Merge branch 'cors'

pdsinterop · Nov 30, 2021 · 243cfe1 · 243cfe1
2 parents 1fd0999 + d4ec5b4
commit 243cfe1
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 13 deletions.
diff --git a/solid/lib/Controller/ProfileController.php b/solid/lib/Controller/ProfileController.php
@@ -246,7 +246,10 @@ private function respond($response) {
 				$result->addHeader($header, $value);
 			}
 		}
-
+		$origin = $_SERVER['HTTP_ORIGIN'];
+		$result->addHeader('Access-Control-Allow-Credentials', 'true');
+		$result->addHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
+		$result->addHeader('Access-Control-Allow-Origin', $origin);
 		$result->setStatus($statusCode);
 		return $result;
 	}

diff --git a/solid/lib/Controller/ServerController.php b/solid/lib/Controller/ServerController.php
@@ -105,7 +105,13 @@ private function createAuthServerConfig() {
 	 * @NoCSRFRequired
 	 */
 	public function cors($path) {
-		return true;
+		$origin = $_SERVER['HTTP_ORIGIN'];
+		error_log('Allowing in OPTIONS:' . $origin);
+		return (new DataResponse('OK'))
+		->addHeader('Access-Control-Allow-Origin', $origin)
+		->addHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization')
+		->addHeader('Access-Control-Allow-Methods', 'POST')
+		->addHeader('Access-Control-Allow-Credentials', 'true');
 	}
 
 	/**
@@ -117,7 +123,7 @@ public function openid() {
 		$response = new \Laminas\Diactoros\Response();
 		$server	= new \Pdsinterop\Solid\Auth\Server($this->authServerFactory, $this->authServerConfig, $response);
 		$response = $server->respondToOpenIdMetadataRequest();
-		return $this->respond($response);
+		return $this->respond($response->addHeader('Access-Control-Allow-Origin', '*'));
 	}
 
 	/**
@@ -129,7 +135,7 @@ public function authorize() {
 		if (!$this->userManager->userExists($this->userId)) {
 			$result = new JSONResponse('Authorization required');
 			$result->setStatus(401);
-			return $result;
+			return $result->addHeader('Access-Control-Allow-Origin', '*');
 		}
 
 		$parser = new \Lcobucci\JWT\Parser();
@@ -154,7 +160,7 @@ public function authorize() {
 			} catch(\Exception $e) {
 				$result = new JSONResponse('Bad request, missing redirect uri');
 				$result->setStatus(400);
-				return $result;
+				return $result->addHeader('Access-Control-Allow-Origin', '*');
 			}
 		}
 		$clientId = $getVars['client_id'];
@@ -164,7 +170,7 @@ public function authorize() {
 			$result->setStatus(302);
 			$approvalUrl = $this->urlGenerator->getAbsoluteURL($this->urlGenerator->linkToRoute("solid.page.approval", array("clientId" => $clientId, "returnUrl" => $_SERVER['REQUEST_URI'])));
 			$result->addHeader("Location", $approvalUrl);
-			return $result;
+			return $result->addHeader('Access-Control-Allow-Origin', '*');
 		}
 
 		$user = new \Pdsinterop\Solid\Auth\Entity\User();
@@ -177,7 +183,7 @@ public function authorize() {
 		$response = $server->respondToAuthorizationRequest($request, $user, $approval);
 		$response = $this->tokenGenerator->addIdTokenToResponse($response, $clientId, $this->getProfilePage(), $this->session->get("nonce"), $this->config->getPrivateKey());
 
-		return $this->respond($response);
+		return $this->respond($response)->addHeader('Access-Control-Allow-Origin', '*');
 	}
 
 	private function checkApproval($clientId) {
@@ -250,7 +256,7 @@ public function token() {
 		$codeInfo = $this->tokenGenerator->getCodeInfo($code);
 		$response = $this->tokenGenerator->addIdTokenToResponse($response, $clientId, $codeInfo['user_id'], $_SESSION['nonce'], $this->config->getPrivateKey(), $dpopKey);
 
-		return $this->respond($response);
+		return $this->respond($response)->addHeader('Access-Control-Allow-Origin', '*');
 	}
 
 	/**
@@ -271,7 +277,7 @@ public function logout() {
 		$this->userService->logout();
 		return new JSONResponse("ok");
 	}
-				
+
 	/**
 	 * @PublicPage
 	 * @NoAdminRequired
@@ -285,7 +291,7 @@ public function register() {
 		}
 		$clientData['client_id_issued_at'] = time();
 		$parsedOrigin = parse_url($clientData['redirect_uris'][0]);
-		$origin = $parsedOrigin['host'];
+		$origin = 'https://' . $parsedOrigin['host'];
 
 		$clientId = $this->config->saveClientRegistration($origin, $clientData);
 		$registration = array(
@@ -294,10 +300,11 @@ public function register() {
 			'client_id_issued_at' => $clientData['client_id_issued_at'],
 			'redirect_uris' => $clientData['redirect_uris'],
 		);
-
+		error_log('allowingin POST:' . $origin);
 		$registration = $this->tokenGenerator->respondToRegistration($registration, $this->config->getPrivateKey());
-
-		return new JSONResponse($registration);
+		return (new JSONResponse($registration))
+		->addHeader('Access-Control-Allow-Origin', $origin)
+		->addHeader('Access-Control-Allow-Methods', 'POST');
 	}
 
 	/**
@@ -348,6 +355,7 @@ private function respond($response) {
 			}
 		}
 		$result->setStatus($statusCode);
+		$result->addHeader('Access-Control-Allow-Origin', '*');
 		return $result;
 	}
 

diff --git a/solid/lib/Controller/StorageController.php b/solid/lib/Controller/StorageController.php
@@ -388,6 +388,11 @@ private function respond($response) {
 				$result->addHeader($header, $value);
 			}
 		}
+		$origin = $_SERVER['HTTP_ORIGIN'];
+		$result->addHeader('Access-Control-Allow-Credentials', 'true');
+		$result->addHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
+		$result->addHeader('Access-Control-Allow-Origin', $origin);
+
 
 		$result->setStatus($statusCode);
 		return $result;