | 
 8 | namespace Graycore\Cors\Response\HeaderProvider;
 9 | 
10 | use Graycore\Cors\Validator\CorsValidatorInterface;
11 | use Magento\Framework\App\Response\HeaderProvider\AbstractHeaderProvider;
12 | use Magento\Framework\App\Response\HeaderProvider\HeaderProviderInterface;
13 | 
14 | /**
15 |  * CorsVaryHeaderProvider is responsible for adding the header
16 |  * Vary Header to a response.
17 |  * @author    Graycore <damien@graycore.io>
18 |  * @copyright Graycore, LLC (https://www.graycore.io/)
19 |  * @license   MIT https://github.com/graycoreio/magento2-cors/license
20 |  * @link      https://github.com/graycoreio/magento2-cors
21 |  */
22 | class CorsVaryHeaderProvider extends AbstractHeaderProvider implements HeaderProviderInterface
23 | {
24 |     /**
25 |      * @var string
26 |      */
27 |     protected $headerName = 'Vary';
28 | 
29 |     /**
30 |      * @var string
31 |      */
32 |     protected $headerValue = 'Origin';
33 | 
34 |     /**
35 |      * Since we'll be responding to requests differently per request origin, we now
36 |      * need to ensure that all responses contain the vary header. Otherwise,
37 |      * HTTP caches, like Varnish or the browser cache, will incorrectly cache
38 |      * results because they won't know that the "per origin" behavior could exist.
39 |      *
40 |      * Additionally,
41 |      * ```
42 |      * Vary: Accept-Encoding
43 |      * Vary: Origin
44 |      * ```
45 |      *
46 |      * is the same as
47 |      *
48 |      * ```
49 |      * Vary: Accept-Encoding, Origin
50 |      * ```
51 |      *
52 |      * So, we don't bother attempting to merge the two headers into a comma-separated list.
53 |      *
54 |      * //TODO(damienwebdev): consider the ramifications to cache size if we don't
55 |      * normalize "Vary" this into well organized list.
56 |      */
57 |     public function canApply(): bool
58 |     {
59 |         return true;
60 |     }
61 | }
62 | 


--------------------------------------------------------------------------------
/Response/Preflight/GraphQl/PreflightRequestHandler.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | /**
 4 |  * Copyright © Graycore, LLC. All rights reserved.
 5 |  * See LICENSE.md for details.
 6 |  */
 7 | 
 8 | namespace Graycore\Cors\Response\Preflight\GraphQl;
 9 | 
10 | use Magento\Framework\App\Request\Http;
11 | use Magento\Framework\App\RequestInterface;
12 | use Magento\Framework\App\Response\Http as HttpResponse;
13 | use Magento\GraphQl\Controller\GraphQl as GraphQlController;
14 | use Magento\Framework\App\Response\HeaderManager;
15 | 
16 | /**
17 |  * PreflightRequestHandler is responsible for returning a
18 |  * 200 response to an options request on the graphql endpoint.
19 |  *
20 |  * @author    Matthew O'Loughlin <matthew@aligent.com.au>
21 |  * @copyright Graycore, LLC (https://www.graycore.io/)
22 |  * @license   MIT https://github.com/graycoreio/magento2-cors/license
23 |  * @link      https://github.com/graycoreio/magento2-cors
24 |  */
25 | class PreflightRequestHandler
26 | {
27 | 
28 |     /** @var HttpResponse */
29 |     private $_response;
30 | 
31 |     /** @var HeaderManager */
32 |     private $_headerManager;
33 | 
34 |     public function __construct(HttpResponse $response, HeaderManager $headerManager)
35 |     {
36 |         $this->_response = $response;
37 |         $this->_headerManager = $headerManager;
38 |     }
39 | 
40 |     /**
41 |      * @param GraphQlController $subject
42 |      * @param callable $next
43 |      * @param RequestInterface $request
44 |      * @return \Magento\Framework\App\Response\HttpInterface
45 |      */
46 |     public function aroundDispatch(GraphQlController $subject, callable $next, RequestInterface $request)
47 |     {
48 |         if ($request instanceof Http && $request->isOptions()) {
49 |             $this->_headerManager->beforeSendResponse($this->_response);
50 |             $this->_response->setPublicHeaders(86400);
51 |             return $this->_response;
52 |         }
53 | 
54 |         return $next($request);
55 |     }
56 | }
57 | 


--------------------------------------------------------------------------------
/Response/Preflight/Rest/PreflightRequestHandler.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | /**
 4 |  * Copyright © Graycore, LLC. All rights reserved.
 5 |  * See LICENSE.md for details.
 6 |  */
 7 | 
 8 | namespace Graycore\Cors\Response\Preflight\Rest;
 9 | 
10 | use Graycore\Cors\Response\HeaderManager;
11 | use Magento\Framework\App\Request\Http;
12 | use Magento\Framework\App\RequestInterface;
13 | use Magento\Webapi\Controller\Rest as RestController;
14 | use Magento\Framework\Webapi\Rest\Request as RestRequest;
15 | use Magento\Framework\App\Response\Http as HttpResponse;
16 | 
17 | /**
18 |  * PreflightRequestHandler is responsible for returning a
19 |  * 200 response to an options request.
20 |  *
21 |  * @author    Graycore <damien@graycore.io>
22 |  * @copyright Graycore, LLC (https://www.graycore.io/)
23 |  * @license   MIT https://github.com/graycoreio/magento2-cors/license
24 |  * @link      https://github.com/graycoreio/magento2-cors
25 |  */
26 | class PreflightRequestHandler
27 | {
28 | 
29 |     /** @var HttpResponse */
30 |     private $_response;
31 | 
32 |     /** @var HeaderManager */
33 |     private $_headerManager;
34 | 
35 |     public function __construct(HttpResponse $response, HeaderManager $headerManager)
36 |     {
37 |         $this->_response = $response;
38 |         $this->_headerManager = $headerManager;
39 |     }
40 | 
41 |     /**
42 |      * @param RestController $subject
43 |      * @param callable $next
44 |      * @param RequestInterface $request
45 |      * @return string
46 |      */
47 |     public function aroundDispatch(RestController $subject, callable $next, RequestInterface $request)
48 |     {
49 |         if ($request instanceof Http && $request->isOptions()) {
50 |             $this->_headerManager->applyHeaders($this->_response);
51 |             $this->_response->setPublicHeaders(86400);
52 |             return $this->_response;
53 |             
54 |         }
55 | 
56 |         /** @var HttpResponse $response */
57 |         return $next($request);
58 |     }
59 | }
60 | 


--------------------------------------------------------------------------------
/Test/Integration/CorsConfigurationDiTest.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | /**
 3 |  * Copyright © Graycore, LLC. All rights reserved.
 4 |  * See LICENSE.md for details.
 5 |  */
 6 | namespace Graycore\Cors\Test\Integration;
 7 | 
 8 | use PHPUnit\Framework\TestCase;
 9 | use Magento\TestFramework\ObjectManager as ObjectManager;
10 | use Graycore\Cors\Configuration\CorsConfigurationInterface;
11 | use Graycore\Cors\Configuration\GraphQl\CorsConfiguration as GraphQlCorsConfiguration;
12 | use Graycore\Cors\Configuration\Rest\CorsConfiguration as RestCorsConfiguration;
13 | 
14 | /**
15 |  * Tests that the Dependency Injection for the module is setup correctly.
16 |  * @author    Graycore <damien@graycore.io>
17 |  * @copyright Graycore, LLC (https://www.graycore.io/)
18 |  * @license   MIT https://github.com/graycoreio/magento2-cors/license
19 |  * @link      https://github.com/graycoreio/magento2-cors
20 |  */
21 | class CorsConfigurationDiTest extends TestCase
22 | {
23 |     /** @var ObjectManager */
24 |     private $objectManager;
25 | 
26 |     public function setUp(): void
27 |     {
28 |         $this->objectManager = ObjectManager::getInstance();
29 |     }
30 | 
31 |     /**
32 |      * @magentoAppArea global
33 |      */
34 |     public function testItDoesNotPresentAConcretionForTheCorsConfigurationInterfaceInTheGlobalScope()
35 |     {
36 |         $this->expectException(
37 |             \Error::class,
38 |             "Cannot instantiate interface Graycore\Cors\Validator\CorsConfigurationInterface"
39 |         );
40 |         $this->objectManager->get(CorsConfigurationInterface::class);
41 |     }
42 | 
43 |     /**
44 |      * @magentoAppArea graphql
45 |      */
46 |     public function testItPresentsAConcretionForTheCorsConfigurationInterfaceInTheGraphQlScope()
47 |     {
48 |         $this->assertInstanceOf(
49 |             GraphQlCorsConfiguration::class,
50 |             $this->objectManager->get(CorsConfigurationInterface::class)
51 |         );
52 |     }
53 | 
54 |     /**
55 |      * @magentoAppArea webapi_rest
56 |      */
57 |     public function testItPresentsAConcretionForTheCorsConfigurationInterfaceInTheRestScope()
58 |     {
59 |         $this->assertInstanceOf(
60 |             RestCorsConfiguration::class,
61 |             $this->objectManager->get(CorsConfigurationInterface::class)
62 |         );
63 |     }
64 | }
65 | 


--------------------------------------------------------------------------------
/Test/Integration/CorsValidatorDiTest.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | /**
 3 |  * Copyright © Graycore, LLC. All rights reserved.
 4 |  * See LICENSE.md for details.
 5 |  */
 6 | namespace Graycore\Cors\Test\Integration;
 7 | 
 8 | use PHPUnit\Framework\TestCase;
 9 | use Magento\TestFramework\App\State as AppAreaState;
10 | use Magento\TestFramework\ObjectManager;
11 | use Graycore\Cors\Configuration\CorsConfigurationInterface;
12 | use Graycore\Cors\Configuration\GraphQl\CorsConfiguration as GraphQlCorsConfiguration;
13 | use Graycore\Cors\Configuration\Rest\CorsConfiguration as RestCorsConfiguration;
14 | use Graycore\Cors\Validator\CorsValidatorInterface;
15 | use Graycore\Cors\Validator\CorsValidator;
16 | 
17 | /**
18 |  * Tests that the Dependency Injection for the module is setup correctly.
19 |  * @author    Graycore <damien@graycore.io>
20 |  * @copyright Graycore, LLC (https://www.graycore.io/)
21 |  * @license   MIT https://github.com/graycoreio/magento2-cors/license
22 |  * @link      https://github.com/graycoreio/magento2-cors
23 |  */
24 | class CorsValidatorDiTest extends TestCase
25 | {
26 |     /** @var ObjectManager */
27 |     private $objectManager;
28 | 
29 |     public function setUp(): void
30 |     {
31 |         $this->objectManager = ObjectManager::getInstance();
32 |     }
33 | 
34 |     /**
35 |      * @magentoAppArea global
36 |      */
37 |     public function testItDoesNotPresentAConcretionForTheCorsValidatorInterfaceInTheGlobalScope()
38 |     {
39 |         $this->expectException(
40 |             \Error::class,
41 |             "Cannot instantiate interface Graycore\Cors\Validator\CorsValidatorInterface"
42 |         );
43 |         $this->objectManager->get(CorsValidatorInterface::class);
44 |     }
45 | 
46 |     /**
47 |      * @magentoAppArea graphql
48 |      */
49 |     public function testItPresentsAConcretionForTheCorsValidatorInterfaceInTheGraphQlScope()
50 |     {
51 |         $this->assertInstanceOf(
52 |             CorsValidator::class,
53 |             $this->objectManager->get(CorsValidatorInterface::class)
54 |         );
55 |     }
56 | 
57 |     /**
58 |      * @magentoAppArea webapi_rest
59 |      */
60 |     public function testItPresentsAConcretionForTheCorsValidatorInterfaceInTheWebApiRestScope()
61 |     {
62 |         $this->assertInstanceOf(
63 |             CorsValidator::class,
64 |             $this->objectManager->get(CorsValidatorInterface::class)
65 |         );
66 |     }
67 | }
68 | 


--------------------------------------------------------------------------------
/Test/Integration/HeaderManagerConfigurationTest.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | /**
 3 |  * Copyright © Graycore, LLC. All rights reserved.
 4 |  * See LICENSE.md for details.
 5 |  */
 6 | namespace Graycore\Cors\Test\Integration;
 7 | 
 8 | use PHPUnit\Framework\TestCase;
 9 | 
10 | /**
11 |  * Tests that ensure that the CORS headers are properly
12 |  * dependency injected into the HeaderManager
13 |  * @author    Graycore <damien@graycore.io>
14 |  * @copyright 2019 Graycore, LLC (https://www.graycore.io/)
15 |  * @license   MIT https://github.com/graycoreio/magento2-cors/license
16 |  * @link      https://github.com/graycoreio/magento2-cors
17 |  */
18 | class HeaderManagerConfigurationTest extends TestCase
19 | {
20 |     public function testTheModuleAddsCorsHeadersInTheGraphQlScope()
21 |     {
22 |         $this->markTestIncomplete('This test has not been implemented yet.');
23 |     }
24 | 
25 |     public function testTheModuleDoesNotAddCorsHeadersInTheGlobalScope()
26 |     {
27 |         $this->markTestIncomplete('This test has not been implemented yet.');
28 |     }
29 | }
30 | 


