Find this useful? Enter your email to receive occasional updates for securing PHP code.

Signing you up...

Thank you for signing up!

PHP Decode

<?php declare(strict_types=1); /** * This file is part of CodeIgniter 4 framework. * ..

Decoded Output download

<?php

declare(strict_types=1);

/**
 * This file is part of CodeIgniter 4 framework.
 *
 * (c) CodeIgniter Foundation <[email protected]>
 *
 * For the full copyright and license information, please view
 * the LICENSE file that was distributed with this source code.
 */

namespace CodeIgniter\Filters;

use CodeIgniter\Exceptions\ConfigException;
use CodeIgniter\HTTP\CLIRequest;
use CodeIgniter\HTTP\IncomingRequest;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;
use CodeIgniter\HTTP\SiteURI;
use CodeIgniter\HTTP\UserAgent;
use CodeIgniter\Test\CIUnitTestCase;
use CodeIgniter\Test\Mock\MockAppConfig;
use Config\Services;
use PHPUnit\Framework\Attributes\Group;

/**
 * This test case is based on:
 *   https://github.com/asm89/stack-cors/blob/master/tests/CorsTest.php
 *   https://github.com/asm89/stack-cors/blob/b6920bd8996449400ac976e083b55fb45f035467/tests/CorsTest.php
 *
 * @internal
 */
#[Group('Others')]
final class CorsTest extends CIUnitTestCase
{
    private Cors $cors;
    private ResponseInterface $response;

    protected function tearDown(): void
    {
        parent::tearDown();

        $this->resetServices();
    }

    private function createRequest(): IncomingRequest
    {
        $config    = new MockAppConfig();
        $uri       = new SiteURI($config);
        $userAgent = new UserAgent();
        $request   = $this->getMockBuilder(IncomingRequest::class)
            ->setConstructorArgs([$config, $uri, null, $userAgent])
            ->onlyMethods(['isCLI'])
            ->getMock();
        $request->method('isCLI')->willReturn(false);

        return $request;
    }

    private function createValidPreflightRequest(): IncomingRequest
    {
        $request = $this->createRequest();

        return $request->setHeader('Origin', 'http://localhost')
            ->setHeader('Access-Control-Request-Method', 'GET')
            ->withMethod('OPTIONS');
    }

    private function createValidActualRequest(): IncomingRequest
    {
        $request = $this->createRequest();
        $request->setHeader('Origin', 'http://localhost');

        return $request;
    }

    /**
     * @param array<string, mixed> $options
     */
    private function createCors(array $options = []): Cors
    {
        $passedOptions = array_merge(
            [
                'allowedHeaders'      => ['x-allowed-header', 'x-other-allowed-header'],
                'allowedMethods'      => ['DELETE', 'GET', 'POST', 'PUT'],
                'allowedOrigins'      => ['http://localhost'],
                'exposedHeaders'      => [],
                'maxAge'              => 0,
                'supportsCredentials' => false,
            ],
            $options
        );

        return new Cors($passedOptions);
    }

    public function testBeforeDoesNothingWhenCliRequest(): void
    {
        $this->cors = $this->createCors();
        $cliRequest = new CLIRequest(new MockAppConfig());

        $return = $this->cors->before($cliRequest);

        $this->assertNull($return);
    }

    private function assertHeader(string $name, string $value): void
    {
        $this->assertSame($value, $this->response->getHeaderLine($name));
    }

    public function testItDoesModifyOnARequestWithoutOrigin(): void
    {
        $this->cors = $this->createCors();
        $request    = $this->createRequest();

        $this->handle($request);

        $this->assertHeader(
            'Access-Control-Allow-Origin',
            'http://localhost'
        );
    }

    public function testItDoesNotModifyOnARequestWithoutOrigin(): void
    {
        $this->cors = $this->createCors([
            'allowedOrigins' => ['https://www.example.com', 'https://app.example.com'],
        ]);
        $request = $this->createRequest();

