Ugrade neomerx/cors-psr7 to 2.0 (#67)

* Ugrade neomerx/cors-psr7 to 2.0

This upgrades the internal dependency `neomerx/cors-psr7` to its latest
major version 2. This includes the following changes:

- Use `Settings::init()` to populate the Settings properties with sane
  defaults. This avoids type errors in unset options (like the host
  check)
- Add `CorsMiddleware::determineServerOrigin()` for usage in the
  settings initialization
- Adapt setter calls in `CorsMiddleware::buildSettings()` to the updated settings api
- Adapt `Settings` to the updated settings api

And some minor changes:
- Rename `CorsTest` to `CorseMiddlewareTest`
- Simplify `CorsMiddlewareTest::wildcardOriginDataProvider()`

Fixes #33

Author: usox

composer.json

@@ -22,7 +22,7 @@
     },
     "require": {
         "php": "^7.2|^8.0",
-        "neomerx/cors-psr7": "^1.0.4",
+        "neomerx/cors-psr7": "^2",
         "psr/http-message": "^1.0.1",
         "psr/http-server-middleware": "^1.0",
         "tuupola/callable-handler": "^1.0",

src/CorsMiddleware.php

@@ -39,10 +39,10 @@
 use Neomerx\Cors\Analyzer as CorsAnalyzer;
 use Neomerx\Cors\Contracts\AnalysisResultInterface as CorsAnalysisResultInterface;
 use Neomerx\Cors\Contracts\Constants\CorsResponseHeaders;
-use Psr\Http\Server\MiddlewareInterface;
-use Psr\Http\Server\RequestHandlerInterface;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
+use Psr\Http\Server\MiddlewareInterface;
+use Psr\Http\Server\RequestHandlerInterface;
 use Psr\Log\LoggerInterface;
 use Tuupola\Http\Factory\ResponseFactory;
 use Tuupola\Middleware\Settings as CorsSettings;
@@ -56,16 +56,20 @@
  *  "origin.server"?: null|string|array<string>,
  *  cache?: int,
  *  error?: null|callable,
- *  logger?: null|LoggerInterface
+ *  logger?: null|LoggerInterface,
  * }
  */
 final class CorsMiddleware implements MiddlewareInterface
 {
     use DoublePassTrait;
 
-    /**
-     * @var LoggerInterface|null
-     */
+    /** @var int */
+    private const PORT_HTTP = 80;
+
+    /** @var int */
+    private const PORT_HTTPS = 443;
+
+    /** @var LoggerInterface|null */
     private $logger;
 
     /**
@@ -78,7 +82,7 @@ final class CorsMiddleware implements MiddlewareInterface
      *  "origin.server": null|string|array<string>,
      *  cache: int,
      *  error: null|callable,
-     *  logger: null|LoggerInterface
+     *  logger: null|LoggerInterface,
      * }
      */
     private $options = [
@@ -102,7 +106,7 @@ final class CorsMiddleware implements MiddlewareInterface
      *  "origin.server"?: null|string|array<string>,
      *  cache?: int,
      *  error?: null|callable,
-     *  logger?: null|LoggerInterface
+     *  logger?: null|LoggerInterface,
      * } $options
      */
     public function __construct(array $options = [])
@@ -216,32 +220,33 @@ private function buildSettings(ServerRequestInterface $request, ResponseInterfac
     {
         $settings = new CorsSettings();
 
-        $origin = array_fill_keys($this->options["origin"], true);
-        $settings->setRequestAllowedOrigins($origin);
+        $serverOrigin = $this->determineServerOrigin();
+
+        $settings->init(
+            $serverOrigin['scheme'],
+            $serverOrigin['host'],
+            $serverOrigin['port']
+        );
+
+        $settings->setAllowedOrigins($this->options["origin"]);
 
         if (is_callable($this->options["methods"])) {
             $methods = (array) $this->options["methods"]($request, $response);
         } else {
             $methods = (array) $this->options["methods"];
         }
 
-        $methods = array_fill_keys($methods, true);
-        $settings->setRequestAllowedMethods($methods);
-
-        $headers = array_fill_keys($this->options["headers.allow"], true);
+        $settings->setAllowedMethods($methods);
 
         /* transform all headers to lowercase */
-        $headers = array_change_key_case($headers);
-
-        $settings->setRequestAllowedHeaders($headers);
+        $headers = array_change_key_case($this->options["headers.allow"]);
 
