create-prisma-php-app 3.6.3 → 3.6.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
|
@@ -6,29 +6,22 @@ namespace Lib\Middleware;
|
|
|
6
6
|
|
|
7
7
|
final class CorsMiddleware
|
|
8
8
|
{
|
|
9
|
-
/** Entry point */
|
|
10
9
|
public static function handle(?array $overrides = null): void
|
|
11
10
|
{
|
|
12
|
-
// Not a CORS request
|
|
13
11
|
$origin = $_SERVER['HTTP_ORIGIN'] ?? '';
|
|
14
12
|
if ($origin === '') {
|
|
15
13
|
return;
|
|
16
14
|
}
|
|
17
15
|
|
|
18
|
-
// Resolve config (env → overrides)
|
|
19
16
|
$cfg = self::buildConfig($overrides);
|
|
20
17
|
|
|
21
|
-
// Not allowed? Do nothing (browser will block)
|
|
22
18
|
if (!self::isAllowedOrigin($origin, $cfg['allowedOrigins'])) {
|
|
23
19
|
return;
|
|
24
20
|
}
|
|
25
21
|
|
|
26
|
-
// Compute which value to send for Access-Control-Allow-Origin
|
|
27
|
-
// If credentials are disabled and '*' is in list, we can send '*'
|
|
28
22
|
$sendWildcard = (!$cfg['allowCredentials'] && self::listHasWildcard($cfg['allowedOrigins']));
|
|
29
23
|
$allowOriginValue = $sendWildcard ? '*' : self::normalize($origin);
|
|
30
24
|
|
|
31
|
-
// Vary for caches
|
|
32
25
|
header('Vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers');
|
|
33
26
|
|
|
34
27
|
header('Access-Control-Allow-Origin: ' . $allowOriginValue);
|
|
@@ -37,7 +30,6 @@ final class CorsMiddleware
|
|
|
37
30
|
}
|
|
38
31
|
|
|
39
32
|
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
|
|
40
|
-
// Preflight response
|
|
41
33
|
$requestedHeaders = $_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'] ?? '';
|
|
42
34
|
$allowedHeaders = $cfg['allowedHeaders'] !== ''
|
|
43
35
|
? $cfg['allowedHeaders']
|
|
@@ -49,7 +41,6 @@ final class CorsMiddleware
|
|
|
49
41
|
header('Access-Control-Max-Age: ' . (string) $cfg['maxAge']);
|
|
50
42
|
}
|
|
51
43
|
|
|
52
|
-
// Optional: Private Network Access preflights (Chrome)
|
|
53
44
|
if (!empty($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_PRIVATE_NETWORK'])) {
|
|
54
45
|
header('Access-Control-Allow-Private-Network: true');
|
|
55
46
|
}
|
|
@@ -59,13 +50,11 @@ final class CorsMiddleware
|
|
|
59
50
|
exit;
|
|
60
51
|
}
|
|
61
52
|
|
|
62
|
-
// Simple/actual request
|
|
63
53
|
if ($cfg['exposeHeaders'] !== '') {
|
|
64
54
|
header('Access-Control-Expose-Headers: ' . $cfg['exposeHeaders']);
|
|
65
55
|
}
|
|
66
56
|
}
|
|
67
57
|
|
|
68
|
-
/** Read env + normalize + apply overrides */
|
|
69
58
|
private static function buildConfig(?array $overrides): array
|
|
70
59
|
{
|
|
71
60
|
$allowed = self::parseList($_ENV['CORS_ALLOWED_ORIGINS'] ?? '');
|
|
@@ -86,12 +75,10 @@ final class CorsMiddleware
|
|
|
86
75
|
}
|
|
87
76
|
}
|
|
88
77
|
|
|
89
|
-
// Normalize patterns
|
|
90
78
|
$cfg['allowedOrigins'] = array_map([self::class, 'normalize'], $cfg['allowedOrigins']);
|
|
91
79
|
return $cfg;
|
|
92
80
|
}
|
|
93
81
|
|
|
94
|
-
/** CSV or JSON array → array<string> */
|
|
95
82
|
private static function parseList(string $raw): array
|
|
96
83
|
{
|
|
97
84
|
$raw = trim($raw);
|
|
@@ -118,13 +105,10 @@ final class CorsMiddleware
|
|
|
118
105
|
foreach ($list as $pattern) {
|
|
119
106
|
$p = self::normalize($pattern);
|
|
120
107
|
|
|
121
|
-
// literal "*"
|
|
122
108
|
if ($p === '*') return true;
|
|
123
109
|
|
|
124
|
-
// allow literal "null" for file:// or sandboxed if explicitly listed
|
|
125
110
|
if ($o === 'null' && strtolower($p) === 'null') return true;
|
|
126
111
|
|
|
127
|
-
// wildcard like https://*.example.com
|
|
128
112
|
if (strpos($p, '*') !== false) {
|
|
129
113
|
$regex = '/^' . str_replace('\*', '[^.]+', preg_quote($p, '/')) . '$/i';
|
|
130
114
|
if (preg_match($regex, $o)) return true;
|