        $response = $this->handle($request);

        $this->assertFalse($response->hasHeader('Access-Control-Allow-Origin'));
    }

    private function handle(RequestInterface $request): ResponseInterface
    {
        $response = $this->cors->before($request);
        if ($response instanceof ResponseInterface) {
            $this->response = $response;

            return $response;
        }

        $response ??= Services::response();

        $response = $this->cors->after($request, $response);
        $response ??= Services::response();

        $this->response = $response;

        return $response;
    }

    public function testItDoesModifyOnARequestWithSameOrigin(): void
    {
        $this->cors = $this->createCors(['allowedOrigins' => ['*']]);
        $request    = $this->createRequest();
        $request->setHeader('Host', 'foo.com');
        $request->setHeader('Origin', 'http://foo.com');

        $this->handle($request);

        $this->assertHeader('Access-Control-Allow-Origin', '*');
    }

    public function testItReturnsAllowOriginHeaderOnValidActualRequest(): void
    {
        $this->cors = $this->createCors();
        $request    = $this->createValidActualRequest();

        $response = $this->handle($request);

        $this->assertTrue($response->hasHeader('Access-Control-Allow-Origin'));
        $this->assertHeader('Access-Control-Allow-Origin', 'http://localhost');
    }

    public function testItReturnsAllowOriginHeaderOnAllowAllOriginRequest(): void
    {
        $this->cors = $this->createCors(['allowedOrigins' => ['*']]);
        $request    = $this->createRequest();
        $request->setHeader('Origin', 'http://localhost');

        $response = $this->handle($request);

        $this->assertSame(200, $response->getStatusCode());
        $this->assertTrue($response->hasHeader('Access-Control-Allow-Origin'));
        $this->assertHeader('Access-Control-Allow-Origin', '*');
    }

    public function testItReturnsAllowHeadersHeaderOnAllowAllHeadersRequest(): void
    {
        $this->cors = $this->createCors(['allowedHeaders' => ['*']]);
        $request    = $this->createValidPreflightRequest();
        $request->setHeader('Access-Control-Request-Headers', 'Foo, BAR');

        $response = $this->handle($request);

        $this->assertSame(204, $response->getStatusCode());
        $this->assertHeader('Access-Control-Allow-Headers', '*');
        // Always adds `Vary: Access-Control-Request-Method` header.
        $this->assertHeader('Vary', 'Access-Control-Request-Method');
    }

    public function testItDoesntPermitWildcardAllowedHeadersAndSupportsCredentials(): void
    {
        $this->expectException(ConfigException::class);
        $this->expectExceptionMessage(
            'When responding to a credentialed request, the server must not specify the "*" wildcard for the Access-Control-Allow-Headers response-header value.'
        );

        $this->cors = $this->createCors(['allowedHeaders' => ['*'], 'supportsCredentials' => true]);
        $request    = $this->createValidPreflightRequest();
        $request->setHeader('Access-Control-Request-Headers', 'Foo, BAR');

        $this->handle($request);
    }

    public function testItSetsAllowCredentialsHeaderWhenFlagIsSetOnValidActualRequest(): void
    {
        $this->cors = $this->createCors(['supportsCredentials' => true]);
        $request    = $this->createValidActualRequest();

        $response = $this->handle($request);

        $this->assertTrue($response->hasHeader('Access-Control-Allow-Credentials'));
        $this->assertHeader('Access-Control-Allow-Credentials', 'true');
    }

    public function testItDoesNotSetAllowCredentialsHeaderWhenFlagIsNotSetOnValidActualRequest(): void
    {
        $this->cors = $this->createCors();
        $request    = $this->createValidActualRequest();

        $response = $this->handle($request);

        $this->assertFalse($response->hasHeader('Access-Control-Allow-Credentials'));
    }

    public function testItSetsExposedHeadersWhenConfiguredOnActualRequest(): void
    {
        $this->cors = $this->createCors(['exposedHeaders' => ['x-exposed-header', 'x-another-exposed-header']]);
        $request    = $this->createValidActualRequest();