-        $headers = array_fill_keys($this->options["headers.expose"], true);
-        $settings->setResponseExposedHeaders($headers);
+        $settings->setAllowedHeaders($headers);
 
-        $settings->setRequestCredentialsSupported($this->options["credentials"]);
+        $settings->setExposedHeaders($this->options["headers.expose"]);
 
-        if (is_string($this->options["origin.server"])) {
-            $settings->setServerOrigin($this->options["origin.server"]);
+        if ($this->options["credentials"]) {
+            $settings->setCredentialsSupported();
         }
 
         $settings->setPreFlightCacheMaxAge($this->options["cache"]);
@@ -250,13 +255,48 @@ private function buildSettings(ServerRequestInterface $request, ResponseInterfac
     }
 
     /**
-     * Edge cannot handle multiple Access-Control-Expose-Headers headers
+     * Try to determine the server origin uri fragments
+     *
+     * @return array{scheme: string, host: string, port: int}
+     */
+    private function determineServerOrigin(): array
+    {
+        // set some default
+        $url = [
+            'scheme' => 'https',
+            'host' => '',
+            'port' => self::PORT_HTTPS,
+        ];
+
+        // load details from server origin
+        if (is_string($this->options["origin.server"])) {
+            /** @var false|array{scheme: string, host: string, port?: int} $url_chunks */
+            $url_chunks = parse_url($this->options["origin.server"]);
+            if ($url_chunks !== false) {
+                $url = $url_chunks;
+            }
+
+            if (!array_key_exists('port', $url)) {
+                $url['port'] = $url['scheme'] === 'https' ? self::PORT_HTTPS : self::PORT_HTTP;
+            }
+        }
+
+        return $url;
+    }
+
+    /**
+     * Edge cannot handle Access-Control-Expose-Headers having a trailing whitespace after the comma
+     *
+     * @see https://github.com/tuupola/cors-middleware/issues/40
      */
     private function fixHeaders(array $headers): array
     {
         if (isset($headers[CorsResponseHeaders::EXPOSE_HEADERS])) {
-            $headers[CorsResponseHeaders::EXPOSE_HEADERS] =
-                implode(",", $headers[CorsResponseHeaders::EXPOSE_HEADERS]);
+            $headers[CorsResponseHeaders::EXPOSE_HEADERS] = str_replace(
+                ' ',
+                '',
+                $headers[CorsResponseHeaders::EXPOSE_HEADERS]
+            );
         }
 
         return $headers;

src/Settings.php

@@ -28,25 +28,34 @@
 
 namespace Tuupola\Middleware;
 
-use Neomerx\Cors\Contracts\Http\ParsedUrlInterface;
 use Neomerx\Cors\Strategies\Settings as BaseSettings;
 
 class Settings extends BaseSettings
 {
-    public function isRequestOriginAllowed(ParsedUrlInterface $requestOrigin): bool
+    /** @var array<string> */
+    private $allowedOrigins = [];
+
+    public function setAllowedOrigins(array $origins): BaseSettings
+    {
+        $this->allowedOrigins = $origins;
+
+        return parent::setAllowedOrigins($origins);
+    }
+
+    public function isRequestOriginAllowed(string $requestOrigin): bool
     {
         $isAllowed = parent::isRequestOriginAllowed($requestOrigin);
 
         if (!$isAllowed) {
-            $isAllowed = $this->wildcardOriginAllowed($requestOrigin->getOrigin());
+            $isAllowed = $this->wildcardOriginAllowed($requestOrigin);
         }
 
         return $isAllowed;
     }
 
     private function wildcardOriginAllowed(string $origin): bool
     {
-        foreach ($this->settings[self::KEY_ALLOWED_ORIGINS] as $allowedOrigin => $value) {
+        foreach ($this->allowedOrigins as $allowedOrigin) {
             if (fnmatch($allowedOrigin, $origin)) {
                 return true;
             }

tests/CorsTest.php renamed to tests/CorsMiddlewareTest.php

@@ -41,7 +41,7 @@
 use Tuupola\Http\Factory\ResponseFactory;
 use Tuupola\Http\Factory\ServerRequestFactory;
 
-class CorsTest extends TestCase
+class CorsMiddlewareTest extends TestCase
 {
     public function testShouldBeTrue(): void
     {
@@ -63,7 +63,6 @@ public function testShouldReturn200ByDefault(): void
 