--------------------------------------------------------------------------------
/Test/Integration/Preflight/GraphQlResponseTest.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | /**
 4 |  * Copyright © Graycore, LLC. All rights reserved.
 5 |  * See LICENSE.md for details.
 6 |  */
 7 | 
 8 | namespace Graycore\Cors\Test\Integration\Preflight;
 9 | 
10 | use Magento\Framework\App\Response\Http;
11 | use Magento\TestFramework\TestCase\AbstractController as ControllerTestCase;
12 | use Laminas\Http\Headers;
13 | 
14 | /**
15 |  * Tests that the responses to GraphQl API requests
16 |  * properly respond with the CORS headers in the
17 |  * default configuration
18 |  * @author    Graycore <damien@graycore.io>
19 |  * @copyright Graycore, LLC (https://www.graycore.io/)
20 |  * @license   MIT https://github.com/graycoreio/magento2-cors/license
21 |  * @link      https://github.com/graycoreio/magento2-cors
22 |  */
23 | class GraphQlResponseTest extends ControllerTestCase
24 | {
25 |     private function dispatchToGraphQlApiWithOrigin(string $origin)
26 |     {
27 |         $headers = new Headers();
28 |         $headers->addHeaderLine('Origin: ' . $origin);
29 |         $headers->addHeaderLine('Content-Type: application/json');
30 |         $this->getRequest()->setMethod('OPTIONS')->setHeaders($headers)
31 |             ->setContent('{"query": "{products(search:\"Pierce\"){total_count}}"}');
32 |         $this->dispatch('/graphql');
33 |     }
34 | 
35 |     public function testItDoesNotAddAnyCrossOriginHeadersOutOfTheBox()
36 |     {
37 |         $this->dispatchToGraphQlApiWithOrigin("https://www.example.com");
38 | 
39 |         /** @var Http $response */
40 |         $response = $this->getResponse();
41 |         $this->assertFalse($response->getHeader('Access-Control-Allow-Origin'));
42 |         $this->assertFalse($response->getHeader('Access-Control-Max-Age'));
43 |     }
44 | 
45 |     /**
46 |      * @magentoConfigFixture default/web/graphql/cors_allowed_origins https://www.example.com
47 |      */
48 |     public function testItdoesNotAddAnyCrossOriginHeadersToATypicalRequest()
49 |     {
50 |         $this->dispatch('/');
51 | 
52 |         /** @var Http $response */
53 |         $response = $this->getResponse();
54 |         $this->assertFalse($response->getHeader('Access-Control-Allow-Origin'));
55 |     }
56 | 
57 |     /**
58 |      * @magentoConfigFixture default/web/graphql/cors_allowed_origins https://www.example.com
59 |      */
60 |     public function testTheGraphQlPreflightResponseContainsCrossOriginHeaders()
61 |     {
62 |         $this->dispatchToGraphQlApiWithOrigin("https://www.example.com");
63 | 
64 |         /** @var Http $response */
65 |         $response = $this->getResponse();
66 |         $this->assertNotFalse($response->getHeader('Access-Control-Allow-Origin'));
67 |         $this->assertNotFalse($response->getHeader('Access-Control-Max-Age'));
68 |         $this->assertSame(200, $response->getHttpResponseCode());
69 |         $this->assertEquals("", $response->getBody());
70 |     }
71 | }
72 | 


--------------------------------------------------------------------------------
/Test/Integration/Preflight/WebApiResponseTest.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | /**
 4 |  * Copyright © Graycore, LLC. All rights reserved.
 5 |  * See LICENSE.md for details.
 6 |  */
 7 | 
 8 | namespace Graycore\Cors\Test\Integration\Preflight;
 9 | 
10 | use Magento\Framework\App\Response\Http;
11 | use Magento\TestFramework\TestCase\AbstractController as ControllerTestCase;
12 | use Laminas\Http\Headers;
13 | 
14 | /**
15 |  * Tests that the responses to REST API requests
16 |  * properly respond with the CORS headers in the
17 |  * default configuration
18 |  * @author    Graycore <damien@graycore.io>
19 |  * @copyright Graycore, LLC (https://www.graycore.io/)
20 |  * @license   MIT https://github.com/graycoreio/magento2-cors/license
21 |  * @link      https://github.com/graycoreio/magento2-cors
22 |  */
23 | class WebApiResponseTest extends ControllerTestCase
24 | {
25 |     const ENDPOINT = '/rest/default/V1/directory/currency';
26 | 
27 |     public function getResponse()
28 |     {
29 |         if (!$this->_response) {
30 |             $this->_response = $this->_objectManager->get(\Magento\Framework\Webapi\Rest\Response::class);
31 |         }
32 |         return $this->_response;
33 |     }
34 | 
35 |     private function dispatchToRestApi()
36 |     {
37 |         ob_start();
38 |         $this->dispatch(self::ENDPOINT);
39 |         $this->getResponse()->sendResponse();
40 |         ob_end_clean();
41 |     }
42 | 
43 |     private function dispatchToRestApiWithOrigin(string $origin)
44 |     {
45 |         $headers = new Headers();
46 |         $headers->addHeaderLine('Origin: ' . $origin);
47 |         $headers->addHeaderLine('Content-Type: application/json');
48 |         $this->getRequest()->setMethod('OPTIONS')->setHeaders($headers);
49 |         ob_start();
50 |         $this->dispatch(self::ENDPOINT);
51 |         $this->getResponse()->sendResponse();
52 |         ob_end_clean();
53 |     }
54 | 
55 |     public function testItDoesNotAddAnyCrossOriginHeadersOutOfTheBox()
56 |     {
57 |         $this->dispatchToRestApiWithOrigin("https://www.example.com");
58 | 
59 |         /** @var Http $response */
60 |         $response = $this->getResponse();
61 |         $this->assertFalse($response->getHeader('Access-Control-Allow-Origin'));
62 |         $this->assertFalse($response->getHeader('Access-Control-Max-Age'));
63 |     }
64 | 
65 |     /**
66 |      * @magentoConfigFixture default/web/api_rest/cors_allowed_origins https://www.example.com
67 |      */
68 |     public function testItdoesNotAddAnyCrossOriginHeadersToATypicalRequest()
69 |     {
70 |         $this->dispatchToRestApi();
71 | 
72 |         /** @var Http $response */
73 |         $response = $this->getResponse();
74 |         $this->assertFalse($response->getHeader('Access-Control-Allow-Origin'));
75 |     }
76 | 
77 |     /**
78 |      * @magentoConfigFixture default/web/api_rest/cors_allowed_origins https://www.example.com
79 |      */
80 |     public function testTheWebApiPreflightResponseContainsCrossOriginHeaders()
81 |     {
82 |         $this->dispatchToRestApiWithOrigin("https://www.example.com");
83 | 
84 |         /** @var Http $response */
85 |         $response = $this->getResponse();
86 |         $this->assertNotFalse($response->getHeader('Access-Control-Allow-Origin'));
87 |         $this->assertNotFalse($response->getHeader('Access-Control-Max-Age'));
88 |         $this->assertSame(200, $response->getHttpResponseCode());
89 |         $this->assertEquals("", $response->getBody());
90 |     }
91 | }
92 | 


--------------------------------------------------------------------------------
/Test/Integration/RegistrationTest.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | /**
 3 |  * Copyright © Graycore, LLC. All rights reserved.
 4 |  * See LICENSE.md for details.
 5 |  */
 6 | namespace Graycore\Cors\Test\Integration;
 7 | 
 8 | use Magento\Framework\Component\ComponentRegistrar;
 9 | use Magento\Framework\Module\ModuleList;
10 | use Magento\TestFramework\ObjectManager;
11 | use PHPUnit\Framework\TestCase;
12 | 
13 | /**
14 |  * Tests that ensure that the CORS module gets registered properly into the
15 |  * Magento application.
16 |  * @author    Graycore <damien@graycore.io>
17 |  * @copyright 2019 Graycore, LLC (https://www.graycore.io/)
18 |  * @license   MIT https://github.com/graycoreio/magento2-cors/license
19 |  * @link      https://github.com/graycoreio/magento2-cors
20 |  */
21 | class RegistrationTest extends TestCase
22 | {
23 |     /**
24 |      * @var string
25 |      */
26 |     private $moduleName = "Graycore_Cors";
27 | 
28 |     public function testItRegistersTheModuleIntoMagento()
29 |     {
30 |         $registrar = new ComponentRegistrar();
31 |         $this->assertArrayHasKey($this->moduleName, $registrar->getPaths(ComponentRegistrar::MODULE));
32 |     }
33 | 
34 |     public function testTheModuleIsConfiguredAndEnabled()
35 |     {
36 |         $manager = ObjectManager::getInstance();
37 |         $moduleList = $manager->create(ModuleList::class);
38 | 
39 |         $this->assertTrue($moduleList->has($this->moduleName));
40 |     }
41 | }
42 | 


--------------------------------------------------------------------------------
/Test/Integration/Response/GraphQlResponseTest.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | /**
 4 |  * Copyright © Graycore, LLC. All rights reserved.
 5 |  * See LICENSE.md for details.
 6 |  */
 7 | 
 8 | namespace Graycore\Cors\Test\Integration\Response;
 9 | 
10 | use Magento\Framework\App\Response\Http;
11 | use Magento\TestFramework\TestCase\AbstractController as ControllerTestCase;
12 | use Laminas\Http\Headers;
13 | 
14 | /**
15 |  * Tests that the responses to GraphQl API requests
16 |  * properly respond with the CORS headers in the
17 |  * default configuration
18 |  * @author    Graycore <damien@graycore.io>
19 |  * @copyright Graycore, LLC (https://www.graycore.io/)
20 |  * @license   MIT https://github.com/graycoreio/magento2-cors/license
21 |  * @link      https://github.com/graycoreio/magento2-cors
22 |  */
23 | class GraphQlResponseTest extends ControllerTestCase
24 | {
25 |     private function dispatchToGraphQlApiWithOrigin(string $origin)
26 |     {
27 |         $headers = new Headers();
28 |         $headers->addHeaderLine('Origin: ' . $origin);
29 |         $headers->addHeaderLine('Content-Type: application/json');
30 |         $this->getRequest()->setMethod('POST')->setHeaders($headers)
31 |             ->setContent('{"query": "{products(search:\"Pierce\"){total_count}}"}');
32 |         $this->dispatch('/graphql');
33 |     }
34 | 
35 |     /**
36 |      * @magentoConfigFixture default/web/graphql/cors_allowed_origins https://www.example.com
37 |      */
38 |     public function testItdoesNotAddAnyCrossOriginHeadersToATypicalRequest()
39 |     {
40 |         $headers = new Headers();
41 |         $headers->addHeaderLine('Origin: https://www.example.com');
42 |         $this->dispatch('/');
43 | 
44 |         /** @var Http $response */
45 |         $response = $this->getResponse();
46 |         $this->assertFalse($response->getHeader('Access-Control-Allow-Origin'));
47 |     }
48 | 
49 |     public function testItDoesNotAddAnyCrossOriginHeadersOutOfTheBox()
50 |     {
51 |         $this->dispatchToGraphQlApiWithOrigin("https://www.example.com");
52 | 
53 |         /** @var Http $response */
54 |         $response = $this->getResponse();
55 |         $this->assertFalse($response->getHeader('Access-Control-Allow-Origin'));
56 |         $this->assertFalse($response->getHeader('Access-Control-Max-Age'));
57 |     }
58 | 
59 |     /**
60 |      * @magentoConfigFixture default/web/api_rest/cors_allowed_origins https://www.example.com
61 |      */
62 |     public function testTheGraphQlApiWillResponseToACorsRequestWithA200Response()
63 |     {
64 |         $this->dispatchToGraphQlApiWithOrigin('https://www.example.com');
65 | 
66 |         /** @var Http $response */
67 |         $response = $this->getResponse();
68 |         $this->assertSame(200, $response->getHttpResponseCode());
69 |     }
70 | 
71 |     /**
72 |      * @magentoConfigFixture default/web/graphql/cors_allowed_origins https://www.example.com
73 |      */
74 |     public function testTheGraphQlResponseContainsCrossOriginHeaders()
75 |     {
76 |         $this->dispatchToGraphQlApiWithOrigin("https://www.example.com");
77 | 
78 |         /** @var Http $response */
79 |         $response = $this->getResponse();
80 |         $this->assertNotFalse($response->getHeader('Access-Control-Allow-Origin'));
81 |     }
82 | }
83 | 