        $response = $this->handle($request);

        $this->assertTrue($response->hasHeader('Access-Control-Expose-Headers'));
        $this->assertHeader(
            'Access-Control-Expose-Headers',
            'x-exposed-header, x-another-exposed-header'
        );
    }

    public function testItDoesNotPermitWildcardAllowedOriginsAndSupportsCredentials(): void
    {
        $this->expectException(ConfigException::class);
        $this->expectExceptionMessage(
            'When responding to a credentialed request, the server must not specify the "*" wildcard for the Access-Control-Allow-Origin response-header value.'
        );

        $this->cors = $this->createCors([
            'allowedOrigins'      => ['*'],
            'supportsCredentials' => true,
        ]);
        $request = $this->createValidActualRequest();

        $this->handle($request);
    }

    public function testItDoesNotPermitWildcardAllowedOriginsAllowedMethodAndSupportsCredentials(): void
    {
        $this->expectException(ConfigException::class);
        $this->expectExceptionMessage(
            'When responding to a credentialed request, the server must not specify the "*" wildcard for the Access-Control-Allow-Origin response-header value.'
        );

        $this->cors = $this->createCors([
            'allowedOrigins'      => ['*'],
            'allowedMethods'      => ['*'],
            'supportsCredentials' => true,
        ]);
        $request = $this->createValidPreflightRequest();

        $this->handle($request);
    }

    public function testItAddsAVaryHeaderWhenHasOriginPatterns(): void
    {
        $this->cors = $this->createCors([
            'allowedOriginsPatterns' => ['http://l(o|0)calh(o|0)st'],
        ]);
        $request = $this->createValidActualRequest();

        $response = $this->handle($request);

        $this->assertTrue($response->hasHeader('Vary'));
        $this->assertHeader('Vary', 'Origin');
    }

    public function testItDoesntPermitWildcardAndOrigin(): void
    {
        $this->expectException(ConfigException::class);
        $this->expectExceptionMessage(
            "If wildcard is specified, you must set `'allowedOrigins' => ['*']`. But using wildcard is not recommended."
        );

        $this->cors = $this->createCors([
            'allowedOrigins' => ['*', 'http://localhost'],
        ]);
        $request = $this->createValidActualRequest();

        $this->handle($request);
    }

    public function testItDoesntAddAVaryHeaderWhenSimpleOrigins(): void
    {
        $this->cors = $this->createCors([
            'allowedOrigins' => ['http://localhost'],
        ]);
        $request = $this->createValidActualRequest();

        $response = $this->handle($request);

        $this->assertHeader('Access-Control-Allow-Origin', 'http://localhost');
        $this->assertFalse($response->hasHeader('Vary'));
    }

    public function testItAddsAVaryHeaderWhenMultipleOrigins(): void
    {
        $this->cors = $this->createCors([
            'allowedOrigins' => ['http://localhost', 'http://example.com'],
        ]);
        $request = $this->createValidActualRequest();

        $response = $this->handle($request);

        $this->assertHeader('Access-Control-Allow-Origin', 'http://localhost');
        $this->assertTrue($response->hasHeader('Vary'));
    }

    public function testItReturnsAccessControlHeadersOnCorsRequest(): void
    {
        $this->cors = $this->createCors();
        $request    = $this->createRequest();
        $request->setHeader('Origin', 'http://localhost');

        $response = $this->handle($request);

        $this->assertTrue($response->hasHeader('Access-Control-Allow-Origin'));
        $this->assertHeader('Access-Control-Allow-Origin', 'http://localhost');
    }

    public function testItReturnsAccessControlHeadersOnCorsRequestWithPatternOrigin(): void
    {
        $this->cors = $this->createCors([
            'allowedOrigins'         => [],
            'allowedOriginsPatterns' => ['http://l(o|0)calh(o|0)st'],
        ]);
        $request = $this->createValidActualRequest();

