MediaWiki master
CorsUtils.php
Go to the documentation of this file.
1<?php
2
3namespace MediaWiki\Rest;
4
10
16 public const CONSTRUCTOR_OPTIONS = [
23 ];
24
26 private $options;
27
29 private $responseFactory;
30
32 private $user;
33
39 public function __construct(
40 ServiceOptions $options,
41 ResponseFactory $responseFactory,
42 UserIdentity $user
43 ) {
44 $options->assertRequiredOptions( self::CONSTRUCTOR_OPTIONS );
45 $this->options = $options;
46 $this->responseFactory = $responseFactory;
47 $this->user = $user;
48 }
49
58 public function authorize( RequestInterface $request, Handler $handler ) {
59 // Handlers that need write access are by definition a cache-miss, therefore there is no
60 // need to vary by the origin.
61 if (
62 $handler->needsWriteAccess()
63 && $request->hasHeader( 'Origin' )
64 && !$this->user->isRegistered()
65 ) {
66 $origin = Origin::parseHeaderList( $request->getHeader( 'Origin' ) );
67
68 if ( !$this->allowOrigin( $origin ) ) {
69 return 'rest-cross-origin-anon-write';
70 }
71 }
72
73 return null;
74 }
75
80 private function allowOrigin( Origin $origin ): bool {
81 $allowed = array_merge( [ $this->getCanonicalDomain() ],
82 $this->options->get( MainConfigNames::CrossSiteAJAXdomains ) );
83 $excluded = $this->options->get( MainConfigNames::CrossSiteAJAXdomainExceptions );
84
85 return $origin->match( $allowed, $excluded );
86 }
87
91 private function getCanonicalDomain(): string {
92 $res = parse_url( $this->options->get( MainConfigNames::CanonicalServer ) );
93 '@phan-var array $res';
94
95 $host = $res['host'] ?? '';
96 $port = $res['port'] ?? null;
97
98 return $port ? "$host:$port" : $host;
99 }
100
111 public function modifyResponse( RequestInterface $request, ResponseInterface $response ): ResponseInterface {
112 if ( !$this->options->get( MainConfigNames::AllowCrossOrigin ) ) {
113 return $response;
114 }
115
116 $allowedOrigin = '*';
117
118 if ( $this->options->get( MainConfigNames::RestAllowCrossOriginCookieAuth ) ) {
119 // @TODO Since we only Vary the response if (1) the method is OPTIONS or (2) the user is
120 // registered, it is safe to only add the Vary: Origin when those two conditions
121 // are met since a response to a logged-in user's request is not cachable.
122 // Therefore, logged out users should always get `Access-Control-Allow-Origin: *`
123 // on all non-OPTIONS request and logged-in users *may* get
124 // `Access-Control-Allow-Origin: <requested origin>`
125
126 // Vary All Requests by the Origin header.
127 $response->addHeader( 'Vary', 'Origin' );
128
129 // If the Origin header is missing, there is nothing to check against.
130 if ( $request->hasHeader( 'Origin' ) ) {
131 $origin = Origin::parseHeaderList( $request->getHeader( 'Origin' ) );
132 if ( $this->allowOrigin( $origin ) ) {
133 // Only set the allowed origin for preflight requests, or for main requests where a registered
134 // user is authenticated. This prevents having to Vary all requests by the Origin.
135 // Anonymous users will always get '*', registered users *may* get the requested origin back.
136 if ( $request->getMethod() === 'OPTIONS' || $this->user->isRegistered() ) {
137 $allowedOrigin = $origin->getSingleOrigin();
138 }
139 }
140 }
141 }
142
143 // If the Origin was determined to be something other than *any* allow the session
144 // cookies to be sent with the main request. If this is the main request, allow the
145 // response to be read.
146 //
147 // If the client includes the credentials on a simple request (HEAD, GET, etc.), but
148 // they do not pass this check, the browser will refuse to allow the client to read the
149 // response. The client may resolve this by repeating the request without the
150 // credentials.
151 if ( $allowedOrigin !== '*' ) {
152 $response->setHeader( 'Access-Control-Allow-Credentials', 'true' );
153 }
154
155 $response->setHeader( 'Access-Control-Allow-Origin', $allowedOrigin );
156
157 return $response;
158 }
159
166 public function createPreflightResponse( array $allowedMethods ): Response {
167 $response = $this->responseFactory->createNoContent();
168 $response->setHeader( 'Access-Control-Allow-Methods', $allowedMethods );
169
170 $allowedHeaders = $this->options->get( MainConfigNames::AllowedCorsHeaders );
171 $allowedHeaders = array_merge( $allowedHeaders, array_diff( [
172 // Authorization header must be explicitly listed which prevent the use of '*'
173 'Authorization',
174 // REST must allow Content-Type to be operational
175 'Content-Type',
176 // REST relies on conditional requests for some endpoints
177 'If-Mach',
178 'If-None-Match',
179 'If-Modified-Since',
180 ], $allowedHeaders ) );
181 $response->setHeader( 'Access-Control-Allow-Headers', $allowedHeaders );
182
183 return $response;
184 }
185}
if(!defined('MW_SETUP_CALLBACK'))
Definition WebStart.php:81
A class for passing options to services.
assertRequiredOptions(array $expectedKeys)
Assert that the list of options provided in this instance exactly match $expectedKeys,...
A class containing constants representing the names of configuration variables.
const CrossSiteAJAXdomainExceptions
Name constant for the CrossSiteAJAXdomainExceptions setting, for use with Config::get()
const CanonicalServer
Name constant for the CanonicalServer setting, for use with Config::get()
const AllowCrossOrigin
Name constant for the AllowCrossOrigin setting, for use with Config::get()
const AllowedCorsHeaders
Name constant for the AllowedCorsHeaders setting, for use with Config::get()
const CrossSiteAJAXdomains
Name constant for the CrossSiteAJAXdomains setting, for use with Config::get()
const RestAllowCrossOriginCookieAuth
Name constant for the RestAllowCrossOriginCookieAuth setting, for use with Config::get()
__construct(ServiceOptions $options, ResponseFactory $responseFactory, UserIdentity $user)
Definition CorsUtils.php:39
createPreflightResponse(array $allowedMethods)
Create a CORS preflight response.
authorize(RequestInterface $request, Handler $handler)
Only allow registered users to make unsafe cross-origin requests.
Definition CorsUtils.php:58
modifyResponse(RequestInterface $request, ResponseInterface $response)
Modify response to allow for CORS.
Base class for REST route handlers.
Definition Handler.php:23
needsWriteAccess()
Indicates whether this route requires write access.
Definition Handler.php:1026
A class to assist with the parsing of Origin header according to the RFC 6454 https://tools....
Definition Origin.php:12
match(array $allowList, array $excludeList)
Check whether all the origins match at least one of the rules in $allowList.
Definition Origin.php:77
Generates standardized response objects.
setHeader( $name, $value)
Set or replace the specified header.
Definition Response.php:94
An interface used by Router to ensure that the client has "basic" access, i.e.
A request interface similar to PSR-7's ServerRequestInterface.
hasHeader( $name)
Checks if a header exists by the given case-insensitive name.
getHeader( $name)
Retrieves a message header value by the given case-insensitive name.
An interface similar to PSR-7's ResponseInterface, the primary difference being that it is mutable.
addHeader( $name, $value)
Append the given value to the specified header.
Interface for objects representing user identity.