fix: add more proper CORS implementation

Author: lefuturiste

App/Middlewares/CorsMiddleware.php

@@ -5,21 +5,53 @@
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
 use Psr\Http\Server\RequestHandlerInterface;
+use Slim\Http\Factory\DecoratedResponseFactory;
+use Slim\Http\Response;
+use Slim\Psr7\Factory\ResponseFactory;
+use Slim\Psr7\Factory\StreamFactory;
+use Psr\Container\ContainerInterface;
 
 class CorsMiddleware
 {
+    public function __construct(
+        private ContainerInterface $container
+    )
+    {
+    }
+
     public function __invoke(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
     {
-        $response = $handler->handle($request);
-        $response = $response
-            ->withHeader('Access-Control-Allow-Origin', '*')
-            ->withHeader('Access-Control-Allow-Methods', 'POST, PUT, GET, OPTIONS')
-            ->withHeader('Access-Control-Allow-Headers', 'Origin, Content-Type, Authorization');
+        $allowedOrigins = [
+            $this->container->get('services')['web_endpoint'],
+            $this->container->get('services')['admin_endpoint']
+        ];
+        if (!$request->hasHeader('Origin')) {
+            // do not treat this request with CORS
+            return $handler->handle($request);
+        }
+        $origin = $request->getHeader('Origin')[0];
+        if (in_array($origin, $allowedOrigins) === False) {
+            // this origin is not allowed, skip CORS
+            return $handler->handle($request);
+        }
 
-        if ($request->getMethod() == "OPTIONS") {
-            return $response->withJson(true);
+        if ($request->getMethod() === "OPTIONS") {
+            $response = (new DecoratedResponseFactory(new ResponseFactory(), new StreamFactory()))->createResponse();
+            return $this
+                ->alterResponse($origin, $response)
+                ->withJson(true);
         }
+        
+        $response = $handler->handle($request);
+
+        return $this->alterResponse($origin, $response);
+    }
 
-        return $response;
+    private function alterResponse(string $origin, ResponseInterface $response): Response
+    {
+        return $response
+            ->withHeader('Access-Control-Allow-Origin', $origin)
+            ->withHeader('Access-Control-Allow-Methods', 'POST, PUT, GET, OPTIONS')
+            ->withHeader('Access-Control-Allow-Headers', 'Origin, Content-Type, Authorization');
     }
 }

App/Middlewares/JWTMiddleware.php

@@ -26,7 +26,7 @@ public function __construct(
     public function __invoke(ServerRequestInterface $request, RequestHandlerInterface $handler)
     {
         $response = (new DecoratedResponseFactory(new ResponseFactory(), new StreamFactory()))->createResponse();
-
+        
         if (!$request->hasHeader('Authorization')) {
             return $response->withStatus(401)->withJson([
                 'success' => false,

App/routes.php

@@ -4,9 +4,10 @@
 
 use Slim\Routing\RouteCollectorProxy;
 
-function addRoutes(\Slim\App $app)
+function addRoutes(\Slim\App $app): void
 {
-    $app->add(new Middlewares\CorsMiddleware());
+    $container = $app->getContainer();
+    $app->add(new Middlewares\CorsMiddleware($container));
 
     $app->get('/', [Controllers\PagesController::class, 'getHome']);
     $app->get('/ping', [Controllers\PagesController::class, 'getPing']);
@@ -16,28 +17,28 @@ function addRoutes(\Slim\App $app)
     $app->post('/newsletter/event', [Controllers\NewsletterController::class, 'postEvent']);
 
     $app->map(['POST', 'OPTIONS'], '/graphql', [Controllers\GraphQlController::class, 'newRequest'])
-        ->add(new Middlewares\JWTMiddleware($app->getContainer()));
+        ->add(new Middlewares\JWTMiddleware($container));
 