        $response = $this->handle($request);

        $this->assertTrue($response->hasHeader('Access-Control-Allow-Origin'));
        $this->assertHeader('Access-Control-Allow-Origin', 'http://localhost');
        $this->assertTrue($response->hasHeader('Vary'));
        $this->assertHeader('Vary', 'Origin');
    }

    public function testItReturnsAccessControlHeadersOnValidPreflightRequest(): void
    {
        $this->cors = $this->createCors();
        $request    = $this->createValidPreflightRequest();

        $response = $this->handle($request);

        $this->assertTrue($response->hasHeader('Access-Control-Allow-Origin'));
        $this->assertHeader('Access-Control-Allow-Origin', 'http://localhost');
    }

    public function testItReturnsOkOnValidPreflightRequestWithRequestedHeadersAllowed(): void
    {
        $this->cors     = $this->createCors();
        $requestHeaders = 'X-Allowed-Header, x-other-allowed-header';
        $request        = $this->createValidPreflightRequest();
        $request->setHeader('Access-Control-Request-Headers', $requestHeaders);

        $response = $this->handle($request);

        $this->assertSame(204, $response->getStatusCode());

        $this->assertTrue($response->hasHeader('Access-Control-Allow-Headers'));
        // the response will have the "allowedHeaders" value passed to Cors rather than the request one
        $this->assertHeader('Access-Control-Allow-Headers', 'x-allowed-header, x-other-allowed-header');
    }

    public function testItSetsAllowCredentialsHeaderWhenFlagIsSetOnValidPreflightRequest(): void
    {
        $this->cors = $this->createCors(['supportsCredentials' => true]);
        $request    = $this->createValidPreflightRequest();

        $response = $this->handle($request);

        $this->assertTrue($response->hasHeader('Access-Control-Allow-Credentials'));
        $this->assertHeader('Access-Control-Allow-Credentials', 'true');
    }

    public function testItDoesNotSetAllowCredentialsHeaderWhenFlagIsNotSetOnValidPreflightRequest(): void
    {
        $this->cors = $this->createCors();
        $request    = $this->createValidPreflightRequest();

        $response = $this->handle($request);

        $this->assertFalse($response->hasHeader('Access-Control-Allow-Credentials'));
    }

    public function testItSetsMaxAgeWhenSet(): void
    {
        $this->cors = $this->createCors(['maxAge' => 42]);
        $request    = $this->createValidPreflightRequest();

        $response = $this->handle($request);

        $this->assertTrue($response->hasHeader('Access-Control-Max-Age'));
        $this->assertHeader('Access-Control-Max-Age', '42');
    }

    public function testItSetsMaxAgeWhenZero(): void
    {
        $this->cors = $this->createCors(['maxAge' => 0]);
        $request    = $this->createValidPreflightRequest();

        $response = $this->handle($request);

        $this->assertTrue($response->hasHeader('Access-Control-Max-Age'));
        $this->assertHeader('Access-Control-Max-Age', '0');
    }

    public function testItSkipsEmptyAccessControlRequestHeader(): void
    {
        $this->cors = $this->createCors();
        $request    = $this->createValidPreflightRequest();
        $request->setHeader('Access-Control-Request-Headers', '');

        $response = $this->handle($request);

        $this->assertSame(204, $response->getStatusCode());
    }

    public function testItAddsVaryAccessControlRequestMethodHeaderEvenIfItIsNormalOptionsRequest(): void
    {
        $this->cors = $this->createCors(['allowedHeaders' => ['*']]);
        $request    = $this->createRequest()->withMethod('OPTIONS');

        $response = $this->handle($request);

        $this->assertSame(200, $response->getStatusCode());
        $this->assertFalse($response->hasHeader('Access-Control-Allow-Headers'));
        // Always adds `Vary: Access-Control-Request-Method` header.
        $this->assertHeader('Vary', 'Access-Control-Request-Method');
    }
}
 ?>

Did this file decode correctly?

