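 /**
  * Answer a CORS preflight (OPTIONS) request for the given endpoint.
  *
  * User agents can discover via a preflight request whether a cross-origin resource is prepared to
  * accept requests, using a non-simple method, from a given origin. Checks run in the order the
  * browser evaluates them: origin, then announced method, then announced headers. Any failed check
  * short-circuits with a non-2xx status, which is what makes the browser refuse the actual request.
  *
  * @param Request $request the preflight request; Origin, Access-Control-Request-Method and
  *                         Access-Control-Request-Headers are read from it
  * @param IApiEndpoint $endpoint endpoint the actual request would hit; its HTTP method must match
  *                               the one announced by the preflight
  * @return Response 204 on success; 403 (origin not allowed), 405 (method mismatch) or
  *                  400 (non-simple header missing from the allow list) otherwise
  */
 private function makePreflightResponse(Request $request, IApiEndpoint $endpoint)
 {
     $response = new Response();

     $allow_credentials = Config::get('cors.AllowCredentials', '');
     if (!empty($allow_credentials)) {
         // On a preflight, Access-Control-Allow-Credentials tells the browser the actual request may
         // carry cookies / HTTP auth. Only emitted when explicitly configured.
         $response->headers->set('Access-Control-Allow-Credentials', $allow_credentials);
     }

     if (Config::get('cors.UsePreflightCaching', false)) {
         // Access-Control-Max-Age lets the browser skip the preflight for subsequent requests
         // within the given number of seconds.
         $response->headers->set('Access-Control-Max-Age', Config::get('cors.MaxAge', 32000));
     }

     // Access-Control-Allow-Headers advertises which (non-simple) headers the actual request may use.
     $response->headers->set('Access-Control-Allow-Headers', $this->allowed_headers);

     if (!$this->checkOrigin($request)) {
         // Unknown origin: a non-2xx status alone fails the preflight. Deliberately no
         // "Access-Control-Allow-Origin: null" here - "null" is a real origin value (sandboxed
         // iframes, file:// pages, some redirects) and echoing it would grant exactly those contexts.
         $response->setStatusCode(403);
         return $response;
     }

     // The origin is echoed back, so the response is origin-specific: tell shared caches not to
     // reuse it for a different Origin (relevant when credentials or preflight caching are enabled).
     $response->headers->set('Access-Control-Allow-Origin', $request->headers->get('Origin'));
     $response->headers->set('Vary', 'Origin');

     // Access-Control-Request-Method announces the method of the actual request; it must be the
     // method this endpoint is registered for. Strict comparison: a missing header must not match.
     if ($request->headers->get('Access-Control-Request-Method') !== $endpoint->getHttpMethod()) {
         $response->setStatusCode(405);
         return $response;
     }

     // Access-Control-Allow-Methods advertises which methods the actual request may use.
     $response->headers->set('Access-Control-Allow-Methods', $this->allowed_methods);

     // Access-Control-Request-Headers lists the headers the actual request intends to send. Every
     // non-simple one must be on the allow list, otherwise the preflight is refused with 400.
     $requested_headers = $request->headers->get('Access-Control-Request-Headers');
     if ($requested_headers) {
         // Header names are case-insensitive, so both sides are compared in lower case. The allow
         // list is split on ',' with surrounding whitespace trimmed, so it tolerates the same spacing
         // variations as the request header instead of requiring exactly ", ".
         $allow_headers = array_map(
             static function ($name) {
                 return strtolower(trim($name));
             },
             explode(',', $this->allowed_headers)
         );
         foreach (preg_split('{, *}', trim(strtolower($requested_headers))) as $header) {
             // Simple headers are always permitted by the CORS algorithm and never need listing.
             if (in_array($header, self::$simple_headers, true)) {
                 continue;
             }
             if (!in_array($header, $allow_headers, true)) {
                 // Return immediately: falling through would overwrite this 400 with the 204 below
                 // and silently accept a header the configuration does not allow.
                 $response->setStatusCode(400);
                 $response->setContent('Unauthorized header ' . $header);
                 return $response;
             }
         }
     }

     // OK - No Content
     $response->setStatusCode(204);
     return $response;
 }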
 /**
  * Persist the endpoint, skipping the write when there is nothing new to store.
  *
  * A write is issued only when the endpoint has never been persisted, or when at least one
  * attribute is dirty. An already-persisted, unchanged endpoint is reported as saved without
  * touching storage.
  *
  * @param IApiEndpoint $api_endpoint
  * @return mixed whatever Save() returns when a write happens; true when the write is skipped
  */
 public function save(IApiEndpoint $api_endpoint)
 {
     $already_persisted = $api_endpoint->exists();
     // getDirty() is only consulted for persisted rows, as a brand-new endpoint always needs a write.
     if ($already_persisted && count($api_endpoint->getDirty()) === 0) {
         return true;
     }
     return $api_endpoint->Save();
 }