         $response = $cors($request, $response, $next);
         $this->assertEquals(200, $response->getStatusCode());
-        //$this->assertEquals("", $response->getBody());
     }
 
     public function testShouldAcceptWildcardSettings(): void

tests/SettingsTest.php

@@ -28,7 +28,7 @@
 
 namespace Tuupola\Middleware;
 
-use Neomerx\Cors\Http\ParsedUrl;
+use Generator;
 use PHPUnit\Framework\TestCase;
 
 class SettingsTest extends TestCase
@@ -47,73 +47,47 @@ protected function setUp(): void
     /**
      * @dataProvider wildcardOriginDataProvider
      */
-    public function testIsRequestOriginAllowed(string $origin, array $allowedOrigins, bool $expected): void
+    public function testIsRequestOriginAllowed(string $origin, string $allowedOrigins, bool $expected): void
     {
-        $requestOriginMock = $this->createMock(ParsedUrl::class);
-        $requestOriginMock->method("getOrigin")
-            ->willReturn($origin);
-
-        $this->testObject->setRequestAllowedOrigins($allowedOrigins);
-        $result = $this->testObject->isRequestOriginAllowed($requestOriginMock);
+        $this->testObject->setAllowedOrigins([$allowedOrigins]);
+        $result = $this->testObject->isRequestOriginAllowed($origin);
 
         $this->assertSame($expected, $result);
     }
 
-    public function wildcardOriginDataProvider(): iterable
+    public function wildcardOriginDataProvider(): Generator
     {
         // Allow subdomain without wildcard
-        $origin = "https://www.example.com";
-        $allowedOrigins = ["https://www.example.com" => true];
-        yield [$origin, $allowedOrigins, true];
+        yield ["https://www.example.com", "https://www.example.com", true];
 
         // Disallow wrong subdomain
-        $origin = "https://ws.example.com";
-        $allowedOrigins = ["https://www.example.com" => true];
-        yield [$origin, $allowedOrigins, false];
+        yield ["https://ws.example.com", "https://www.example.com", false];
 
         // Allow all
-        $origin = "https://ws.example.com";
-        $allowedOrigins = ["*" => true];
-        yield [$origin, $allowedOrigins, true];
+        yield ["https://ws.example.com", "*", true];
 
         // Allow subdomain wildcard
-        $origin = "https://ws.example.com";
-        $allowedOrigins = ["https://*.example.com" => true];
-        yield [$origin, $allowedOrigins, true];
+        yield ["https://ws.example.com", "https://*.example.com", true];
 
         // Allow without specifying protocol
-        $origin = "https://ws.example.com";
-        $allowedOrigins = ["*.example.com" => true];
-        yield [$origin, $allowedOrigins, true];
+        yield ["https://ws.example.com", "*.example.com", true];
 
         // Allow double subdomain for wildcard
-        $origin = "https://a.b.example.com";
-        $allowedOrigins = ["*.example.com" => true];
-        yield [$origin, $allowedOrigins, true];
+        yield ["https://a.b.example.com", "*.example.com", true];
 
         // Disallow for incorrect domain wildcard
-        $origin = "https://a.example.com.evil.com";
-        $allowedOrigins = ["*.example.com" => true];
-        yield [$origin, $allowedOrigins, false];
+        yield ["https://a.example.com.evil.com", "*.example.com", false];
 
         // Allow subdomain in the middle
-        $origin = "a.b.example.com";
-        $allowedOrigins = ["a.*.example.com" => true];
-        yield [$origin, $allowedOrigins, true];
+        yield ["a.b.example.com", "a.*.example.com", true];
 
         // Disallow wrong subdomain
-        $origin = "b.bc.example.com";
-        $allowedOrigins = ["a.*.example.com" => true];
-        yield [$origin, $allowedOrigins, false];
+        yield ["b.bc.example.com", "a.*.example.com", false];
 
         // Correctly handle dots
-        $origin = "exampleXcom";
-        $allowedOrigins = ["example.com" => true];
-        yield [$origin, $allowedOrigins, false];
+        yield ["exampleXcom", "example.com", false];
 
         // Allow subdomain and domain with one rule
-        $origin = "test.example.com";
-        $allowedOrigins = ["*example*" => true];
-        yield [$origin, $allowedOrigins, true];
+        yield ["test.example.com", "*example*", true];
     }
 }