/**
* Shortcut for testing expected headers of a response
* @param array $expected an array with the expected headers
* @param Response $response the response which we want to test for headers
*/
protected function assertHeaders(array $expected = array(), Response $response)
{
$headers = $response->getHeaders();
foreach ($expected as $header) {
$this->assertTrue(in_array($header, $headers));
}
}
public function testChainability()
{
$lastModified = new \DateTime(null, new \DateTimeZone('GMT'));
$lastModified->setTimestamp(1);
$this->childResponse->setEtag('hi')->setStatus(Http::STATUS_NOT_FOUND)->setLastModified($lastModified)->cacheFor(33)->addHeader('hello', 'world');
$headers = $this->childResponse->getHeaders();
$this->assertEquals('world', $headers['hello']);
$this->assertEquals(Http::STATUS_NOT_FOUND, $this->childResponse->getStatus());
$this->assertEquals('hi', $this->childResponse->getEtag());
$this->assertEquals('Thu, 01 Jan 1970 00:00:01 +0000', $headers['Last-Modified']);
$this->assertEquals('max-age=33, must-revalidate', $headers['Cache-Control']);
}
/**
* This is being run after a successful controllermethod call and allows
* the manipulation of a Response object. The middleware is run in reverse order
*
* @param Controller $controller the controller that is being called
* @param string $methodName the name of the method that will be called on
* the controller
* @param Response $response the generated response from the controller
* @return Response a Response object
*/
public function afterController($controller, $methodName, Response $response)
{
// only react if its a CORS request and if the request sends origin and
if (isset($this->request->server['HTTP_ORIGIN']) && $this->reflector->hasAnnotation('CORS')) {
// allow credentials headers must not be true or CSRF is possible
// otherwise
foreach ($response->getHeaders() as $header => $value) {
if (strtolower($header) === 'access-control-allow-credentials' && strtolower(trim($value)) === 'true') {
$msg = 'Access-Control-Allow-Credentials must not be ' . 'set to true in order to prevent CSRF';
throw new SecurityException($msg);
}
}
$origin = $this->request->server['HTTP_ORIGIN'];
$response->addHeader('Access-Control-Allow-Origin', $origin);
}
return $response;
}