Original Code

<?php

declare(strict_types=1);

/**
 * This file is part of CodeIgniter 4 framework.
 *
 * (c) CodeIgniter Foundation <[email protected]>
 *
 * For the full copyright and license information, please view
 * the LICENSE file that was distributed with this source code.
 */

namespace CodeIgniter\Filters;

use CodeIgniter\Exceptions\ConfigException;
use CodeIgniter\HTTP\CLIRequest;
use CodeIgniter\HTTP\IncomingRequest;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;
use CodeIgniter\HTTP\SiteURI;
use CodeIgniter\HTTP\UserAgent;
use CodeIgniter\Test\CIUnitTestCase;
use CodeIgniter\Test\Mock\MockAppConfig;
use Config\Services;
use PHPUnit\Framework\Attributes\Group;

/**
 * This test case is based on:
 *   https://github.com/asm89/stack-cors/blob/master/tests/CorsTest.php
 *   https://github.com/asm89/stack-cors/blob/b6920bd8996449400ac976e083b55fb45f035467/tests/CorsTest.php
 *
 * @internal
 */
#[Group('Others')]
final class CorsTest extends CIUnitTestCase
{
    private Cors $cors;
    private ResponseInterface $response;

    protected function tearDown(): void
    {
        parent::tearDown();

        $this->resetServices();
    }

    private function createRequest(): IncomingRequest
    {
        $config    = new MockAppConfig();
        $uri       = new SiteURI($config);
        $userAgent = new UserAgent();
        $request   = $this->getMockBuilder(IncomingRequest::class)
            ->setConstructorArgs([$config, $uri, null, $userAgent])
            ->onlyMethods(['isCLI'])
            ->getMock();
        $request->method('isCLI')->willReturn(false);

        return $request;
    }

    private function createValidPreflightRequest(): IncomingRequest
    {
        $request = $this->createRequest();

        return $request->setHeader('Origin', 'http://localhost')
            ->setHeader('Access-Control-Request-Method', 'GET')
            ->withMethod('OPTIONS');
    }

    private function createValidActualRequest(): IncomingRequest
    {
        $request = $this->createRequest();
        $request->setHeader('Origin', 'http://localhost');

        return $request;
    }

    /**
     * @param array<string, mixed> $options
     */
    private function createCors(array $options = []): Cors
    {
        $passedOptions = array_merge(
            [
                'allowedHeaders'      => ['x-allowed-header', 'x-other-allowed-header'],
                'allowedMethods'      => ['DELETE', 'GET', 'POST', 'PUT'],
                'allowedOrigins'      => ['http://localhost'],
                'exposedHeaders'      => [],
                'maxAge'              => 0,
                'supportsCredentials' => false,
            ],
            $options
        );

        return new Cors($passedOptions);
    }

    public function testBeforeDoesNothingWhenCliRequest(): void
    {
        $this->cors = $this->createCors();
        $cliRequest = new CLIRequest(new MockAppConfig());

        $return = $this->cors->before($cliRequest);

        $this->assertNull($return);
    }

    private function assertHeader(string $name, string $value): void
    {
        $this->assertSame($value, $this->response->getHeaderLine($name));
    }

    public function testItDoesModifyOnARequestWithoutOrigin(): void
    {
        $this->cors = $this->createCors();
        $request    = $this->createRequest();

        $this->handle($request);

        $this->assertHeader(
            'Access-Control-Allow-Origin',
            'http://localhost'
        );
    }

    public function testItDoesNotModifyOnARequestWithoutOrigin(): void
    {
        $this->cors = $this->createCors([
            'allowedOrigins' => ['https://www.example.com', 'https://app.example.com'],
        ]);
        $request = $this->createRequest();

        $response = $this->handle($request);