--------------------------------------------------------------------------------
/Test/Integration/Response/WebApiResponseTest.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | /**
  3 |  * Copyright © Graycore, LLC. All rights reserved.
  4 |  * See LICENSE.md for details.
  5 |  */
  6 | namespace Graycore\Cors\Test\Integration\Response;
  7 | 
  8 | use Magento\Framework\App\Response\Http;
  9 | use Magento\TestFramework\TestCase\AbstractController as ControllerTestCase;
 10 | use Laminas\Http\Headers;
 11 | 
 12 | /**
 13 |  * Tests that the responses to REST API requests
 14 |  * properly respond with the CORS headers in the
 15 |  * default configuration
 16 |  * @author    Graycore <damien@graycore.io>
 17 |  * @copyright Graycore, LLC (https://www.graycore.io/)
 18 |  * @license   MIT https://github.com/graycoreio/magento2-cors/license
 19 |  * @link      https://github.com/graycoreio/magento2-cors
 20 |  */
 21 | class WebApiResponseTest extends ControllerTestCase
 22 | {
 23 |     const ENDPOINT = '/rest/default/V1/directory/currency';
 24 | 
 25 |     public function getResponse()
 26 |     {
 27 |         if (!$this->_response) {
 28 |             $this->_response = $this->_objectManager->get(\Magento\Framework\Webapi\Rest\Response::class);
 29 |         }
 30 |         return $this->_response;
 31 |     }
 32 | 
 33 |     private function dispatchToRestApi()
 34 |     {
 35 |         ob_start();
 36 |         $this->dispatch(self::ENDPOINT);
 37 |         $this->getResponse()->sendResponse();
 38 |         ob_end_clean();
 39 |     }
 40 | 
 41 |     private function dispatchToRestApiWithOrigin(string $origin)
 42 |     {
 43 |         $headers = new Headers();
 44 |         $headers->addHeaderLine('Origin: ' . $origin);
 45 |         $headers->addHeaderLine('Content-Type: application/json');
 46 |         $this->getRequest()->setMethod('GET')->setHeaders($headers);
 47 |         ob_start();
 48 |         $this->dispatch(self::ENDPOINT);
 49 |         $this->getResponse()->sendResponse();
 50 |         ob_end_clean();
 51 |     }
 52 | 
 53 |     /**
 54 |      * @magentoConfigFixture default/web/api_rest/cors_allowed_origins https://www.example.com
 55 |      */
 56 |     public function testItdoesNotAddAnyCrossOriginHeadersToATypicalRequest()
 57 |     {
 58 |         $this->dispatchToRestApi();
 59 | 
 60 |         /** @var Http $response */
 61 |         $response = $this->getResponse();
 62 |         $this->assertFalse($response->getHeader('Access-Control-Allow-Origin'));
 63 |     }
 64 | 
 65 |     public function testItDoesNotAddAnyCrossOriginHeadersOutOfTheBox()
 66 |     {
 67 |         $this->dispatchToRestApiWithOrigin("https://www.example.com");
 68 | 
 69 |         /** @var Http $response */
 70 |         $response = $this->getResponse();
 71 |         $this->assertFalse($response->getHeader('Access-Control-Allow-Origin'));
 72 |         $this->assertFalse($response->getHeader('Access-Control-Max-Age'));
 73 |     }
 74 | 
 75 |     /**
 76 |      * @magentoConfigFixture default/web/api_rest/cors_allowed_origins https://www.example.com
 77 |      */
 78 |     public function testTheRestApiWillResponseToACorsRequestWithA200Response()
 79 |     {
 80 |         $this->dispatchToRestApiWithOrigin('https://www.example.com');
 81 | 
 82 |         /** @var Http $response */
 83 |         $response = $this->getResponse();
 84 |         $this->assertSame(200, $response->getHttpResponseCode());
 85 |     }
 86 | 
 87 |     /**
 88 |      * @magentoConfigFixture default/web/api_rest/cors_allowed_origins https://www.example.com
 89 |      */
 90 |     public function testTheRestApiResponseContainsCrossOriginHeaders()
 91 |     {
 92 |         $this->dispatchToRestApiWithOrigin("https://www.example.com");
 93 | 
 94 |         /** @var Http $response */
 95 |         $response = $this->getResponse();
 96 | 
 97 |         $this->assertNotFalse($response->getHeader('Access-Control-Allow-Origin'));
 98 |     }
 99 | }
100 | 


--------------------------------------------------------------------------------
/Test/Unit/Configuration/ConfigurationCleanerTest.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | /**
 3 |  * Copyright © Graycore, LLC. All rights reserved.
 4 |  * See LICENSE.md for details.
 5 |  */
 6 | namespace Graycore\Cors\Test\Unit\Configuration;
 7 | 
 8 | use Graycore\Cors\Configuration\ConfigurationCleaner;
 9 | use Magento\Framework\App\Config\ScopeConfigInterface;
10 | 
11 | /**
12 |  * @author    Graycore <damien@graycore.io>
13 |  * @copyright Graycore, LLC (https://www.graycore.io/)
14 |  * @license   MIT https://github.com/graycoreio/magento2-cors/license
15 |  * @link      https://github.com/graycoreio/magento2-cors
16 |  */
17 | class ConfigurationCleanerTest extends \PHPUnit\Framework\TestCase
18 | {
19 |     /**
20 |      * @var configurationCleaner
21 |      */
22 |     protected $configurationCleaner;
23 | 
24 |     protected function setUp(): void
25 |     {
26 |         $this->configurationCleaner = new ConfigurationCleaner();
27 |     }
28 |     public function testItProperlyCleansArray()
29 |     {
30 |         $string = "1, 2, 3, 4";
31 |         $this->assertEquals(["1","2","3","4"], $this->configurationCleaner->processDelimitedString($string));
32 |         $string = "1,, 2,, 3, 4";
33 |         $this->assertEquals(["1","2","3","4"], $this->configurationCleaner->processDelimitedString($string));
34 |     }
35 | }
36 | 


--------------------------------------------------------------------------------
/Test/Unit/Configuration/GraphQlCorsConfigurationTest.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | /**
 3 |  * Copyright © Graycore, LLC. All rights reserved.
 4 |  * See LICENSE.md for details.
 5 |  */
 6 | namespace Graycore\Cors\Test\Unit\Configuration;
 7 | 
 8 | use Graycore\Cors\Configuration\GraphQl\CorsConfiguration;
 9 | use Magento\Framework\App\Config\ScopeConfigInterface;
10 | 
11 | /**
12 |  * Tests that the Cors Configuration object properly
13 |  * retrieves, parses and transforms configuration
14 |  * settings from Magento configuration.
15 |  * @author    Graycore <damien@graycore.io>
16 |  * @copyright Graycore, LLC (https://www.graycore.io/)
17 |  * @license   MIT https://github.com/graycoreio/magento2-cors/license
18 |  * @link      https://github.com/graycoreio/magento2-cors
19 |  */
20 | class GraphQlCorsConfigurationTest extends \PHPUnit\Framework\TestCase
21 | {
22 |     /**
23 |      * @var CorsConfiguration
24 |      */
25 |     protected $configuration;
26 | 
27 |     /**
28 |      * @var ScopeConfigInterface|\PHPUnit_Framework_MockObject_MockObject
29 |      */
30 |     protected $scopeConfigMock;
31 | 
32 |     protected function setUp(): void
33 |     {
34 |         $this->scopeConfigMock = $this->createMock(ScopeConfigInterface::class);
35 |         $this->configuration = new CorsConfiguration($this->scopeConfigMock);
36 |     }
37 | 
38 |     public function testItReturnsAnArrayOfAllowedOrigins()
39 |     {
40 |         $this->scopeConfigMock->method('getValue')->willReturn('https://www.example.com');
41 |         $this->assertEquals(['https://www.example.com'], $this->configuration->getAllowedOrigins());
42 |     }
43 | 
44 |     public function testIfTheConfigurationIsEmptyItWillReturnAnEmptyArray()
45 |     {
46 |         $this->scopeConfigMock->method('getValue')->willReturn('');
47 |         $this->assertEquals([], $this->configuration->getAllowedOrigins());
48 |     }
49 | 
50 |     public function testIfTheConfigurationIsNullItWillReturnAnEmptyArray()
51 |     {
52 |         $this->scopeConfigMock->method('getValue')->willReturn(null);
53 |         $this->assertEquals([], $this->configuration->getAllowedOrigins());
54 |     }
55 | 
56 |     public function testIfTheConfigurationIsACommaSeparatedStringWithSpacesInItThenItWillReturnAnArrayOfOrigins()
57 |     {
58 |         $this->scopeConfigMock
59 |             ->method('getValue')->willReturn('https://www.example.com, ,https://www.myother.valid.domain ');
60 |         $this->assertEquals(
61 |             ['https://www.example.com', 'https://www.myother.valid.domain'],
62 |             $this->configuration->getAllowedOrigins()
63 |         );
64 |     }
65 | 
66 |     public function testIfAllowCredentialsNotConfiguredItWillReturnFalse()
67 |     {
68 |         $this->scopeConfigMock->method('isSetFlag')->willReturn(false);
69 |         $this->assertEquals(false, $this->configuration->getAllowCredentials());
70 |     }
71 | }
72 | 


--------------------------------------------------------------------------------
/Test/Unit/Configuration/RestCorsConfigurationTest.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | /**
 3 |  * Copyright © Graycore, LLC. All rights reserved.
 4 |  * See LICENSE.md for details.
 5 |  */
 6 | namespace Graycore\Cors\Test\Unit\Configuration;
 7 | 
 8 | use Graycore\Cors\Configuration\Rest\CorsConfiguration;
 9 | use Magento\Framework\App\Config\ScopeConfigInterface;
10 | 
11 | /**
12 |  * Tests that the Cors Configuration object properly
13 |  * retrieves, parses and transforms configuration
14 |  * settings from Magento configuration.
15 |  * @author    Graycore <damien@graycore.io>
16 |  * @copyright Graycore, LLC (https://www.graycore.io/)
17 |  * @license   MIT https://github.com/graycoreio/magento2-cors/license
18 |  * @link      https://github.com/graycoreio/magento2-cors
19 |  */
20 | class RestCorsConfigurationTest extends \PHPUnit\Framework\TestCase
21 | {
22 |     /**
23 |      * @var CorsConfiguration
24 |      */
25 |     protected $configuration;
26 | 
27 |     /**
28 |      * @var ScopeConfigInterface|\PHPUnit_Framework_MockObject_MockObject
29 |      */
30 |     protected $scopeConfigMock;
31 | 
32 |     protected function setUp(): void
33 |     {
34 |         $this->scopeConfigMock = $this->createMock(ScopeConfigInterface::class);
35 |         $this->configuration = new CorsConfiguration($this->scopeConfigMock);
36 |     }
37 | 
38 |     public function testItReturnsAnArrayOfAllowedOrigins()
39 |     {
40 |         $this->scopeConfigMock->method('getValue')->willReturn('https://www.example.com');
41 |         $this->assertEquals(['https://www.example.com'], $this->configuration->getAllowedOrigins());
42 |     }
43 | 
44 |     public function testIfTheConfigurationIsEmptyItWillReturnAnEmptyArray()
45 |     {
46 |         $this->scopeConfigMock->method('getValue')->willReturn('');
47 |         $this->assertEquals([], $this->configuration->getAllowedOrigins());
48 |     }
49 | 
50 |     public function testIfTheConfigurationIsNullItWillReturnAnEmptyArray()
51 |     {
52 |         $this->scopeConfigMock->method('getValue')->willReturn(null);
53 |         $this->assertEquals([], $this->configuration->getAllowedOrigins());
54 |     }
55 | 
56 |     public function testIfTheConfigurationIsACommaSeparatedStringWithSpacesInItThenItWillReturnAnArrayOfOrigins()
57 |     {
58 |         $this->scopeConfigMock
59 |             ->method('getValue')->willReturn('https://www.example.com, ,https://www.myother.valid.domain ');
60 |         $this->assertEquals(
61 |             ['https://www.example.com', 'https://www.myother.valid.domain'],
62 |             $this->configuration->getAllowedOrigins()
63 |         );
64 |     }
65 | 
66 |     public function testIfAllowCredentialsNotConfiguredItWillReturnFalse()
67 |     {
68 |         $this->scopeConfigMock->method('isSetFlag')->willReturn(false);
69 |         $this->assertEquals(false, $this->configuration->getAllowCredentials());
70 |     }
71 | }
72 | 


