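/**
 * Build the response to a CORS preflight (OPTIONS) request.
 *
 * User agents send a preflight to discover whether a cross-origin resource is prepared to
 * accept a non-simple request (method and/or headers) from a given origin.
 *
 * Order matters for security: the origin is validated before ANY grant header is emitted,
 * so a rejected origin receives a bare 403 with no Access-Control-Allow-Origin and no
 * Access-Control-Allow-Credentials. The previous implementation answered rejected origins
 * with `Access-Control-Allow-Origin: null` — browsers treat "null" as a real origin that
 * sandboxed iframes and data:/file: documents can present — and it had already emitted the
 * credentials header before checking the origin.
 *
 * Fixes relative to the previous implementation:
 *  - a disallowed request header now returns the 400 immediately; before, the loop
 *    `break`-ed and fell through to the unconditional 204 below, discarding the 400;
 *  - allowed header names are lower-cased and trimmed before comparison (header field
 *    names are case-insensitive; the requested side was already lower-cased);
 *  - Access-Control-Allow-Credentials is only ever emitted as the literal "true", which is
 *    the only value browsers honour;
 *  - `Vary: Origin` is set because the Allow-Origin value is per-request.
 *
 * @param Request      $request  the incoming preflight request
 * @param IApiEndpoint $endpoint the endpoint the actual request would target
 * @return Response 204 on success; 403 for a disallowed origin; 405 when the requested
 *                  method is not the endpoint's method; 400 for a non-allowed header
 */
private function makePreflightResponse(Request $request, IApiEndpoint $endpoint)
{
    $response = new Response();

    // Validate the origin first: nothing that grants access may be sent to an origin that
    // is not on the allow list. Deliberately no Access-Control-Allow-Origin here.
    if (!$this->checkOrigin($request)) {
        $response->setStatusCode(403);
        return $response;
    }

    // The origin is allowed; echo it back verbatim. Because the value varies per request,
    // shared caches must key on Origin or one origin's grant could be served to another.
    $response->headers->set('Access-Control-Allow-Origin', $request->headers->get('Origin'));
    $response->headers->set('Vary', 'Origin');

    // Access-Control-Allow-Credentials is only meaningful as the literal string "true".
    // Normalise the configured value so a boolean or "1" in config does not yield an
    // ineffective header value.
    $allow_credentials = Config::get('cors.AllowCredentials', '');
    if (filter_var($allow_credentials, FILTER_VALIDATE_BOOLEAN)) {
        $response->headers->set('Access-Control-Allow-Credentials', 'true');
    }

    if (Config::get('cors.UsePreflightCaching', false)) {
        // Access-Control-Max-Age lets the browser cache this preflight result so that
        // subsequent requests within the window skip the preflight round trip.
        $response->headers->set('Access-Control-Max-Age', Config::get('cors.MaxAge', 32000));
    }

    // Access-Control-Allow-Headers advertises which request headers the actual request may carry.
    $response->headers->set('Access-Control-Allow-Headers', $this->allowed_headers);

    // Access-Control-Request-Method names the method the actual request will use; it must be
    // the method this endpoint serves. HTTP method names are case-sensitive, so compare strictly.
    $requested_method = (string) $request->headers->get('Access-Control-Request-Method');
    if ($requested_method !== (string) $endpoint->getHttpMethod()) {
        $response->setStatusCode(405);
        return $response;
    }

    // Access-Control-Allow-Methods advertises which methods the actual request may use.
    $response->headers->set('Access-Control-Allow-Methods', $this->allowed_methods);

    // Access-Control-Request-Headers lists the headers the actual request will carry. Every
    // non-simple one must be on the allow list. Both sides are lower-cased and trimmed so that
    // a mixed-case allow list in config does not reject legitimate requests.
    $requested_headers = $request->headers->get('Access-Control-Request-Headers');
    if ($requested_headers) {
        $allow_headers = array_map('trim', explode(',', strtolower($this->allowed_headers)));
        foreach (preg_split('{, *}', trim(strtolower($requested_headers))) as $header) {
            // Simple headers never need preflight approval.
            if (in_array($header, self::$simple_headers, true)) {
                continue;
            }
            if (!in_array($header, $allow_headers, true)) {
                // Return here: falling through would overwrite the 400 with the 204 below.
                $response->setStatusCode(400);
                $response->setContent('Unauthorized header ' . $header);
                return $response;
            }
        }
    }

    // Everything checks out: 204 No Content.
    $response->setStatusCode(204);
    return $response;
}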
/**
 * Persist an endpoint when it is new or has pending changes.
 *
 * An endpoint that already exists and has no dirty attributes is left untouched and the
 * call reports success without hitting storage. `getDirty()` is only consulted for an
 * existing endpoint, so a new endpoint is saved without that extra call.
 *
 * @param IApiEndpoint $api_endpoint
 * @return bool|mixed true when nothing needed saving, otherwise the result of Save()
 */
public function save(IApiEndpoint $api_endpoint)
{
    // Existing and clean: nothing to do.
    if ($api_endpoint->exists() && count($api_endpoint->getDirty()) === 0) {
        return true;
    }

    return $api_endpoint->Save();
}