        $this->assertFalse($response->hasHeader('Access-Control-Allow-Origin'));
    }

    private function handle(RequestInterface $request): ResponseInterface
    {
        $response = $this->cors->before($request);
        if ($response instanceof ResponseInterface) {
            $this->response = $response;

            return $response;
        }

        $response ??= Services::response();

        $response = $this->cors->after($request, $response);
        $response ??= Services::response();

        $this->response = $response;

        return $response;
    }

    public function testItDoesModifyOnARequestWithSameOrigin(): void
    {
        $this->cors = $this->createCors(['allowedOrigins' => ['*']]);
        $request    = $this->createRequest();
        $request->setHeader('Host', 'foo.com');
        $request->setHeader('Origin', 'http://foo.com');

        $this->handle($request);

        $this->assertHeader('Access-Control-Allow-Origin', '*');
    }

    public function testItReturnsAllowOriginHeaderOnValidActualRequest(): void
    {
        $this->cors = $this->createCors();
        $request    = $this->createValidActualRequest();

        $response = $this->handle($request);

        $this->assertTrue($response->hasHeader('Access-Control-Allow-Origin'));
        $this->assertHeader('Access-Control-Allow-Origin', 'http://localhost');
    }

    public function testItReturnsAllowOriginHeaderOnAllowAllOriginRequest(): void
    {
        $this->cors = $this->createCors(['allowedOrigins' => ['*']]);
        $request    = $this->createRequest();
        $request->setHeader('Origin', 'http://localhost');

        $response = $this->handle($request);

        $this->assertSame(200, $response->getStatusCode());
        $this->assertTrue($response->hasHeader('Access-Control-Allow-Origin'));
        $this->assertHeader('Access-Control-Allow-Origin', '*');
    }

    public function testItReturnsAllowHeadersHeaderOnAllowAllHeadersRequest(): void
    {
        $this->cors = $this->createCors(['allowedHeaders' => ['*']]);
        $request    = $this->createValidPreflightRequest();
        $request->setHeader('Access-Control-Request-Headers', 'Foo, BAR');

        $response = $this->handle($request);

        $this->assertSame(204, $response->getStatusCode());
        $this->assertHeader('Access-Control-Allow-Headers', '*');
        // Always adds `Vary: Access-Control-Request-Method` header.
        $this->assertHeader('Vary', 'Access-Control-Request-Method');
    }

    public function testItDoesntPermitWildcardAllowedHeadersAndSupportsCredentials(): void
    {
        $this->expectException(ConfigException::class);
        $this->expectExceptionMessage(
            'When responding to a credentialed request, the server must not specify the "*" wildcard for the Access-Control-Allow-Headers response-header value.'
        );

        $this->cors = $this->createCors(['allowedHeaders' => ['*'], 'supportsCredentials' => true]);
        $request    = $this->createValidPreflightRequest();
        $request->setHeader('Access-Control-Request-Headers', 'Foo, BAR');

        $this->handle($request);
    }

    public function testItSetsAllowCredentialsHeaderWhenFlagIsSetOnValidActualRequest(): void
    {
        $this->cors = $this->createCors(['supportsCredentials' => true]);
        $request    = $this->createValidActualRequest();

        $response = $this->handle($request);

        $this->assertTrue($response->hasHeader('Access-Control-Allow-Credentials'));
        $this->assertHeader('Access-Control-Allow-Credentials', 'true');
    }

    public function testItDoesNotSetAllowCredentialsHeaderWhenFlagIsNotSetOnValidActualRequest(): void
    {
        $this->cors = $this->createCors();
        $request    = $this->createValidActualRequest();

        $response = $this->handle($request);

        $this->assertFalse($response->hasHeader('Access-Control-Allow-Credentials'));
    }

    public function testItSetsExposedHeadersWhenConfiguredOnActualRequest(): void
    {
        $this->cors = $this->createCors(['exposedHeaders' => ['x-exposed-header', 'x-another-exposed-header']]);
        $request    = $this->createValidActualRequest();

        $response = $this->handle($request);

