/**
* Attach a CORS origin header to the given response, if allowed.
* Returns true if an origin header was set; false, otherwise.
*
* @param Response $response
* @param string $origin
*
* @return bool
*/
public static function attachOriginHeader($response, $origin)
{
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
$response->headers->set('Access-Control-Allow-Origin', $origin);
return true;
}
if ('*' == config('api.cors_allowed_origin', 'client')) {
$response->headers->set('Access-Control-Allow-Origin', '*');
return true;
}
if ('client' == config('api.cors_allowed_origin', 'client')) {
$client = Authentication::instance()->client();
if (empty($client) || empty($client->endpoints())) {
return false;
}
foreach ($client->endpoints() as $endpoint) {
$parts = parse_url($endpoint);
if (empty($parts['scheme']) || empty($parts['host'])) {
continue;
}
$port = '';
if (array_get($parts, 'port')) {
$port = ':' . array_get($parts, 'port');
}
$url = $parts['scheme'] . '://' . $parts['host'] . $port;
if ($origin == $url) {
$response->headers->set('Access-Control-Allow-Origin', $url);
return true;
}
}
}
return false;
}
/**
* Make the current resource owner (access_token or Authorization header)
* the current authenticated user in Laravel.
*
* @return void
*/
protected function bootAuthResourceOwner()
{
if (config('api.auth_resource_owner', true) && !Auth::check() && Request::input('access_token', Request::header('Authorization'))) {
if ($user_id = Authentication::instance()->userId()) {
Auth::onceUsingId($user_id);
}
}
}
/**
* Ensure the current client has access to the requested scope.
*
* @param string $scope
*
* @return void
*/
public static function checkScope($scope)
{
if (!Authentication::instance()->checkScope($scope)) {
static::abort(403, "Access denied to scope: {$scope}");
}
}
