ByJG\RestServer\Middleware\CorsMiddleware::preFlight()

Complexity

Conditions	5
Paths	6

Size

Total Lines	28
Code Lines	16

Duplication

Lines	0
Ratio	0 %

Code Coverage

Tests	17
CRAP Score	5

Importance

Changes

0

<?php
    protected function preFlight(HttpResponse $response, HttpRequest $request)
    {
        // TODO: Still missing some headers
        // https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request
        $corsStatus = self::CORS_OK;

        if (!empty($request->server('HTTP_ORIGIN'))) {
            $corsStatus = self::CORS_FAILED;

            foreach ((array)$this->corsOrigins as $origin) {
                if (preg_match("~^.*//$origin$~", $request->server('HTTP_ORIGIN'))) {

It seems like $request->server('HTTP_ORIGIN') can also be of type boolean; however, parameter $subject of preg_match() does only seem to accept string, maybe add an additional type check?

                    $response->addHeader("Access-Control-Allow-Origin", $request->server('HTTP_ORIGIN'));
                    $response->addHeader('Access-Control-Allow-Credentials', 'true');
                    $response->addHeader('Access-Control-Max-Age', '86400');    // cache for 1 day

                    // Access-Control headers are received during OPTIONS requests
                    if ($request->server('REQUEST_METHOD') == 'OPTIONS') {
                        $response->setResponseCode(204, 'No Content');
                        $response->addHeader("Access-Control-Allow-Methods", implode(",", array_merge(['OPTIONS'], $this->corsMethods)));
                        $response->addHeader("Access-Control-Allow-Headers", implode(",", $this->corsHeaders));
                        return self::CORS_OPTIONS;
                    }
                    $corsStatus = self::CORS_OK;
                    break;
                }
            }
        }
        return $corsStatus;
    }