        $this->assertTrue($response->hasHeader('Access-Control-Expose-Headers'));
        $this->assertHeader(
            'Access-Control-Expose-Headers',
            'x-exposed-header, x-another-exposed-header'
        );
    }

    public function testItDoesNotPermitWildcardAllowedOriginsAndSupportsCredentials(): void
    {
        $this->expectException(ConfigException::class);
        $this->expectExceptionMessage(
            'When responding to a credentialed request, the server must not specify the "*" wildcard for the Access-Control-Allow-Origin response-header value.'
        );

        $this->cors = $this->createCors([
            'allowedOrigins'      => ['*'],
            'supportsCredentials' => true,
        ]);
        $request = $this->createValidActualRequest();

        $this->handle($request);
    }

    public function testItDoesNotPermitWildcardAllowedOriginsAllowedMethodAndSupportsCredentials(): void
    {
        $this->expectException(ConfigException::class);
        $this->expectExceptionMessage(
            'When responding to a credentialed request, the server must not specify the "*" wildcard for the Access-Control-Allow-Origin response-header value.'
        );

        $this->cors = $this->createCors([
            'allowedOrigins'      => ['*'],
            'allowedMethods'      => ['*'],
            'supportsCredentials' => true,
        ]);
        $request = $this->createValidPreflightRequest();

        $this->handle($request);
    }

    public function testItAddsAVaryHeaderWhenHasOriginPatterns(): void
    {
        $this->cors = $this->createCors([
            'allowedOriginsPatterns' => ['http://l(o|0)calh(o|0)st'],
        ]);
        $request = $this->createValidActualRequest();

        $response = $this->handle($request);

        $this->assertTrue($response->hasHeader('Vary'));
        $this->assertHeader('Vary', 'Origin');
    }

    public function testItDoesntPermitWildcardAndOrigin(): void
    {
        $this->expectException(ConfigException::class);
        $this->expectExceptionMessage(
            "If wildcard is specified, you must set `'allowedOrigins' => ['*']`. But using wildcard is not recommended."
        );

        $this->cors = $this->createCors([
            'allowedOrigins' => ['*', 'http://localhost'],
        ]);
        $request = $this->createValidActualRequest();

        $this->handle($request);
    }

    public function testItDoesntAddAVaryHeaderWhenSimpleOrigins(): void
    {
        $this->cors = $this->createCors([
            'allowedOrigins' => ['http://localhost'],
        ]);
        $request = $this->createValidActualRequest();

        $response = $this->handle($request);

        $this->assertHeader('Access-Control-Allow-Origin', 'http://localhost');
        $this->assertFalse($response->hasHeader('Vary'));
    }

    public function testItAddsAVaryHeaderWhenMultipleOrigins(): void
    {
        $this->cors = $this->createCors([
            'allowedOrigins' => ['http://localhost', 'http://example.com'],
        ]);
        $request = $this->createValidActualRequest();

        $response = $this->handle($request);

        $this->assertHeader('Access-Control-Allow-Origin', 'http://localhost');
        $this->assertTrue($response->hasHeader('Vary'));
    }

    public function testItReturnsAccessControlHeadersOnCorsRequest(): void
    {
        $this->cors = $this->createCors();
        $request    = $this->createRequest();
        $request->setHeader('Origin', 'http://localhost');

        $response = $this->handle($request);

        $this->assertTrue($response->hasHeader('Access-Control-Allow-Origin'));
        $this->assertHeader('Access-Control-Allow-Origin', 'http://localhost');
    }

    public function testItReturnsAccessControlHeadersOnCorsRequestWithPatternOrigin(): void
    {
        $this->cors = $this->createCors([
            'allowedOrigins'         => [],
            'allowedOriginsPatterns' => ['http://l(o|0)calh(o|0)st'],
        ]);
        $request = $this->createValidActualRequest();

        $response = $this->handle($request);

