Removed Access-Control-Expose-Headers header from CrossDomainMiddleware, as it's actually not correct

This commit is contained in:
Alejandro Celaya 2020-12-31 15:41:02 +01:00
parent 84331135f7
commit 850a5b412c
3 changed files with 4 additions and 9 deletions


@ -32,8 +32,7 @@ class CrossDomainMiddleware implements MiddlewareInterface, RequestMethodInterfa
}
// Add Allow-Origin header
$response = $response->withHeader('Access-Control-Allow-Origin', $request->getHeader('Origin'))
->withHeader('Access-Control-Expose-Headers', AuthenticationMiddleware::API_KEY_HEADER);
$response = $response->withHeader('Access-Control-Allow-Origin', $request->getHeader('Origin'));
if ($request->getMethod() !== self::METHOD_OPTIONS) {
return $response;
}
@ -43,6 +42,8 @@ class CrossDomainMiddleware implements MiddlewareInterface, RequestMethodInterfa
private function addOptionsHeaders(ServerRequestInterface $request, ResponseInterface $response): ResponseInterface
{
// TODO This won't work. The route has to be matched from the router as this middleware needs to be executed
// before trying to match the route
/** @var RouteResult|null $matchedRoute */
$matchedRoute = $request->getAttribute(RouteResult::class);
$matchedMethods = $matchedRoute !== null ? $matchedRoute->getAllowedMethods() : [
@ -55,8 +56,8 @@ class CrossDomainMiddleware implements MiddlewareInterface, RequestMethodInterfa
];
$corsHeaders = [
'Access-Control-Allow-Methods' => implode(',', $matchedMethods),
'Access-Control-Max-Age' => $this->config['max_age'],
'Access-Control-Allow-Headers' => $request->getHeaderLine('Access-Control-Request-Headers'),
'Access-Control-Max-Age' => $this->config['max_age'],
];
// Options requests should always be empty and have a 204 status code
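Review bot: The rewritten Allow-Origin line in the first hunk still copies the request's `Origin` header into `Access-Control-Allow-Origin` verbatim, with no allow-list and without marking the response as origin-dependent, so a shared cache can hand one origin's response to a different origin; when reflecting the origin, append `->withAddedHeader('Vary', 'Origin')` to that call. Reflecting any origin is only safe while the API never sends `Access-Control-Allow-Credentials` and authenticates solely via the `X-Api-Key` request header (as the tests imply), so a comment such as `// Origin is reflected on purpose: auth is header-based (X-Api-Key) and credentials are never allowed` would keep a later change from silently turning this into a cross-origin read. The enclosing method starts before the hunk, and the `// TODO This won't work` note in the second hunk is left unresolved by this commit. The CorsTest and CrossDomainMiddlewareTest sections only drop the Expose-Headers assertions; asserting `self::assertFalse($resp->hasHeader('Access-Control-Expose-Headers'))` in the positive cases would lock the removal in.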


@ -16,7 +16,6 @@ class CorsTest extends ApiTestCase
self::assertEquals(200, $resp->getStatusCode());
self::assertFalse($resp->hasHeader('Access-Control-Allow-Origin'));
self::assertFalse($resp->hasHeader('Access-Control-Expose-Headers'));
self::assertFalse($resp->hasHeader('Access-Control-Allow-Methods'));
self::assertFalse($resp->hasHeader('Access-Control-Max-Age'));
self::assertFalse($resp->hasHeader('Access-Control-Allow-Headers'));
@ -37,7 +36,6 @@ class CorsTest extends ApiTestCase
self::assertEquals($expectedStatusCode, $resp->getStatusCode());
self::assertEquals($origin, $resp->getHeaderLine('Access-Control-Allow-Origin'));
self::assertEquals('X-Api-Key', $resp->getHeaderLine('Access-Control-Expose-Headers'));
self::assertFalse($resp->hasHeader('Access-Control-Allow-Methods'));
self::assertFalse($resp->hasHeader('Access-Control-Max-Age'));
self::assertFalse($resp->hasHeader('Access-Control-Allow-Headers'));
@ -66,7 +64,6 @@ class CorsTest extends ApiTestCase
self::assertEquals(204, $resp->getStatusCode());
self::assertTrue($resp->hasHeader('Access-Control-Allow-Origin'));
self::assertTrue($resp->hasHeader('Access-Control-Expose-Headers'));
self::assertTrue($resp->hasHeader('Access-Control-Max-Age'));
self::assertEquals($expectedAllowedMethods, $resp->getHeaderLine('Access-Control-Allow-Methods'));
self::assertEquals($allowedHeaders, $resp->getHeaderLine('Access-Control-Allow-Headers'));


@ -42,7 +42,6 @@ class CrossDomainMiddlewareTest extends TestCase
self::assertSame($originalResponse, $response);
self::assertEquals(404, $response->getStatusCode());
self::assertArrayNotHasKey('Access-Control-Allow-Origin', $headers);
self::assertArrayNotHasKey('Access-Control-Expose-Headers', $headers);
self::assertArrayNotHasKey('Access-Control-Allow-Methods', $headers);
self::assertArrayNotHasKey('Access-Control-Max-Age', $headers);
self::assertArrayNotHasKey('Access-Control-Allow-Headers', $headers);
@ -63,7 +62,6 @@ class CrossDomainMiddlewareTest extends TestCase
$headers = $response->getHeaders();
self::assertEquals('local', $response->getHeaderLine('Access-Control-Allow-Origin'));
self::assertEquals('X-Api-Key', $response->getHeaderLine('Access-Control-Expose-Headers'));
self::assertArrayNotHasKey('Access-Control-Allow-Methods', $headers);
self::assertArrayNotHasKey('Access-Control-Max-Age', $headers);
self::assertArrayNotHasKey('Access-Control-Allow-Headers', $headers);
@ -85,7 +83,6 @@ class CrossDomainMiddlewareTest extends TestCase
$headers = $response->getHeaders();
self::assertEquals('local', $response->getHeaderLine('Access-Control-Allow-Origin'));
self::assertEquals('X-Api-Key', $response->getHeaderLine('Access-Control-Expose-Headers'));
self::assertArrayHasKey('Access-Control-Allow-Methods', $headers);
self::assertEquals('1000', $response->getHeaderLine('Access-Control-Max-Age'));
self::assertEquals('foo, bar, baz', $response->getHeaderLine('Access-Control-Allow-Headers'));