CorsUtils.php

Go to the documentation of this file.

<?php
 
namespace MediaWiki\Rest;
 
use MediaWiki\Config\ServiceOptions;
use MediaWiki\MainConfigNames;
use MediaWiki\Rest\BasicAccess\BasicAuthorizerInterface;
use MediaWiki\Rest\HeaderParser\Origin;
use MediaWiki\User\UserIdentity;
 
class CorsUtils implements BasicAuthorizerInterface {
 
    public const CONSTRUCTOR_OPTIONS = [
        MainConfigNames::AllowedCorsHeaders,
        MainConfigNames::AllowCrossOrigin,
        MainConfigNames::RestAllowCrossOriginCookieAuth,
        MainConfigNames::CanonicalServer,
        MainConfigNames::CrossSiteAJAXdomains,
        MainConfigNames::CrossSiteAJAXdomainExceptions,
    ];
 
    private ServiceOptions $options;
    private ResponseFactory $responseFactory;
    private UserIdentity $user;
 
    public function __construct(
        ServiceOptions $options,
        ResponseFactory $responseFactory,
        UserIdentity $user
    ) {
        $options->assertRequiredOptions( self::CONSTRUCTOR_OPTIONS );
        $this->options = $options;
        $this->responseFactory = $responseFactory;
        $this->user = $user;
    }
 
    public function authorize( RequestInterface $request, Handler $handler ) {
        // Handlers that need write access are by definition a cache-miss, therefore there is no
        // need to vary by the origin.
        if (
            $handler->needsWriteAccess()
            && $request->hasHeader( 'Origin' )
            && !$this->user->isRegistered()
        ) {
            $origin = Origin::parseHeaderList( $request->getHeader( 'Origin' ) );
 
            if ( !$this->allowOrigin( $origin ) ) {
                return 'rest-cross-origin-anon-write';
            }
        }
 
        return null;
    }
 
    private function allowOrigin( Origin $origin ): bool {
        $allowed = array_merge( [ $this->getCanonicalDomain() ],
            $this->options->get( MainConfigNames::CrossSiteAJAXdomains ) );
        $excluded = $this->options->get( MainConfigNames::CrossSiteAJAXdomainExceptions );
 
        return $origin->match( $allowed, $excluded );
    }
 
    private function getCanonicalDomain(): string {
        $res = parse_url( $this->options->get( MainConfigNames::CanonicalServer ) );
        '@phan-var array $res';
 
        $host = $res['host'] ?? '';
        $port = $res['port'] ?? null;
 
        return $port ? "$host:$port" : $host;
    }
 
    public function modifyResponse( RequestInterface $request, ResponseInterface $response ): ResponseInterface {
        if ( !$this->options->get( MainConfigNames::AllowCrossOrigin ) ) {
            return $response;
        }
 
        $allowedOrigin = '*';
 
        if ( $this->options->get( MainConfigNames::RestAllowCrossOriginCookieAuth ) ) {
            // @TODO Since we only Vary the response if (1) the method is OPTIONS or (2) the user is
            //       registered, it is safe to only add the Vary: Origin when those two conditions
            //       are met since a response to a logged-in user's request is not cachable.
            //       Therefore, logged out users should always get `Access-Control-Allow-Origin: *`
            //       on all non-OPTIONS request and logged-in users *may* get
            //      `Access-Control-Allow-Origin: <requested origin>`
 
            // Vary All Requests by the Origin header.
            $response->addHeader( 'Vary', 'Origin' );
 
            // If the Origin header is missing, there is nothing to check against.
            if ( $request->hasHeader( 'Origin' ) ) {
                $origin = Origin::parseHeaderList( $request->getHeader( 'Origin' ) );
                if ( $this->allowOrigin( $origin ) ) {
                    // Only set the allowed origin for preflight requests, or for main requests where a registered
                    // user is authenticated. This prevents having to Vary all requests by the Origin.
                    // Anonymous users will always get '*', registered users *may* get the requested origin back.
                    if ( $request->getMethod() === 'OPTIONS' || $this->user->isRegistered() ) {
                        $allowedOrigin = $origin->getSingleOrigin();
                    }
                }
            }
        }
 
        // If the Origin was determined to be something other than *any* allow the session
        // cookies to be sent with the main request. If this is the main request, allow the
        // response to be read.
        //
        // If the client includes the credentials on a simple request (HEAD, GET, etc.), but
        // they do not pass this check, the browser will refuse to allow the client to read the
        // response. The client may resolve this by repeating the request without the
        // credentials.
        if ( $allowedOrigin !== '*' ) {
            $response->setHeader( 'Access-Control-Allow-Credentials', 'true' );
        }
 
        $response->setHeader( 'Access-Control-Allow-Origin', $allowedOrigin );
 
        return $response;
    }
 
    public function createPreflightResponse( array $allowedMethods ): Response {
        $response = $this->responseFactory->createNoContent();
        $response->setHeader( 'Access-Control-Allow-Methods', $allowedMethods );
 
        $allowedHeaders = $this->options->get( MainConfigNames::AllowedCorsHeaders );
        $allowedHeaders = array_merge( $allowedHeaders, array_diff( [
            // Authorization header must be explicitly listed which prevent the use of '*'
            'Authorization',
            // REST must allow Content-Type to be operational
            'Content-Type',
            // REST relies on conditional requests for some endpoints
            'If-Match',
            'If-None-Match',
            'If-Modified-Since',
        ], $allowedHeaders ) );
        $response->setHeader( 'Access-Control-Allow-Headers', $allowedHeaders );
 
        return $response;
    }
}