Merge pull request #3265 from dunglas/fix_3262

Prevent adding Link headers for CORS preflight requets

Author: teohhanhui

src/Hydra/EventListener/AddLinkHeaderListener.php

@@ -15,6 +15,7 @@
 
 use ApiPlatform\Core\Api\UrlGeneratorInterface;
 use ApiPlatform\Core\JsonLd\ContextBuilder;
+use ApiPlatform\Core\Util\CorsTrait;
 use Fig\Link\GenericLinkProvider;
 use Fig\Link\Link;
 use Symfony\Component\HttpKernel\Event\ResponseEvent;
@@ -26,6 +27,8 @@
  */
 final class AddLinkHeaderListener
 {
+    use CorsTrait;
+
     private $urlGenerator;
 
     public function __construct(UrlGeneratorInterface $urlGenerator)
@@ -38,15 +41,20 @@ public function __construct(UrlGeneratorInterface $urlGenerator)
      */
     public function onKernelResponse(ResponseEvent $event): void
     {
+        $request = $event->getRequest();
+        // Prevent issues with NelmioCorsBundle
+        if ($this->isPreflightRequest($request)) {
+            return;
+        }
+
         $apiDocUrl = $this->urlGenerator->generate('api_doc', ['_format' => 'jsonld'], UrlGeneratorInterface::ABS_URL);
         $link = new Link(ContextBuilder::HYDRA_NS.'apiDocumentation', $apiDocUrl);
 
-        $attributes = $event->getRequest()->attributes;
-        if (null === $linkProvider = $attributes->get('_links')) {
-            $attributes->set('_links', new GenericLinkProvider([$link]));
+        if (null === $linkProvider = $request->attributes->get('_links')) {
+            $request->attributes->set('_links', new GenericLinkProvider([$link]));
 
             return;
         }
-        $attributes->set('_links', $linkProvider->withLink($link));
+        $request->attributes->set('_links', $linkProvider->withLink($link));
     }
 }

src/Mercure/EventListener/AddLinkHeaderListener.php

@@ -14,6 +14,7 @@
 namespace ApiPlatform\Core\Mercure\EventListener;
 
 use ApiPlatform\Core\Metadata\Resource\Factory\ResourceMetadataFactoryInterface;
+use ApiPlatform\Core\Util\CorsTrait;
 use Fig\Link\GenericLinkProvider;
 use Fig\Link\Link;
 use Symfony\Component\HttpKernel\Event\ResponseEvent;
@@ -25,6 +26,8 @@
  */
 final class AddLinkHeaderListener
 {
+    use CorsTrait;
+
     private $resourceMetadataFactory;
     private $hub;
 
@@ -39,22 +42,27 @@ public function __construct(ResourceMetadataFactoryInterface $resourceMetadataFa
      */
     public function onKernelResponse(ResponseEvent $event): void
     {
+        $request = $event->getRequest();
+        // Prevent issues with NelmioCorsBundle
+        if ($this->isPreflightRequest($request)) {
+            return;
+        }
+
         $link = new Link('mercure', $this->hub);
 
-        $attributes = $event->getRequest()->attributes;
         if (
-            null === ($resourceClass = $attributes->get('_api_resource_class')) ||
+            null === ($resourceClass = $request->attributes->get('_api_resource_class')) ||
             false === $this->resourceMetadataFactory->create($resourceClass)->getAttribute('mercure', false)
         ) {
             return;
         }
 
-        if (null === $linkProvider = $attributes->get('_links')) {
-            $attributes->set('_links', new GenericLinkProvider([$link]));
+        if (null === $linkProvider = $request->attributes->get('_links')) {
+            $request->attributes->set('_links', new GenericLinkProvider([$link]));
 
             return;
         }
 
-        $attributes->set('_links', $linkProvider->withLink($link));
+        $request->attributes->set('_links', $linkProvider->withLink($link));
     }
 }

src/Util/CorsTrait.php

@@ -0,0 +1,33 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\Core\Util;
+
+use Symfony\Component\HttpFoundation\Request;
+
+/**
+ * CORS utils.
+ *
+ * To be removed when https://github.com/symfony/symfony/pull/34391 wil be merged.
+ *
+ * @internal
+ *
+ * @author Kévin Dunglas <[email protected]>
+ */
+trait CorsTrait
+{
+    public function isPreflightRequest(Request $request): bool
+    {
+        return $request->isMethod('OPTIONS') && $request->headers->has('Access-Control-Request-Method');
+    }
+}

tests/Hydra/EventListener/AddLinkHeaderListenerTest.php

@@ -50,4 +50,20 @@ public function provider(): array
             ['<https://demo.mercure.rocks/hub>; rel="mercure",<http://example.com/docs>; rel="http://www.w3.org/ns/hydra/core#apiDocumentation"', new Request([], [], ['_links' => new GenericLinkProvider([new Link('mercure', 'https://demo.mercure.rocks/hub')])])],
         ];
     }
+
+    public function testSkipWhenPreflightRequest(): void
+    {
+        $request = new Request();
+        $request->setMethod('OPTIONS');
+        $request->headers->set('Access-Control-Request-Method', 'POST');
+
+        $event = $this->prophesize(ResponseEvent::class);
+        $event->getRequest()->willReturn($request)->shouldBeCalled();
+
+        $urlGenerator = $this->prophesize(UrlGeneratorInterface::class);
+        $listener = new AddLinkHeaderListener($urlGenerator->reveal());
+        $listener->onKernelResponse($event->reveal());
+
+        $this->assertFalse($request->attributes->has('_links'));
+    }
 }

tests/Mercure/EventListener/AddLinkHeaderListenerTest.php

@@ -80,4 +80,20 @@ public function doNotAddProvider(): array
             [new Request([], [], ['_api_resource_class' => Dummy::class])],
         ];
     }
+
+    public function testSkipWhenPreflightRequest(): void
+    {
+        $request = new Request();
+        $request->setMethod('OPTIONS');
+        $request->headers->set('Access-Control-Request-Method', 'POST');
+
+        $event = $this->prophesize(ResponseEvent::class);
+        $event->getRequest()->willReturn($request)->shouldBeCalled();
+
+        $resourceMetadataFactory = $this->prophesize(ResourceMetadataFactoryInterface::class);
+        $listener = new AddLinkHeaderListener($resourceMetadataFactory->reveal(), 'http://example.com/.well-known/mercure');
+        $listener->onKernelResponse($event->reveal());
+
+        $this->assertFalse($request->attributes->has('_links'));
+    }
 }