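/**
 * Attach a CORS origin header to the given response, if allowed.
 * Returns true if an origin header was set; false, otherwise.
 *
 * Decision order:
 *  1. OPTIONS (preflight) requests echo the supplied origin unconditionally.
 *     NOTE(review): this lets any origin pass preflight; the actual request
 *     is still gated by the branches below, so a browser cannot read a
 *     cross-origin response unless one of those branches also allows it.
 *  2. 'api.cors_allowed_origin' === '*' sends a wildcard.
 *  3. 'api.cors_allowed_origin' === 'client' (the default) allows the origin
 *     only when it equals scheme://host[:port] of one of the authenticated
 *     client's registered endpoints.
 *
 * Whenever the value sent depends on the request's Origin, 'Vary: Origin'
 * is appended so a shared cache does not serve one origin's header to
 * another.
 *
 * @param Response $response
 * @param string   $origin   Value of the request's Origin header.
 *
 * @return bool
 */
public static function attachOriginHeader($response, $origin)
{
    if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
        $response->headers->set('Access-Control-Allow-Origin', $origin);
        $response->headers->set('Vary', 'Origin', false);
        return true;
    }

    // Compared with === on purpose: under loose comparison '*' == true is
    // true, so a config value of `true` would silently open the API to
    // every origin.
    $allowed = config('api.cors_allowed_origin', 'client');

    if ('*' === $allowed) {
        $response->headers->set('Access-Control-Allow-Origin', '*');
        return true;
    }

    if ('client' !== $allowed) {
        return false;
    }

    $client = Authentication::instance()->client();
    if (empty($client) || empty($client->endpoints())) {
        return false;
    }

    foreach ($client->endpoints() as $endpoint) {
        $parts = parse_url($endpoint);
        // parse_url() returns false for seriously malformed input; a
        // relative or scheme-less endpoint can never match an Origin.
        if (!is_array($parts) || empty($parts['scheme']) || empty($parts['host'])) {
            continue;
        }

        $port = '';
        if (array_get($parts, 'port')) {
            $port = ':' . array_get($parts, 'port');
        }

        // An Origin header carries only scheme://host[:port]. The match is
        // exact (case-sensitive, no default-port normalisation), so the
        // registered endpoint must be stored in the same form the browser
        // sends.
        $url = $parts['scheme'] . '://' . $parts['host'] . $port;
        if ($origin === $url) {
            $response->headers->set('Access-Control-Allow-Origin', $url);
            $response->headers->set('Vary', 'Origin', false);
            return true;
        }
    }

    return false;
}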
/**
 * Make the current resource owner (access_token or Authorization header)
 * the current authenticated user in Laravel.
 *
 * Runs only when 'api.auth_resource_owner' is enabled (default true), no
 * user is already authenticated, and the request carries either an
 * `access_token` input or an Authorization header. The user is attached
 * with Auth::onceUsingId(), i.e. for this request only; nothing is written
 * to the session here.
 *
 * NOTE(review): `access_token` is read through Request::input(), which
 * Laravel resolves from request input rather than headers, so a token
 * passed that way can end up in access logs and Referer headers. Prefer
 * the Authorization header where callers can be changed.
 *
 * @return void
 */
protected function bootAuthResourceOwner()
{
    if (!config('api.auth_resource_owner', true)) {
        return;
    }

    if (Auth::check()) {
        return;
    }

    $credential = Request::input('access_token', Request::header('Authorization'));
    if (!$credential) {
        return;
    }

    $ownerId = Authentication::instance()->userId();
    if ($ownerId) {
        Auth::onceUsingId($ownerId);
    }
}
/**
 * Ensure the current client has access to the requested scope.
 *
 * Delegates to Authentication::instance()->checkScope() and aborts the
 * request with HTTP 403 when the scope is not granted; returns normally
 * otherwise.
 *
 * @param string $scope
 *
 * @return void
 */
public static function checkScope($scope)
{
    $granted = Authentication::instance()->checkScope($scope);
    if ($granted) {
        return;
    }

    static::abort(403, "Access denied to scope: {$scope}");
}