--------------------------------------------------------------------------------
/Test/Unit/HeaderProvider/CorsAllowCredentialsHeaderProviderTest.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | /**
 3 |  * Copyright © Graycore, LLC. All rights reserved.
 4 |  * See LICENSE.md for details.
 5 |  */
 6 | namespace Graycore\Cors\Test\Unit\HeaderProvider;
 7 | 
 8 | use Graycore\Cors\Response\HeaderProvider\CorsAllowCredentialsHeaderProvider;
 9 | use Graycore\Cors\Configuration\CorsConfigurationInterface;
10 | use Graycore\Cors\Validator\CorsValidatorInterface;
11 | 
12 | /**
13 |  * Tests that the CORS AllowCredentials header
14 |  * is properly applied to a response
15 |  * @author    Matthew O'Loughlin <matthew@aligent.com.au>
16 |  * @copyright Graycore, LLC (https://www.graycore.io/)
17 |  * @license   MIT https://github.com/graycoreio/magento2-cors/license
18 |  * @link      https://github.com/graycoreio/magento2-cors
19 |  */
20 | class CorsAllowCredentialsHeaderProviderTest extends \PHPUnit\Framework\TestCase
21 | {
22 |     /** Access-Control-Allow-Credentials Header name */
23 |     const HEADER_NAME = 'Access-Control-Allow-Credentials';
24 | 
25 |     /**
26 |      * @var CorsAllowCredentialsHeaderProvider
27 |      */
28 |     protected $provider;
29 | 
30 |     /**
31 |      * @var CorsValidatorInterface|\PHPUnit_Framework_MockObject_MockObject
32 |      */
33 |     protected $corsValidatorMock;
34 | 
35 |     /**
36 |      * @var CorsConfigurationInterface|\PHPUnit_Framework_MockObject_MockObject
37 |      */
38 |     protected $corsConfigurationMock;
39 | 
40 |     protected function setUp(): void
41 |     {
42 |         $this->corsValidatorMock = $this->createMock(CorsValidatorInterface::class);
43 |         $this->corsConfigurationMock = $this->createMock(CorsConfigurationInterface::class);
44 |         $this->provider = new CorsAllowCredentialsHeaderProvider(
45 |             $this->corsConfigurationMock,
46 |             $this->corsValidatorMock
47 |         );
48 |     }
49 | 
50 |     public function testGetName()
51 |     {
52 |         $this->assertEquals($this::HEADER_NAME, $this->provider->getName(), 'Wrong header name');
53 |     }
54 | 
55 |     public function testNotAppliedIfNotConfigured()
56 |     {
57 |         $this->corsConfigurationMock->method('getAllowCredentials')->willReturn(false);
58 |         $this->corsValidatorMock->method('originIsValid')->willReturn(true);
59 |         $this->assertEquals(false, $this->provider->canApply(), 'Incorrectly applied header');
60 |     }
61 | 
62 |     public function testHeaderAppliedIfConfigured()
63 |     {
64 |         $this->corsConfigurationMock->method('getAllowCredentials')->willReturn(true);
65 |         $this->corsValidatorMock->method('originIsValid')->willReturn(true);
66 |         $this->assertEquals(true, $this->provider->canApply());
67 |         $this->assertEquals('true', $this->provider->getValue());
68 |     }
69 | }
70 | 


--------------------------------------------------------------------------------
/Test/Unit/HeaderProvider/CorsAllowHeadersHeaderProviderTest.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | /**
  3 |  * Copyright © Graycore, LLC. All rights reserved.
  4 |  * See LICENSE.md for details.
  5 |  */
  6 | namespace Graycore\Cors\Test\Unit\HeaderProvider;
  7 | 
  8 | use Graycore\Cors\Response\HeaderProvider\CorsAllowHeadersHeaderProvider;
  9 | use Graycore\Cors\Configuration\CorsConfigurationInterface;
 10 | use Graycore\Cors\Validator\CorsValidatorInterface;
 11 | 
 12 | /**
 13 |  * Tests that the CORS AllowHeader header
 14 |  * is properly applied to a response
 15 |  * @author    Graycore <damien@graycore.io>
 16 |  * @copyright Graycore, LLC (https://www.graycore.io/)
 17 |  * @license   MIT https://github.com/graycoreio/magento2-cors/license
 18 |  * @link      https://github.com/graycoreio/magento2-cors
 19 |  */
 20 | class CorsAllowHeadersHeaderProviderTest extends \PHPUnit\Framework\TestCase
 21 | {
 22 |     /** Access-Control-Allow-Headers Header name */
 23 |     const HEADER_NAME = 'Access-Control-Allow-Headers';
 24 | 
 25 |     /**
 26 |      * Access-Control-Allow-Headers Header value
 27 |      */
 28 |     const HEADER_VALUE = '';
 29 | 
 30 |     /**
 31 |      * @var CorsAllowHeadersHeaderProvider
 32 |      */
 33 |     protected $provider;
 34 | 
 35 |     /**
 36 |      * @var CorsValidatorInterface|\PHPUnit_Framework_MockObject_MockObject
 37 |      */
 38 |     protected $corsValidatorMock;
 39 | 
 40 |     /**
 41 |      * @var CorsConfigurationInterface|\PHPUnit_Framework_MockObject_MockObject
 42 |      */
 43 |     protected $corsConfigurationMock;
 44 | 
 45 |     protected function setUp(): void
 46 |     {
 47 |         $this->corsValidatorMock = $this->createMock(CorsValidatorInterface::class);
 48 |         $this->corsConfigurationMock = $this->createMock(CorsConfigurationInterface::class);
 49 |         $this->provider = new CorsAllowHeadersHeaderProvider($this->corsConfigurationMock, $this->corsValidatorMock);
 50 |     }
 51 | 
 52 |     public function testGetName()
 53 |     {
 54 |         $this->assertEquals($this::HEADER_NAME, $this->provider->getName(), 'Wrong header name');
 55 |     }
 56 | 
 57 |     public function testGetDefaultHeaderValue()
 58 |     {
 59 |         $this->assertEquals($this::HEADER_VALUE, $this->provider->getValue(), 'Wrong default header value');
 60 |     }
 61 | 
 62 |     public function testGetValueWillReturnAnEmptyStringIfTheConfigurationIsEmpty()
 63 |     {
 64 |         $stubHeaders = [];
 65 |         $this->corsConfigurationMock->method('getAllowedHeaders')->willReturn($stubHeaders);
 66 |         $this->assertEquals('', $this->provider->getValue());
 67 |     }
 68 | 
 69 |     public function testItUsesTheValueDefinedByScope()
 70 |     {
 71 |         $stubHeaders = ['My-Custom-Header'];
 72 |         $this->corsConfigurationMock->method('getAllowedHeaders')->willReturn($stubHeaders);
 73 |         $this->assertEquals('My-Custom-Header', $this->provider->getValue());
 74 |     }
 75 | 
 76 |     public function testItWillReturnACommaSeparatedListOfHeadersIfThereAreMultipleHeadersConfigured()
 77 |     {
 78 |         $stubHeaders = ['My-Custom-Header', 'My-Other-Custom-Header'];
 79 |         $this->corsConfigurationMock->method('getAllowedHeaders')->willReturn($stubHeaders);
 80 |         $this->assertEquals('My-Custom-Header,My-Other-Custom-Header', $this->provider->getValue());
 81 |     }
 82 | 
 83 |     /**
 84 |      * @dataProvider canApplyDataProvider
 85 |      */
 86 |     public function testCanApply($headers, $originResult, $isPreflight, $expected)
 87 |     {
 88 |         $this->corsConfigurationMock->method('getAllowedHeaders')->willReturn($headers);
 89 |         $this->corsValidatorMock->method('originIsValid')->willReturn($originResult);
 90 |         $this->corsValidatorMock->method('isPreflightRequest')->willReturn($isPreflight);
 91 |         $this->assertEquals($expected, $this->provider->canApply(), 'Incorrect canApply result');
 92 |     }
 93 | 
 94 |     public function canApplyDataProvider()
 95 |     {
 96 |         return [
 97 |             'invalid origin, cors request' => [
 98 |                 ['My-Valid-Header', 'My-Other-Valid-Header'],
 99 |                 false,
100 |                 false,
101 |                 false,
102 |             ],
103 |             'invalid origin, preflight request' => [
104 |                 ['My-Valid-Header', 'My-Other-Valid-Header'],
105 |                 false,
106 |                 true,
107 |                 false,
108 |             ],
109 |             'valid origin, cors request without configured headers' => [
110 |                 [],
111 |                 true,
112 |                 false,
113 |                 false,
114 |             ],
115 |             'valid origin, preflight request without configured headers' => [
116 |                 [],
117 |                 true,
118 |                 true,
119 |                 false,
120 |             ],
121 |             'valid origin, cors request with header configuration' => [
122 |                 ['My-Valid-Header', 'My-Other-Valid-Header'],
123 |                 true,
124 |                 false,
125 |                 false,
126 |             ],
127 |             'valid origin, preflight request with header configuration' => [
128 |                 ['My-Valid-Header', 'My-Other-Valid-Header'],
129 |                 true,
130 |                 true,
131 |                 true,
132 |             ],
133 |         ];
134 |     }
135 | }
136 | 


--------------------------------------------------------------------------------
/Test/Unit/HeaderProvider/CorsAllowMethodsHeaderProviderTest.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | /**
  3 |  * Copyright © Graycore, LLC. All rights reserved.
  4 |  * See LICENSE.md for details.
  5 |  */
  6 | namespace Graycore\Cors\Test\Unit\HeaderProvider;
  7 | 
  8 | use Graycore\Cors\Configuration\CorsConfigurationInterface;
  9 | use Graycore\Cors\Response\HeaderProvider\CorsAllowMethodsHeaderProvider;
 10 | use Graycore\Cors\Validator\CorsValidatorInterface;
 11 | 
 12 | /**
 13 |  * Tests that the CORS AllowMethods header
 14 |  * is properly applied to a response
 15 |  * @author    Graycore <damien@graycore.io>
 16 |  * @copyright Graycore, LLC (https://www.graycore.io/)
 17 |  * @license   MIT https://github.com/graycoreio/magento2-cors/license
 18 |  * @link      https://github.com/graycoreio/magento2-cors
 19 |  */
 20 | class CorsAllowMethodsHeaderProviderTest extends \PHPUnit\Framework\TestCase
 21 | {
 22 |     /** Access-Control-Allow-Methods Header name */
 23 |     const HEADER_NAME = 'Access-Control-Allow-Methods';
 24 | 
 25 |     /**
 26 |      * Access-Control-Allow-Methods Header value
 27 |      */
 28 |     const HEADER_VALUE = 'GET,POST,OPTIONS';
 29 | 
 30 |     /**
 31 |      * @var CorsAllowMethodsHeaderProvider
 32 |      */
 33 |     protected $provider;
 34 | 
 35 |     /**
 36 |      * @var CorsValidatorInterface|\PHPUnit_Framework_MockObject_MockObject
 37 |      */
 38 |     protected $corsValidatorMock;
 39 | 
 40 |     /**
 41 |      * @var CorsConfigurationInterface|\PHPUnit_Framework_MockObject_MockObject
 42 |      */
 43 |     protected $corsConfigurationMock;
 44 | 
 45 |     protected function setUp(): void
 46 |     {
 47 |         $this->corsValidatorMock = $this->createMock(CorsValidatorInterface::class);
 48 |         $this->corsConfigurationMock = $this->createMock(CorsConfigurationInterface::class);
 49 |         $this->provider = new CorsAllowMethodsHeaderProvider($this->corsConfigurationMock, $this->corsValidatorMock);
 50 |     }
 51 | 
 52 |     public function testGetName()
 53 |     {
 54 |         $this->assertEquals($this::HEADER_NAME, $this->provider->getName(), 'Wrong header name');
 55 |     }
 56 | 
 57 |     public function testGetDefaultHeaderValue()
 58 |     {
 59 |         $this->assertEquals($this::HEADER_VALUE, $this->provider->getValue(), 'Wrong default header value');
 60 |     }
 61 | 
 62 |     public function testGetValueWillReturnTheDefaultValueIfTheConfigurationIsEmpty()
 63 |     {
 64 |         $stubMethods = [];
 65 |         $this->corsConfigurationMock->method('getAllowedMethods')->willReturn($stubMethods);
 66 |         $this->assertEquals('GET,POST,OPTIONS', $this->provider->getValue());
 67 |     }
 68 | 
 69 |     public function testItUsesTheValueDefinedByScope()
 70 |     {
 71 |         $stubMethods = ['GET'];
 72 |         $this->corsConfigurationMock->method('getAllowedMethods')->willReturn($stubMethods);
 73 |         $this->assertEquals('GET', $this->provider->getValue());
 74 |     }
 75 | 
 76 |     public function testItWillReturnACommaSeparatedListOfHeadersIfThereAreMultipleHeadersConfigured()
 77 |     {
 78 |         $stubMethods = ['GET', 'POST', 'OPTIONS'];
 79 |         $this->corsConfigurationMock->method('getAllowedMethods')->willReturn($stubMethods);
 80 |         $this->assertEquals('GET,POST,OPTIONS', $this->provider->getValue());
 81 |     }
 82 | 
 83 |     /**
 84 |      * @dataProvider canApplyDataProvider
 85 |      */
 86 |     public function testCanApply($methods, $originResult, $isPreflightRequest, $expected)
 87 |     {
 88 |         $this->corsConfigurationMock->method('getAllowedMethods')->willReturn($methods);
 89 |         $this->corsValidatorMock->method('originIsValid')->willReturn($originResult);
 90 |         $this->corsValidatorMock->method('isPreflightRequest')->willReturn($isPreflightRequest);
 91 |         $this->assertEquals($expected, $this->provider->canApply(), 'Incorrect canApply result');
 92 |     }
 93 | 
 94 |     public function canApplyDataProvider()
 95 |     {
 96 |         return [
 97 |             'invalid origin, cors request' => [
 98 |                 ['GET', 'POST', 'OPTIONS'],
 99 |                 false,
100 |                 false,
101 |                 false,
102 |             ],
103 |             'invalid origin, preflight request' => [
104 |                 ['GET', 'POST', 'OPTIONS'],
105 |                 false,
106 |                 true,
107 |                 false,
108 |             ],
109 |             'valid origin, cors request, without configured methods' => [
110 |                 [],
111 |                 true,
112 |                 false,
113 |                 false,
114 |             ],
115 |             'valid origin, preflight request, without configured methods' => [
116 |                 [],
117 |                 true,
118 |                 true,
119 |                 true,
120 |             ],
121 |             'valid origin, cors request, with configured methods' => [
122 |                 ['GET', 'POST', 'OPTIONS'],
123 |                 true,
124 |                 false,
125 |                 false,
126 |             ],
127 |             'valid origin, preflight request, with configured methods' => [
128 |                 ['GET', 'POST', 'OPTIONS'],
129 |                 true,
130 |                 true,
131 |                 true,
132 |             ],
133 |         ];
134 |     }
135 | }
136 | 