        $this->assertTrue($response->hasHeader('Access-Control-Allow-Origin'));
        $this->assertHeader('Access-Control-Allow-Origin', 'http://localhost');
        $this->assertTrue($response->hasHeader('Vary'));
        $this->assertHeader('Vary', 'Origin');
    }

    public function testItReturnsAccessControlHeadersOnValidPreflightRequest(): void
    {
        $this->cors = $this->createCors();
        $request    = $this->createValidPreflightRequest();

        $response = $this->handle($request);

        $this->assertTrue($response->hasHeader('Access-Control-Allow-Origin'));
        $this->assertHeader('Access-Control-Allow-Origin', 'http://localhost');
    }

    public function testItReturnsOkOnValidPreflightRequestWithRequestedHeadersAllowed(): void
    {
        $this->cors     = $this->createCors();
        $requestHeaders = 'X-Allowed-Header, x-other-allowed-header';
        $request        = $this->createValidPreflightRequest();
        $request->setHeader('Access-Control-Request-Headers', $requestHeaders);

        $response = $this->handle($request);

        $this->assertSame(204, $response->getStatusCode());

        $this->assertTrue($response->hasHeader('Access-Control-Allow-Headers'));
        // the response will have the "allowedHeaders" value passed to Cors rather than the request one
        $this->assertHeader('Access-Control-Allow-Headers', 'x-allowed-header, x-other-allowed-header');
    }

    public function testItSetsAllowCredentialsHeaderWhenFlagIsSetOnValidPreflightRequest(): void
    {
        $this->cors = $this->createCors(['supportsCredentials' => true]);
        $request    = $this->createValidPreflightRequest();

        $response = $this->handle($request);

        $this->assertTrue($response->hasHeader('Access-Control-Allow-Credentials'));
        $this->assertHeader('Access-Control-Allow-Credentials', 'true');
    }

    public function testItDoesNotSetAllowCredentialsHeaderWhenFlagIsNotSetOnValidPreflightRequest(): void
    {
        $this->cors = $this->createCors();
        $request    = $this->createValidPreflightRequest();

        $response = $this->handle($request);

        $this->assertFalse($response->hasHeader('Access-Control-Allow-Credentials'));
    }

    public function testItSetsMaxAgeWhenSet(): void
    {
        $this->cors = $this->createCors(['maxAge' => 42]);
        $request    = $this->createValidPreflightRequest();

        $response = $this->handle($request);

        $this->assertTrue($response->hasHeader('Access-Control-Max-Age'));
        $this->assertHeader('Access-Control-Max-Age', '42');
    }

    public function testItSetsMaxAgeWhenZero(): void
    {
        $this->cors = $this->createCors(['maxAge' => 0]);
        $request    = $this->createValidPreflightRequest();

        $response = $this->handle($request);

        $this->assertTrue($response->hasHeader('Access-Control-Max-Age'));
        $this->assertHeader('Access-Control-Max-Age', '0');
    }

    public function testItSkipsEmptyAccessControlRequestHeader(): void
    {
        $this->cors = $this->createCors();
        $request    = $this->createValidPreflightRequest();
        $request->setHeader('Access-Control-Request-Headers', '');

        $response = $this->handle($request);

        $this->assertSame(204, $response->getStatusCode());
    }

    public function testItAddsVaryAccessControlRequestMethodHeaderEvenIfItIsNormalOptionsRequest(): void
    {
        $this->cors = $this->createCors(['allowedHeaders' => ['*']]);
        $request    = $this->createRequest()->withMethod('OPTIONS');

        $response = $this->handle($request);

        $this->assertSame(200, $response->getStatusCode());
        $this->assertFalse($response->hasHeader('Access-Control-Allow-Headers'));
        // Always adds `Vary: Access-Control-Request-Method` header.
        $this->assertHeader('Vary', 'Access-Control-Request-Method');
    }
}

Function Calls

None

Variables

None

Stats

MD5 e3cea079ad5f93077d3245f97a8903d5
Eval Count 0
Decode Time 121 ms