 // STRIPE
     $app->map(['POST', 'OPTIONS'], '/stripe/create', [Controllers\Payment\StripeController::class, 'postCreateSession'])
-        ->add(new Middlewares\JWTMiddleware($app->getContainer()));
+        ->add(new Middlewares\JWTMiddleware($container));
     $app->map(['POST', 'OPTIONS'], '/stripe/execute', [Controllers\Payment\StripeController::class, 'postExecute']);
 
 // PAYPAL
     $app->map(['POST', 'OPTIONS'], '/paypal/get-url', [Controllers\Payment\PaypalController::class, 'postGetUrl'])
-        ->add(new Middlewares\JWTMiddleware($app->getContainer()));
+        ->add(new Middlewares\JWTMiddleware($container));
 //$app->get('/paypal/execute', [Controllers\Payment\PaypalController::class, 'postExecute']);
     $app->map(['POST', 'OPTIONS'], '/paypal/execute', [Controllers\Payment\PaypalController::class, 'postExecute']);
 
-    $app->group('/account', function (RouteCollectorProxy $group) use ($app) {
+    $app->group('/account', function (RouteCollectorProxy $group) use ($container) {
         $group->get('/login', [Controllers\AccountController::class, 'getLogin']);
         $group->get('/register', [Controllers\AccountController::class, 'getLogin']);
         $group->get('/login-desktop', [Controllers\AccountController::class, 'getLoginDesktop']);
         $group->post('/login-desktop', [Controllers\AccountController::class, 'postLoginDesktop'])
-            ->add(new Middlewares\JWTMiddleware($app->getContainer()));
+            ->add(new Middlewares\JWTMiddleware($container));
 
         $group->map(['GET', 'OPTIONS'], '/info', [Controllers\AccountController::class, 'getInfo'])
-            ->add(new Middlewares\JWTMiddleware($app->getContainer()));
+            ->add(new Middlewares\JWTMiddleware($container));
 
         $group->map(['POST', 'OPTIONS'], '/execute', [Controllers\AccountController::class, 'execute']);
     });
@@ -46,7 +47,7 @@ function addRoutes(\Slim\App $app)
         $group->map(['GET', 'OPTIONS'], '[/]', [Controllers\DashboardController::class, 'getDashboard']);
         $group->map(['POST', 'OPTIONS'], '/upload', [Controllers\UploadController::class, 'postUpload']);
         $group->map(['GET', 'OPTIONS'], '/delete', [Controllers\DashboardController::class, 'getDelete']);
-    })->add(new Middlewares\JWTMiddleware($app->getContainer()));
+    })->add(new Middlewares\JWTMiddleware($container));
 
     $app->group('/shop', function (RouteCollectorProxy $group) {
         $group->get('/address', [Controllers\ShopController::class, 'getQueryAddress'])
@@ -66,17 +67,17 @@ function addRoutes(\Slim\App $app)
 // });
 
     $app->get('/cache/shop/generate', [Controllers\PagesController::class, 'generateShopCache'])
-        ->add(new Middlewares\JWTMiddleware($app->getContainer()));
+        ->add(new Middlewares\JWTMiddleware($container));
     $app->get('/websocket/connexions', [Controllers\PagesController::class, 'getWebSocketConnexions'])
-        ->add(new Middlewares\JWTMiddleware($app->getContainer()));
+        ->add(new Middlewares\JWTMiddleware($container));
     $app->get('/test-send-email-event', [Controllers\PagesController::class, 'testSendEmailEvent'])
-        ->add(new Middlewares\JWTMiddleware($app->getContainer()));
+        ->add(new Middlewares\JWTMiddleware($container));
 
     $app->get('/countries/{locale}', [Controllers\CountriesController::class, 'getCountries']);
 
     $app->get('/health', [Controllers\HealthController::class, 'getHealth']);
     $app->get('/dangerously-truncate-table', [Controllers\IntegrationTestController::class, 'getDangerouslyTruncateTables']);
     $app->get('/jwt', [Controllers\IntegrationTestController::class, 'getUserToken'])
-        ->add(new Middlewares\JWTMiddleware($app->getContainer()));
+        ->add(new Middlewares\JWTMiddleware($container));
 
 }