--------------------------------------------------------------------------------
/Test/Unit/HeaderProvider/CorsAllowOriginHeaderProviderTest.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | 
  3 | /**
  4 |  * Copyright © Graycore, LLC. All rights reserved.
  5 |  * See LICENSE.md for details.
  6 |  */
  7 | 
  8 | namespace Graycore\Cors\Test\Unit\HeaderProvider;
  9 | 
 10 | use Graycore\Cors\Configuration\CorsConfigurationInterface;
 11 | use Graycore\Cors\Response\HeaderProvider\CorsAllowOriginHeaderProvider;
 12 | use Magento\Framework\App\Request\Http;
 13 | use Graycore\Cors\Validator\CorsValidatorInterface;
 14 | 
 15 | /**
 16 |  * Tests that the CORS AllowOrigin header is properly applied to a response
 17 |  *
 18 |  * @author    Graycore <damien@graycore.io>
 19 |  * @copyright Graycore, LLC (https://www.graycore.io/)
 20 |  * @license   MIT https://github.com/graycoreio/magento2-cors/license
 21 |  * @link      https://github.com/graycoreio/magento2-cors
 22 |  */
 23 | class CorsAllowOriginHeaderProviderTest extends \PHPUnit\Framework\TestCase
 24 | {
 25 |     /** Access-Control-Allow-Origin Header name */
 26 |     const HEADER_NAME = 'Access-Control-Allow-Origin';
 27 | 
 28 |     /**
 29 |      * Access-Control-Allow-Origin value
 30 |      */
 31 |     const HEADER_VALUE = '';
 32 | 
 33 |     /**
 34 |      * @var CorsAllowOriginHeaderProvider
 35 |      */
 36 |     protected $provider;
 37 | 
 38 |     /**
 39 |      * @var CorsValidatorInterface|\PHPUnit_Framework_MockObject_MockObject
 40 |      */
 41 |     protected $corsValidatorMock;
 42 | 
 43 |     /**
 44 |      * @var CorsConfigurationInterface|\PHPUnit_Framework_MockObject_MockObject
 45 |      */
 46 |     protected $corsConfigurationMock;
 47 | 
 48 |     /**
 49 |      * @var Http|\PHPUnit_Framework_MockObject_MockObject
 50 |      */
 51 |     protected $requestMock;
 52 | 
 53 |     protected function setUp(): void
 54 |     {
 55 |         $this->corsValidatorMock = $this->createMock(CorsValidatorInterface::class);
 56 |         $this->requestMock = $this->createMock(Http::class);
 57 |         $this->corsConfigurationMock = $this->createMock(CorsConfigurationInterface::class);
 58 | 
 59 |         $this->provider = new CorsAllowOriginHeaderProvider(
 60 |             $this->corsValidatorMock,
 61 |             $this->corsConfigurationMock,
 62 |             $this->requestMock
 63 |         );
 64 |     }
 65 | 
 66 |     public function testGetName()
 67 |     {
 68 |         $this->assertEquals($this::HEADER_NAME, $this->provider->getName(), 'Wrong header name');
 69 |     }
 70 | 
 71 |     public function testGetDefaultHeaderValue()
 72 |     {
 73 |         $this->assertEquals($this::HEADER_VALUE, $this->provider->getValue(), 'Wrong default header value');
 74 |     }
 75 | 
 76 |     /**
 77 |      * @dataProvider getValueDataProvider
 78 |      */
 79 |     public function testGetValue($allowedOrigins, $originHeader, $expected)
 80 |     {
 81 |         $this->corsConfigurationMock->method('getAllowedOrigins')->willReturn($allowedOrigins);
 82 |         $this->requestMock->method('getHeader')->willReturn($originHeader);
 83 |         $this->assertEquals($expected, $this->provider->getValue());
 84 |     }
 85 | 
 86 |     public function getValueDataProvider()
 87 |     {
 88 |         return [
 89 |             'valid origin' => [
 90 |                 ['https://www.google.com', 'https://www.example.com'],
 91 |                 'https://www.example.com',
 92 |                 'https://www.example.com',
 93 |             ],
 94 |             'wildcard origin' => [
 95 |                 ['*'],
 96 |                 'https://www.example.com',
 97 |                 '*',
 98 |             ],
 99 |         ];
100 |     }
101 | 
102 |     /**
103 |      * @dataProvider canApplyDataProvider
104 |      */
105 |     public function testCanApply($originIsValid, $requestOrigin, $expected)
106 |     {
107 |         $this->requestMock->method('getHeader')->willReturn($requestOrigin);
108 |         $this->corsValidatorMock->method('originIsValid')->willReturn($originIsValid);
109 | 
110 |         $this->assertEquals($expected, $this->provider->canApply(), 'Incorrect canApply result');
111 |     }
112 | 
113 |     public function canApplyDataProvider()
114 |     {
115 |         return [
116 |             'invalid origin' => [
117 |                 false,
118 |                 'https://www.someorigin.com',
119 |                 false,
120 |             ],
121 |             'valid origin' => [
122 |                 true,
123 |                 'https://www.someorigin.com',
124 |                 true,
125 |             ],
126 |         ];
127 |     }
128 | 
129 |     public function testWildcardOriginWithAllowCredentials()
130 |     {
131 |         $this->corsConfigurationMock->method('getAllowedOrigins')->willReturn(["*"]);
132 |         $this->corsConfigurationMock->method('getAllowCredentials')->willReturn(true);
133 |         $this->requestMock->method('getHeader')->willReturn("www.example.com");
134 |         $this->assertEquals("www.example.com", $this->provider->getValue());
135 |     }
136 | }
137 | 


--------------------------------------------------------------------------------
/Test/Unit/HeaderProvider/CorsMaxAgeHeaderProviderTest.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | /**
  3 |  * Copyright © Graycore, LLC. All rights reserved.
  4 |  * See LICENSE.md for details.
  5 |  */
  6 | namespace Graycore\Cors\Test\Unit\HeaderProvider;
  7 | 
  8 | use Graycore\Cors\Configuration\CorsConfigurationInterface;
  9 | use Graycore\Cors\Response\HeaderProvider\CorsMaxAgeHeaderProvider;
 10 | use Graycore\Cors\Validator\CorsValidator;
 11 | use Graycore\Cors\Validator\CorsValidatorInterface;
 12 | 
 13 | /**
 14 |  * Tests that the CORS MaxAge header
 15 |  * is properly applied to a response
 16 |  * @author    Graycore <damien@graycore.io>
 17 |  * @copyright Graycore, LLC (https://www.graycore.io/)
 18 |  * @license   MIT https://github.com/graycoreio/magento2-cors/license
 19 |  * @link      https://github.com/graycoreio/magento2-cors
 20 |  */
 21 | class CorsMaxAgeHeaderProviderTest extends \PHPUnit\Framework\TestCase
 22 | {
 23 |     /** Access-Control-Max-Age Header name */
 24 |     const HEADER_NAME = 'Access-Control-Max-Age';
 25 | 
 26 |     /**
 27 |      * Access-Control-Max-Age Header value
 28 |      */
 29 |     const HEADER_VALUE = '86400';
 30 | 
 31 |     /**
 32 |      * @var CorsMaxAgeHeaderProvider
 33 |      */
 34 |     protected $provider;
 35 | 
 36 |     /**
 37 |      * @var CorsValidatorInterface|\PHPUnit_Framework_MockObject_MockObject
 38 |      */
 39 |     protected $corsValidatorMock;
 40 | 
 41 |     /**
 42 |      * @var CorsConfigurationInterface|\PHPUnit_Framework_MockObject_MockObject
 43 |      */
 44 |     protected $corsConfigurationMock;
 45 | 
 46 |     protected function setUp(): void
 47 |     {
 48 |         $this->corsValidatorMock = $this->createMock(CorsValidatorInterface::class);
 49 |         $this->corsConfigurationMock = $this->createMock(CorsConfigurationInterface::class);
 50 |         $this->provider = new CorsMaxAgeHeaderProvider($this->corsConfigurationMock, $this->corsValidatorMock);
 51 |     }
 52 | 
 53 |     public function testGetName()
 54 |     {
 55 |         $this->assertEquals($this::HEADER_NAME, $this->provider->getName(), 'Wrong header name');
 56 |     }
 57 | 
 58 |     public function testGetValue()
 59 |     {
 60 |         $this->assertEquals($this::HEADER_VALUE, $this->provider->getValue(), 'Wrong default header value');
 61 |     }
 62 | 
 63 |     /**
 64 |      * @dataProvider canApplyDataProvider
 65 |      */
 66 |     public function testCanApply($maxAge, $originResult, $isPreflightRequest, $expected)
 67 |     {
 68 |         $this->corsConfigurationMock->method('getMaxAge')->willReturn($maxAge);
 69 |         $this->corsValidatorMock->method('originIsValid')->willReturn($originResult);
 70 |         $this->corsValidatorMock->method('isPreflightRequest')->willReturn($isPreflightRequest);
 71 |         $this->assertEquals($expected, $this->provider->canApply(), 'Incorrect canApply result');
 72 |     }
 73 | 
 74 |     public function canApplyDataProvider()
 75 |     {
 76 |         return [
 77 |             'invalid origin, cors request' => [
 78 |                 '1000',
 79 |                 false,
 80 |                 false,
 81 |                 false,
 82 |             ],
 83 |             'invalid origin, preflight request' => [
 84 |                 '1000',
 85 |                 false,
 86 |                 true,
 87 |                 false,
 88 |             ],
 89 |             'valid origin, cors request with null configured maxAge' => [
 90 |                 null,
 91 |                 true,
 92 |                 false,
 93 |                 false,
 94 |             ],
 95 |             'valid origin, preflight request with null configured maxAge' => [
 96 |                 null,
 97 |                 true,
 98 |                 true,
 99 |                 true,
100 |             ],
101 |             'valid origin, cors request with empty configured maxAge' => [
102 |                 '',
103 |                 true,
104 |                 false,
105 |                 false,
106 |             ],
107 |             'valid origin, preflight request with empty configured maxAge' => [
108 |                 '',
109 |                 true,
110 |                 true,
111 |                 true,
112 |             ],
113 |             'valid origin, cors request with configured age' => [
114 |                 '86400',
115 |                 true,
116 |                 false,
117 |                 false,
118 |             ],
119 |             'valid origin, preflight request with configured age' => [
120 |                 '86400',
121 |                 true,
122 |                 true,
123 |                 true,
124 |             ],
125 |         ];
126 |     }
127 | }
128 | 


--------------------------------------------------------------------------------
/Test/Unit/HeaderProvider/CorsVaryHeaderProviderTest.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | /**
 4 |  * Copyright © Graycore, LLC. All rights reserved.
 5 |  * See LICENSE.md for details.
 6 |  */
 7 | 
 8 | namespace Graycore\Cors\Response\HeaderProvider;
 9 | 
10 | use Graycore\Cors\Validator\CorsValidatorInterface;
11 | use PHPUnit\Framework\MockObject\MockObject;
12 | 
13 | /**
14 |  * Tests that the Vary header is properly applied to a response
15 |  * @author    Graycore <damien@graycore.io>
16 |  * @copyright Graycore, LLC (https://www.graycore.io/)
17 |  * @license   MIT https://github.com/graycoreio/magento2-cors/license
18 |  * @link      https://github.com/graycoreio/magento2-cors
19 |  */
20 | class CorsVaryHeaderProviderTest extends \PHPUnit\Framework\TestCase
21 | {
22 |     /** Vary Header name */
23 |     const HEADER_NAME = 'Vary';
24 | 
25 |     /**
26 |      * Vary Header value
27 |      */
28 |     const HEADER_VALUE = 'Origin';
29 | 
30 |     /**
31 |      * @var CorsVaryHeaderProvider
32 |      */
33 |     protected $provider;
34 | 
35 |     /**
36 |      * @var CorsValidatorInterface|MockObject
37 |      */
38 |     protected $corsValidatorMock;
39 | 
40 |     protected function setUp(): void
41 |     {
42 |         $this->provider = new CorsVaryHeaderProvider();
43 |     }
44 | 
45 |     public function testGetName()
46 |     {
47 |         $this->assertEquals($this::HEADER_NAME, $this->provider->getName(), 'Wrong header name');
48 |     }
49 | 
50 |     public function testGetValue()
51 |     {
52 |         $this->assertEquals($this::HEADER_VALUE, $this->provider->getValue(), 'Wrong default header value');
53 |     }
54 | 
55 |     public function testCanApply()
56 |     {
57 |         $this->assertEquals(true, $this->provider->canApply(), 'Incorrect canApply result');
58 |     }
59 | }
60 | 


--------------------------------------------------------------------------------
/Test/Unit/Validator/CorsValidatorTest.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | 
  3 | /**
  4 |  * Copyright © Graycore, LLC. All rights reserved.
  5 |  * See LICENSE.md for details.
  6 |  */
  7 | 
  8 | namespace Graycore\Cors\Test\Unit\Validator;
  9 | 
 10 | use Graycore\Cors\Configuration\CorsConfigurationInterface;
 11 | use Graycore\Cors\Validator\CorsValidator;
 12 | use Magento\Framework\App\Request\Http;
 13 | use Magento\Framework\TestFramework\Unit\Helper\ObjectManager as ObjectManagerHelper;
 14 | 
 15 | /**
 16 |  * Tests the request validation that verifies
 17 |  * that the CORS headers should be added to a request.
 18 |  * @author    Graycore <damien@graycore.io>
 19 |  * @copyright Graycore, LLC (https://www.graycore.io/)
 20 |  * @license   MIT https://github.com/graycoreio/magento2-cors/license
 21 |  * @link      https://github.com/graycoreio/magento2-cors
 22 |  */
 23 | class CorsValidatorTest extends \PHPUnit\Framework\TestCase
 24 | {
 25 |     /**
 26 |      * @var CorsValidator
 27 |      */
 28 |     protected $validator;
 29 | 
 30 |     /**
 31 |      * @var CorsConfigurationInterface|\PHPUnit_Framework_MockObject_MockObject
 32 |      */
 33 |     protected $configurationMock;
 34 | 
 35 |     /**
 36 |      * @var Http|\PHPUnit_Framework_MockObject_MockObject
 37 |      */
 38 |     protected $requestMock;
 39 | 
 40 |     protected function setUp(): void
 41 |     {
 42 |         $this->configurationMock = $this->createMock(CorsConfigurationInterface::class);
 43 |         $this->requestMock = $this->createMock(Http::class);
 44 |         $this->validator = new CorsValidator($this->configurationMock, $this->requestMock);
 45 |     }
 46 | 
 47 |     /**
 48 |      * @dataProvider originIsValidDataProvider
 49 |      */
 50 |     public function testOriginIsValid($allowedOrigins, $requestOrigin, $expected)
 51 |     {
 52 |         $this->configurationMock->method('getAllowedOrigins')->willReturn($allowedOrigins);
 53 |         $this->requestMock->method('getHeader')->willReturn($requestOrigin);
 54 |         return $this->assertEquals($expected, $this->validator->originIsValid());
 55 |     }
 56 | 
 57 |     public function testInvalidOriginScheme()
 58 |     {
 59 |         $this->configurationMock->method('getAllowedOrigins')->willReturn(['*']);
 60 |         $this->requestMock->method('getHeader')->willThrowException(
 61 |             new \InvalidArgumentException
 62 |         );
 63 |         return $this->assertEquals(false, $this->validator->originIsValid());
 64 |     }
 65 | 
 66 |     public function originIsValidDataProvider()
 67 |     {
 68 |         return [
 69 |             'valid origin' => [
 70 |                 ['https://www.example.com'],
 71 |                 'https://www.example.com',
 72 |                 true,
 73 |             ],
 74 |             'valid origin with multiple configured origins' => [
 75 |                 ['https://www.example.com', 'https://www.myotherexample.com'],
 76 |                 'https://www.example.com',
 77 |                 true,
 78 |             ],
 79 |             'invalid origin with configured origins' => [
 80 |                 ['https://www.example.com', 'https://www.myotherexample.com'],
 81 |                 'https://www.amalicicousdomain.com',
 82 |                 false,
 83 |             ],
 84 |             'valid origin domain with invalid origin protocol (http)' => [
 85 |                 ['https://www.example.com'],
 86 |                 'http://www.example.com',
 87 |                 false,
 88 |             ],
 89 |             'valid origin domain with invalid origin protocol (https)' => [
 90 |                 ['http://www.example.com'],
 91 |                 'https://www.example.com',
 92 |                 false,
 93 |             ],
 94 |             'invalid origin with no configured origins' => [
 95 |                 [],
 96 |                 'https://www.amalicicousdomain.com',
 97 |                 false,
 98 |             ],
 99 |             'any origin with a wildcard configured' => [
100 |                 ['*'],
101 |                 'https://some.random.domain',
102 |                 true,
103 |             ],
104 |         ];
105 |     }
106 | 
107 |     /**
108 |      * @dataProvider preflightTestDataProvider
109 |      */
110 |     public function testIsPreflightRequest($allowedOrigins, $requestOrigin, $method, $result)
111 |     {
112 |         $this->configurationMock->method('getAllowedOrigins')->willReturn($allowedOrigins);
113 |         $this->requestMock->method('getHeader')->willReturn($requestOrigin);
114 |         $this->requestMock->method('getMethod')->willReturn($method);
115 | 
116 |         return $this->assertEquals($result, $this->validator->isPreflightRequest());
117 |     }
118 | 
119 |     public function preflightTestDataProvider()
120 |     {
121 |         return [
122 |             'valid origin as GET' => [
123 |                 ['https://www.example.com'],
124 |                 'https://www.example.com',
125 |                 'GET',
126 |                 false,
127 |             ],
128 |             'valid origin as OPTIONS' => [
129 |                 ['https://www.example.com', 'https://www.myotherexample.com'],
130 |                 'https://www.example.com',
131 |                 'OPTIONS',
132 |                 true,
133 |             ],
134 |             'invalid origin as GET' => [
135 |                 ['https://www.example.com'],
136 |                 'https://www.anotherdomain.com',
137 |                 'GET',
138 |                 false,
139 |             ],
140 |             'invalid origin as OPTIONS' => [
141 |                 ['https://www.example.com', 'https://www.myotherexample.com'],
142 |                 'https://www.anotherdomain.com',
143 |                 'OPTIONS',
144 |                 true,
145 |             ],
146 |         ];
147 |     }
148 | }
149 | 


--------------------------------------------------------------------------------
/Validator/CorsValidator.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | 
  3 | namespace Graycore\Cors\Validator;
  4 | 
  5 | use Graycore\Cors\Configuration\CorsConfigurationInterface;
  6 | use Magento\Framework\App\Config\ScopeConfigInterface;
  7 | use Magento\Framework\App\RequestInterface;
  8 | use Magento\Framework\App\Request\Http as HttpRequest;
  9 | 
 10 | /**
 11 |  * CorsValidator is responsible for validating that a request should
 12 |  * apply CORS headers to its response.
 13 |  * @author    Graycore <damien@graycore.io>
 14 |  * @copyright Graycore, LLC (https://www.graycore.io/)
 15 |  * @license   MIT https://github.com/graycoreio/magento2-cors/license
 16 |  * @link      https://github.com/graycoreio/magento2-cors
 17 |  */
 18 | class CorsValidator implements CorsValidatorInterface
 19 | {
 20 | 
 21 |     /** @var CorsConfigurationInterface */
 22 |     protected $configuration;
 23 | 
 24 |     /** @var HttpRequest */
 25 |     protected $request;
 26 | 
 27 |     /**
 28 |      * CorsAllowHeadersHeaderProvider constructor.
 29 |      *
 30 |      * @param CorsConfigurationInterface $configuration
 31 |      * @param RequestInterface $request
 32 |      */
 33 |     public function __construct(CorsConfigurationInterface $configuration, RequestInterface $request)
 34 |     {
 35 |         $this->configuration = $configuration;
 36 |         $this->request = $request;
 37 |     }
 38 | 
 39 |     /**
 40 |      * Determines whether or not the request origin
 41 |      * is one of the origins configured for the application.
 42 |      * @return bool
 43 |      */
 44 |     private function requestOriginExistsInConfiguration()
 45 |     {
 46 |         return in_array($this->request->getHeader('Origin'), $this->configuration->getAllowedOrigins());
 47 |     }
 48 | 
 49 |     /**
 50 |      * Determines whether or the configuration specifies that
 51 |      * all origins should be allowed.
 52 |      * @return bool
 53 |      */
 54 |     private function configurationIsWildcard(): bool
 55 |     {
 56 |         return in_array('*', $this->configuration->getAllowedOrigins());
 57 |     }
 58 | 
 59 |     /**
 60 |      * Determines whether or not the origin of a request is valid
 61 |      * and should have CORS headers applied.
 62 |      * @return bool
 63 |      */
 64 |     public function originIsValid(): bool
 65 |     {
 66 |         if ($this->request instanceof HttpRequest) {
 67 |             //Validate that we're working with something that cares about CORS
 68 |             if (!$this->originHeaderExists()) {
 69 |                 return false;
 70 |             }
 71 | 
 72 |             return $this->configurationIsWildcard() || $this->requestOriginExistsInConfiguration();
 73 |         }
 74 | 
 75 |         return false;
 76 |     }
 77 | 
 78 |     /**
 79 |      * @inheritdoc
 80 |      */
 81 |     public function isPreflightRequest(): bool
 82 |     {
 83 |         if ($this->request instanceof HttpRequest) {
 84 |             return $this->request->getMethod() == "OPTIONS" && $this->originHeaderExists();
 85 |         }
 86 | 
 87 |         return false;
 88 |     }
 89 | 
 90 |     /**
 91 |      * Determines whether an origin header exists with a valid scheme.
 92 |      * @return bool
 93 |      */
 94 |     private function originHeaderExists(): bool
 95 |     {
 96 |         try {
 97 |             return $this->request->getHeader('Origin') ? true : false;
 98 |         } catch (\InvalidArgumentException $exception) {
 99 |             // In the event of an invalid URI scheme, e.g. chrome-extension://
100 |             return false;
101 |         }
102 |     }
103 | }
104 | 


--------------------------------------------------------------------------------
/Validator/CorsValidatorInterface.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | namespace Graycore\Cors\Validator;
 4 | 
 5 | /**
 6 |  * CorsValidator is responsible for validating that a request should
 7 |  * apply CORS headers to its response.
 8 |  */
 9 | interface CorsValidatorInterface
10 | {
11 | 
12 |     /**
13 |      * Determines whether or not the origin of a request is valid
14 |      * and should have CORS headers applied.
15 |      * @api
16 |      * @return bool
17 |      */
18 |     public function originIsValid(): bool;
19 | 
20 |     /**
21 |      * Determines whether or not the current request is a preflight request.
22 |      * @api
23 |      */
24 |     public function isPreflightRequest(): bool;
25 | }
26 | 


--------------------------------------------------------------------------------
/composer.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "name": "graycore/magento2-cors",
 3 |     "description": "A Magento 2 module that enables CORS on the GraphQL and REST Apis",
 4 |     "type": "magento2-module",
 5 |     "license": "MIT",
 6 |     "authors": [
 7 |         {
 8 |             "name": "Damien Retzinger",
 9 |             "email": "damienwebdev@gmail.com"
10 |         }
11 |     ],
12 |     "scripts": {
13 |         "test": "phpunit --bootstrap vendor/autoload.php test",
14 |         "unit-test": "vendor/bin/phpunit ./Test/Unit",
15 |         "lint": "phpcs . --standard=Magento2 --ignore='vendor/*'",
16 |         "post-install-cmd": [
17 |             "([ $COMPOSER_DEV_MODE -eq 0 ] || vendor/bin/phpcs --config-set installed_paths ../../magento/magento-coding-standard/)"
18 |         ],
19 |         "post-update-cmd": [
20 |             "([ $COMPOSER_DEV_MODE -eq 0 ] || vendor/bin/phpcs --config-set installed_paths ../../magento/magento-coding-standard/)"
21 |         ]
22 |     },
23 |     "archive": {
24 |         "exclude": [
25 |             "/docs",
26 |             "/Test",
27 |             "README.md"
28 |         ]
29 |     },
30 |     "minimum-stability": "stable",
31 |     "autoload": {
32 |         "psr-4": {
33 |             "Graycore\\Cors\\": ""
34 |         },
35 |         "files": [
36 |             "registration.php"
37 |         ]
38 |     },
39 |     "require": {
40 |         "magento/framework": "^102.0 || ^103.0"
41 |     },
42 |     "require-dev": {
43 |         "magento/magento-coding-standard": ">=6.0",
44 |         "phpunit/phpunit": "^8.2 || ^9.0",
45 |         "squizlabs/php_codesniffer": "^3.4"
46 |     },
47 |     "repositories": {
48 |         "0": {
49 |             "type": "composer",
50 |             "url": "https://repo.magento.com/"
51 |         }
52 |     },
53 |     "config": {
54 |         "preferred-install": "dist",
55 |         "sort-packages": true,
56 |         "allow-plugins": {
57 |             "magento/composer-dependency-version-audit-plugin": true,
58 |             "dealerdirect/phpcodesniffer-composer-installer": true
59 |         }
60 |     }
61 | }
62 | 


--------------------------------------------------------------------------------
/docs/DEVELOPER.md:
--------------------------------------------------------------------------------
 1 | # Developer Documentation
 2 | 
 3 | ## Contributing
 4 | Please read the [contributing guidelines here](https://github.com/graycoreio/magento2-cors/blob/develop/CONTRIBUTING.md).
 5 | 
 6 | ## Building the Project
 7 | This project is intended to be installed as a composer dependency for a Magento application, so if you're working with it as a custom module, you'll need to install your own Magento instance and then this project as a dependency.
 8 | 
 9 | ### Prerequisites
10 | * [Git](https://git-scm.com/)
11 | * PHP 7.2+
12 | * [Magento](https://github.com/magento/magento2)
13 |     * Check the versions supported by the project in the README
14 | * [Composer](https://getcomposer.org/)
15 | 
16 | 
17 | ## Testing
18 | Tests help us ensure code quality and backwards compatibility across various Magento and PHP versions. Please make sure you write clear and concise tests BEFORE you write your code, otherwise there will be no way to verify that your tests achieve the intended goals.
19 | 
20 | ### Unit Tests
21 | You can run the unit tests by defined by the `composer` script.
22 | 
23 | ```bash 
24 | composer run-script unit-test
25 | ```
26 | 
27 | ## Integration Tests
28 | These must be run from the Magento application's `dev/tests/integration` directory.
29 | 
30 | ```bash
31 | ../../../vendor/bin/phpunit --testsuite "Graycore_Magento2Cors"
32 | ```


--------------------------------------------------------------------------------
/docs/build/README.md:
--------------------------------------------------------------------------------
1 | # Build Environment
2 | 
3 | We run the Unit and Integration tests on Azure DevOps. The container that runs the tests has [certain capabilities](https://github.com/actions/virtual-environments/blob/master/images/linux/Ubuntu1604-README.md).


--------------------------------------------------------------------------------
/docs/faq/faqs.md:
--------------------------------------------------------------------------------
1 | # FAQ
2 | 
3 | ## Can I configure this package from the admin panel?
4 | No. We will never merge a PR that allows an administrator to modify CORS headers from the admin panel. CORS Headers
5 | should only be configured by qualified developers and security administrators. CORS is fundamentally a security relaxation protocol with significant ramifications when misconfigured. Allowing access from the admin panel circumvents the **critical** knowledge pathway and will put user information at risk, which we will not allow under any circumstances.
6 | 


--------------------------------------------------------------------------------
/docs/stories/configuring-the-headers.md:
--------------------------------------------------------------------------------
 1 | # Configuring CORS Headers
 2 | 
 3 | ## Available Configurations
 4 | We provide several configuration keys for you to configure. The configurations between REST and GraphQL are split to accomodate the "Security by Default" mentality.  
 5 | 
 6 | * `web/graphql/cors_allowed_origins` - A comma separated list of the origins allowed to the access the GraphQL API
 7 | * `web/graphql/cors_allowed_methods` - A comma separated list of the allowed request methods
 8 | * `web/graphql/cors_allowed_headers` - A comma separated list of the allowed response headers
 9 | * `web/graphql/cors_max_age` - The duration that the CORS policy should be cached for.
10 | * `web/graphql/cors_expose_headers` - A comma separated list that indicates which headers can be exposed as part of the response.
11 | * `web/graphql/cors_allow_credentials` - Whether to allow credentials on CORS requests
12 | 
13 | * `web/api_rest/cors_allowed_origins` - A comma separated list of the origins allowed to the access the REST API
14 | * `web/api_rest/cors_allowed_methods` - A comma separated list of the allowed request methods
15 | * `web/api_rest/cors_allowed_headers` - A comma separated list of the allowed response headers
16 | * `web/api_rest/cors_max_age` - The duration that the CORS policy should be cached for.
17 | * `web/api_rest/cors_expose_headers` - A comma separated list that indicates which headers can be exposed as part of the response.
18 | * `web/api_rest/cors_allow_credentials` - Whether to allow credentials on CORS requests
19 | 
20 | ### Configuring for local or on-premises installations
21 | 
22 | You can add the following to your `app/etc/env.php` to configure the package.
23 | 
24 | ```php
25 | <?php
26 | return [
27 |     ...
28 |     'system' => [
29 |         'default' => [
30 |             'web' => [
31 |                 'graphql' => [
32 |                     'cors_allowed_origins' => 'https://www.graphql.com, https://www.myotherallowedorigin',
33 |                     'cors_allowed_methods' => 'POST, OPTIONS',
34 |                     'cors_allowed_headers' => '',
35 |                     'cors_max_age' => '86400',
36 |                     'cors_allow_credentials' => 1
37 |                 ],
38 |                 'api_rest' => [
39 |                     'cors_allowed_origins' => 'https://www.restapi.com, https://www.myotherallowedorigin',
40 |                     'cors_allowed_methods' => 'GET, POST, OPTIONS',
41 |                     'cors_allowed_headers' => '',
42 |                     'cors_max_age' => '86400',
43 |                     'cors_allow_credentials' => 0
44 |                 ]
45 |             ]
46 |         ]
47 |     ]
48 |     ...
49 | ];
50 | ```
51 | 
52 | > You can also optionally set the `cors_allowed_origins` key to `*` if you want to allow ALL origins access to the resource, but we strongly suggest you [understand the ramifications of this before doing so.](/docs/stories/no-wild-card.md)
53 | Note also that the CORS specification disallows a wildcard for Allowed Origins if the `cors_allow_credentials` flag is enabled. If this is the case, the server will instead echo the request Origin back as the Allow-Origin value. 
54 | 
55 | ### Configuring for Commerce Cloud
56 | 
57 | In Commerce Cloud environments, the app/etc/env.php file is unavailable for configuring this module. Instead, use the cloud UI to set ENV settings, as documented at https://experienceleague.adobe.com/docs/commerce-cloud-service/user-guide/configure/env/variable-levels.html and https://experienceleague.adobe.com/en/docs/commerce-operations/configuration-guide/paths/override-config-settings.
58 | Here's an example of syntax for the cors_allowed_methods value:
59 | ![Image from Commerce Cloud UI](./examples/cors_allowed_methods-in-cloud.jpg)
60 | 
61 | ## Examples
62 | * [PWAs (Angular, PWA Studio, etc)](./examples/pwa-configuration.php)
63 | 


--------------------------------------------------------------------------------
/docs/stories/examples/cors_allowed_methods-in-cloud.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/graycoreio/magento2-cors/62bd00bba77ab690ae75a6516f7707d4b2d4cb03/docs/stories/examples/cors_allowed_methods-in-cloud.jpg


--------------------------------------------------------------------------------
/docs/stories/examples/pwa-configuration.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | return [
 4 |     'system' => [
 5 |         'default' => [
 6 |             'web' => [
 7 |                 'graphql' => [
 8 |                     'cors_max_age' => 86400,
 9 |                     'cors_allow_credentials' => 1,
10 |                     'cors_allowed_methods' => 'POST, OPTIONS, GET',
11 |                     'cors_expose_headers' => 'X-Magento-Cache-Id',
12 |                     'cors_allowed_headers' =>
13 |                         'Content-Currency, Store, X-Magento-Cache-Id, X-Captcha, Content-Type, Authorization, DNT, TE',
14 |                     // Angular
15 |                     'cors_allowed_origins' =>
16 |                         'http://localhost:4200, https://localhost:4200',
17 |                     // Angular + Universal
18 |                     'cors_allowed_origins' =>
19 |                         'http://localhost:4200, https://localhost:4200, http://localhost:4000, https://localhost:4000',
20 |                     // Express
21 |                     'cors_allowed_origins' =>
22 |                         'https://frontend.example.com, http://localhost:3000, https://localhost:3000',
23 |                     // PWA Studio (PWA Studio Generates a random port, so we can't provide a configuration)
24 |                 ]
25 |             ]
26 |         ]
27 |     ]
28 | ];


--------------------------------------------------------------------------------
/docs/stories/no-wild-card.md:
--------------------------------------------------------------------------------
 1 | The `Access-Control-Allow-Origin` header (a key piece of the CORS protocol) plays a crucial role in determining which websites are allowed to access resources from a server. This header allows a server to specify which origins are allowed to access its resources, thereby providing a security layer to protect against unauthorized access.
 2 | 
 3 | However, there is a particular case where developers sometimes use the wildcard `*` value for the `Access-Control-Allow-Origin` header, which means that any origin is allowed to access the server's resources. While this might seem like a convenient shortcut, it is a particularly bad idea to use this approach. It is even more unfortunate that many documentation websites and articles geared toward developers broadly recommend this.
 4 | 
 5 | The primary reason why using the wildcard `*` value for `Access-Control-Allow-Origin` is not recommended is that it opens up the server to potential security risks. By allowing any website to access its resources, the server becomes vulnerable to cross-site scripting (XSS) attacks, where malicious code can be injected into the server's response and executed in the user's browser. This can result in sensitive user data being stolen or manipulated, and the attacker gaining unauthorized access to the server's resources. Moreover, when any origin is allowed to access its resources, anyone can replicate the HTML/CSS/JS that exists on a website, copy it to another domain, `www.hackerwebsite.com` for instance. Now, to the end user, everything not only looks the same, but it also allows them to access their information on a potentially malicious client that may not only look exactly the way they expect, but also act exactly the same.
 6 | 
 7 | For an example, let's say there is a server with the URL "https://example.com" that allows any origin to access its resources by setting the `Access-Control-Allow-Origin` header to "*". An attacker can create a fake website with the URL "https://malicious.com" and inject a script that sends a request to the server using the user's credentials.
 8 | 
 9 | Here are some example cURL commands that demonstrate the attack:
10 | 
11 | A legitimate request to the server as if made by a client that respects the CORS protocol (A web browser for example):
12 | 
13 | ```bash
14 | curl https://example.com/api/data \
15 |   -H 'Origin: https://example.com' \
16 |   -H 'Authorization: Bearer <access_token>'
17 | ```
18 | 
19 | This request sends an authorization token to the server and retrieves data from the API.
20 | 
21 | An attack using the malicious website:
22 | 
23 | ```bash
24 | curl https://example.com/api/data \
25 |   -H 'Origin: https://malicious.com' \
26 |   -H 'Authorization: Bearer <access_token>'
27 | ```
28 | 
29 | This request sends the same authorization token to the server but with a different origin, which is the malicious website. Since the server allows any origin to access its resources, the request will be accepted, and the attacker can retrieve sensitive data from the server's API.
30 | 
31 | In conclusion, using the wildcard (*) value for Access-Control-Allow-Origin is not recommended due to the potential security risks and privacy violations. Instead, developers should take the time to specify the appropriate origins that are allowed to access their server's resources, ensuring that their website is secure, compliant, and provides a good user experience.
32 | 


--------------------------------------------------------------------------------
/docs/stories/security.md:
--------------------------------------------------------------------------------
1 | # Security
2 | 
3 | ## Security By Default
4 | By default this extension will do nothing! This is entirely by design. In order for you to add CORS headers, we HIGHLY recommend [understanding the security risks involved with CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS).
5 | 
6 | We want to you configure the module to do precisely what you want. To make this process easier, you can [follow along with our configuration guide](/docs/stories/configuring-the-headers.md).


--------------------------------------------------------------------------------
/docs/stories/varnish.md:
--------------------------------------------------------------------------------
 1 | # CORS Support with Varnish
 2 | 
 3 | In order to work with Varish and have Varnish served the cache response to an OPTIONS request, you'll need to make some minor adjustments to your `.vcl`.
 4 | 
 5 | ## Varnish 6
 6 | ```VCL
 7 | sub vcl_recv {
 8 |     ...
 9 |     # We only deal with GET, HEAD and OPTIONS by default
10 |     if (req.method != "GET" && req.method != "HEAD" && req.method != "OPTIONS") {
11 |         return (pass);
12 |     }
13 | 
14 |     # Since "OPTIONS" are cached differently, we need to store a special "x-method" for later
15 |     # swapping otherwise, varnish will turn our "OPTIONS" into a "GET".
16 |     # REF: CORS-OPTIONS
17 |     if (req.method ~ "OPTIONS") {
18 |         set req.http.x-method = req.method;
19 |     }
20 |     ...
21 | }
22 | 
23 | sub vcl_backend_fetch {
24 |     # Since "OPTIONS" are cached differently, we need to store a special "x-method" for later
25 |     # swapping otherwise, varnish will turn our "OPTIONS" into a "GET".
26 |     # REF: CORS-OPTIONS
27 |     if (bereq.http.x-method ~ "OPTIONS") {
28 |         set bereq.method = bereq.http.x-method;
29 |     }
30 | }
31 | 
32 | sub vcl_hash {
33 |     ...
34 | 
35 |     # Ensure that Varnish caches per method type.
36 |     if (req.method ~ "OPTIONS") {
37 |         hash_data(req.method);
38 |     }
39 |     ...
40 | }
41 | 
42 | sub vcl_backend_response {
43 |     ...
44 | 
45 |     # validate if we need to cache it and prevent from setting cookie
46 |     if (beresp.ttl > 0s && (bereq.method == "GET" || bereq.method == "HEAD" || bereq.method == "OPTIONS")) {
47 |         unset beresp.http.set-cookie;
48 |     }
49 | 
50 |     ...
51 | }
52 | ```


--------------------------------------------------------------------------------
/docs/upgrading/guide.md:
--------------------------------------------------------------------------------
 1 | # Upgrade Guide
 2 | 
 3 | When we make breaking changes, we will post the breaking changes here.
 4 | 
 5 | ## v1.* to v2.0
 6 | 
 7 | The layer in which we compute whether or not an incoming preflight request receives CORS headers has changed in v2.0.0. Previously, we leveraged a plugin around the relevant native Magento 2 Controller (webapi_rest/graphql) and as a result, we incurred significant overhead from Magento code when computing CORS headers. 
 8 | 
 9 | In v2.0, we no longer incur this overhead by adding a plugin around application launch and creating our own custom controller. It is **very possible** that we broke expectations of anything that plugs-in around this plugin or adds additional CORS headers other than our own. 
10 | 
11 | For 99.99% of GraphQl/Rest API deployments, the API is used sessionlessly. As such, we can take the opportunity to improve performance for the majority at the expense of the minority. If this breaks your codebase, please submit an issue and we will see what can be done to remedy your specific use-case.
12 | 
13 | In theory, most dependents simply need to upgrade to v2.0 and there are no breaking changes. 
14 | 
15 | **However,** if you were expecting to use the native GraphQl/REST controller when computing CORS headers (and everything else that entails - like having a Magento session, for example) that guarantee is no-longer provided.
16 | 
17 | 


--------------------------------------------------------------------------------
/etc/config.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0"?>
 2 | <config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 3 |         xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Store:etc/config.xsd">
 4 |     <default>
 5 |         <web>
 6 |             <api_rest>
 7 |                 <cors_allowed_origins></cors_allowed_origins>
 8 |                 <cors_allowed_methods></cors_allowed_methods>
 9 |                 <cors_allowed_headers></cors_allowed_headers>
10 |                 <cors_max_age>86400</cors_max_age>
11 |                 <cors_allow_credentials>0</cors_allow_credentials>
12 |             </api_rest>
13 |             <graphql>
14 |                 <cors_allowed_origins></cors_allowed_origins>
15 |                 <cors_allowed_methods></cors_allowed_methods>
16 |                 <cors_allowed_headers></cors_allowed_headers>
17 |                 <cors_max_age>86400</cors_max_age>
18 |                 <cors_allow_credentials>0</cors_allow_credentials>
19 |             </graphql>
20 |         </web>
21 |     </default>
22 | </config>


--------------------------------------------------------------------------------
/etc/di.xml:
--------------------------------------------------------------------------------
1 | <?xml version="1.0"?>
2 | <config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
3 |     <type name="Magento\Framework\AppInterface">
4 |         <plugin name="graycoreCorsLauncher" type="Graycore\Cors\Plugin\FastLauncher"/>
5 |     </type>
6 | </config>
7 | 


--------------------------------------------------------------------------------
/etc/graphql/di.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0"?>
 2 | <config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
 3 |     <preference for="Graycore\Cors\Configuration\CorsConfigurationInterface" type="Graycore\Cors\Configuration\GraphQl\CorsConfiguration" />
 4 |     <preference for="Graycore\Cors\Validator\CorsValidatorInterface" type="Graycore\Cors\Validator\CorsValidator"/>
 5 |     <type name="Magento\Framework\App\Response\HeaderManager">
 6 |         <arguments>
 7 |             <argument name="headerProviderList" xsi:type="array">
 8 |                 <item name="CorsAllowHeaders" xsi:type="object">Graycore\Cors\Response\HeaderProvider\CorsAllowHeadersHeaderProvider</item>
 9 |                 <item name="CorsAllowOrigin" xsi:type="object">Graycore\Cors\Response\HeaderProvider\CorsAllowOriginHeaderProvider</item>
10 |                 <item name="CorsAllowMethods" xsi:type="object">Graycore\Cors\Response\HeaderProvider\CorsAllowMethodsHeaderProvider</item>
11 |                 <item name="CorsMaxAge" xsi:type="object">Graycore\Cors\Response\HeaderProvider\CorsMaxAgeHeaderProvider</item>
12 |                 <item name="CorsExposeHeaders" xsi:type="object">Graycore\Cors\Response\HeaderProvider\CorsExposeHeadersProvider</item>
13 |                 <item name="CorsAllowCredentials" xsi:type="object">Graycore\Cors\Response\HeaderProvider\CorsAllowCredentialsHeaderProvider</item>
14 |                 <item name="CorsVary" xsi:type="object">Graycore\Cors\Response\HeaderProvider\CorsVaryHeaderProvider</item>
15 |             </argument>
16 |         </arguments>
17 |     </type>
18 |     <type name="Graycore\Cors\Response\HeaderManager">
19 |         <arguments>
20 |             <argument name="headerProviderList" xsi:type="array">
21 |                 <item name="CorsAllowHeaders" xsi:type="object">Graycore\Cors\Response\HeaderProvider\CorsAllowHeadersHeaderProvider</item>
22 |                 <item name="CorsAllowOrigin" xsi:type="object">Graycore\Cors\Response\HeaderProvider\CorsAllowOriginHeaderProvider</item>
23 |                 <item name="CorsAllowMethods" xsi:type="object">Graycore\Cors\Response\HeaderProvider\CorsAllowMethodsHeaderProvider</item>
24 |                 <item name="CorsMaxAge" xsi:type="object">Graycore\Cors\Response\HeaderProvider\CorsMaxAgeHeaderProvider</item>
25 |                 <item name="CorsExposeHeaders" xsi:type="object">Graycore\Cors\Response\HeaderProvider\CorsExposeHeadersProvider</item>
26 |                 <item name="CorsAllowCredentials" xsi:type="object">Graycore\Cors\Response\HeaderProvider\CorsAllowCredentialsHeaderProvider</item>
27 |                 <item name="CorsVary" xsi:type="object">Graycore\Cors\Response\HeaderProvider\CorsVaryHeaderProvider</item>
28 |             </argument>
29 |         </arguments>
30 |     </type>
31 |     <type name="Magento\GraphQl\Controller\GraphQl">
32 |         <plugin name="graycoreCorsPreflightHandlerGraphQl" type="Graycore\Cors\Response\Preflight\GraphQl\PreflightRequestHandler" />
33 |     </type>
34 | </config>


--------------------------------------------------------------------------------
/etc/module.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0"?>
 2 | <config
 3 |     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"       xsi:noNamespaceSchemaLocation="urn:magento:framework:Module/etc/module.xsd">
 4 |     <module name="Graycore_Cors" setup_version="1.0.0">
 5 |         <sequence>
 6 |             <module name="Magento_Catalog"/>
 7 |             <module name="Magento_Store"/>
 8 |             <module name="Magento_GraphQl"/>
 9 |             <module name="Magento_Webapi"/>
10 |         </sequence>
11 |     </module>
12 | </config>


--------------------------------------------------------------------------------
/etc/webapi_rest/di.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0"?>
 2 | <config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:ObjectManager/etc/config.xsd">
 3 |     <preference for="Graycore\Cors\Configuration\CorsConfigurationInterface" type="Graycore\Cors\Configuration\Rest\CorsConfiguration" />
 4 |     <preference for="Graycore\Cors\Validator\CorsValidatorInterface" type="Graycore\Cors\Validator\CorsValidator"/>
 5 |     <type name="Graycore\Cors\Response\HeaderManager">
 6 |         <arguments>
 7 |             <argument name="headerProviderList" xsi:type="array">
 8 |                 <item name="CorsAllowHeaders" xsi:type="object">Graycore\Cors\Response\HeaderProvider\CorsAllowHeadersHeaderProvider</item>
 9 |                 <item name="CorsAllowOrigin" xsi:type="object">Graycore\Cors\Response\HeaderProvider\CorsAllowOriginHeaderProvider</item>
10 |                 <item name="CorsAllowMethods" xsi:type="object">Graycore\Cors\Response\HeaderProvider\CorsAllowMethodsHeaderProvider</item>
11 |                 <item name="CorsMaxAge" xsi:type="object">Graycore\Cors\Response\HeaderProvider\CorsMaxAgeHeaderProvider</item>
12 |                 <item name="CorsExposeHeaders" xsi:type="object">Graycore\Cors\Response\HeaderProvider\CorsExposeHeadersProvider</item>
13 |                 <item name="CorsAllowCredentials" xsi:type="object">Graycore\Cors\Response\HeaderProvider\CorsAllowCredentialsHeaderProvider</item>
14 |                 <item name="CorsVary" xsi:type="object">Graycore\Cors\Response\HeaderProvider\CorsVaryHeaderProvider</item>
15 |             </argument>
16 |         </arguments>
17 |     </type>
18 |     <type name="Magento\Webapi\Controller\Rest">
19 |         <plugin name="graycoreCorsPreflightHandlerRest" type="Graycore\Cors\Response\Preflight\Rest\PreflightRequestHandler" />
20 |     </type>
21 |     <type name="Magento\Framework\Webapi\Rest\Request">
22 |         <plugin name="cors_request_options" type="Graycore\Cors\Request\RestRequest" />
23 |     </type>
24 |     <type name="Magento\Framework\Webapi\Rest\Response">
25 |         <plugin name="genericWebApiHeaderPlugin" type="Graycore\Cors\Response\HeaderManager"/>
26 |     </type>
27 | </config>


--------------------------------------------------------------------------------
/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "name": "@graycore/magento2-cors",
 3 |   "description": "A Magento 2 module that enables CORS on the GraphQL API",
 4 |   "version": "2.0.0",
 5 |   "directories": {
 6 |     "doc": "docs"
 7 |   },
 8 |   "private": true,
 9 |   "repository": {
10 |     "type": "git",
11 |     "url": "git+https://github.com/graycoreio/magento2-cors.git"
12 |   },
13 |   "scripts": {
14 |     "release": "standard-version"
15 |   },
16 |   "author": "Damien Retzinger<damienwebdev@gmail.com>",
17 |   "license": "MIT",
18 |   "bugs": {
19 |     "url": "https://github.com/graycoreio/magento2-cors/issues"
20 |   },
21 |   "homepage": "https://github.com/graycoreio/magento2-cors#readme",
22 |   "devDependencies": {
23 |     "standard-version": "^9.1.1"
24 |   }
25 | }
26 | 


--------------------------------------------------------------------------------
/registration.php:
--------------------------------------------------------------------------------
1 | <?php declare(strict_types=1);
2 | 
3 | use \Magento\Framework\Component\ComponentRegistrar;
4 | 
5 | ComponentRegistrar::register(ComponentRegistrar::MODULE, 'Graycore_Cors', __DIR__);
6 | 


--------------------------------------------------------------------------------
/release-please-config.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "bootstrap-sha": "e65e6708a9ac8cbe9835b99ffc60a8f307e1310f",
 3 |   "bump-minor-pre-major": true,
 4 |   "bump-patch-for-minor-pre-major": true,
 5 |   "draft-pull-request": true,
 6 |   "prerelease": true,
 7 |   "include-component-in-tag": false,
 8 |   "include-v-in-tag": true,
 9 |   "pull-request-title-pattern": "chore: release ${version}",
10 |   "packages": {
11 |     ".": {
12 |       "release-type": "php"
13 |     }
14 |   }
15 | }
16 | 


--------------------------------------------------------------------------------