From 24d67f56d8514f2857ffae9e1c3507fb64b09b58 Mon Sep 17 00:00:00 2001
From: Roland Schneider
Date: Fri, 25 Feb 2022 22:59:01 +0100
Subject: [PATCH] add cors filter for mobileapi
---
 common/manager/MobileDeviceManager.php | 8 +--
 docker/service/ub-php/000-default.conf | 14 ++--
 mobileapi/components/ActivatedFilter.php | 5 +-
 mobileapi/components/CorsFilter.php | 89 ++++++++++++++++++++++++
 mobileapi/controllers/RestController.php | 8 ++-
 5 files changed, 109 insertions(+), 15 deletions(-)
 create mode 100644 mobileapi/components/CorsFilter.php
diff --git a/common/manager/MobileDeviceManager.php b/common/manager/MobileDeviceManager.php
index 28a8069..38743a3 100644
--- a/common/manager/MobileDeviceManager.php
+++ b/common/manager/MobileDeviceManager.php
@@ -53,10 +53,10 @@ class MobileDeviceManager extends BaseObject
 throw new NotFoundHttpException();
 }
- if (
- in_array($device->status, [MobileDevice::STATUS_ACTIVE, MobileDevice::STATUS_INACTIVE], true) === false ){
- throw new NotFoundHttpException();
- }
+// if (
+// in_array($device->status, [MobileDevice::STATUS_ACTIVE, MobileDevice::STATUS_INACTIVE], true) === false ){
+// throw new NotFoundHttpException();
+// }
 return $device;
diff --git a/docker/service/ub-php/000-default.conf b/docker/service/ub-php/000-default.conf
index da2537a..62dbceb 100644
--- a/docker/service/ub-php/000-default.conf
+++ b/docker/service/ub-php/000-default.conf
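Review bot: Commenting out the status check means the method now returns the device whatever its `status` holds, so a caller that relied on the 404 for a device outside ACTIVE/INACTIVE loses that guard; the enclosing method starts and ends outside the hunk, so I cannot see whether another check covers it. If the gate is meant to go, delete the four commented lines instead of leaving dead code; if it is a temporary measure, say so next to it, e.g. `// NOTE: status gate disabled on purpose, see <ticket placeholder>; callers must check status themselves`. Either way the commit message should mention that the restriction was lifted, since it is unrelated to the CORS change in the title.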
@@ -28,15 +28,15 @@
 #Include conf-available/serve-cgi-bin.conf
 # Always set these headers.
- Header always set Access-Control-Allow-Origin "*"
- Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
- Header always set Access-Control-Max-Age "1000"
- Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
+ # Header always set Access-Control-Allow-Origin "*"
+ # Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
+ # Header always set Access-Control-Max-Age "1000"
+ #Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
 # Added a rewrite to respond with a 200 SUCCESS on every OPTIONS request.
- RewriteEngine On
- RewriteCond %{REQUEST_METHOD} OPTIONS
- RewriteRule ^(.*)$ $1 [R=200,L]
+ # RewriteEngine On
+ # RewriteCond %{REQUEST_METHOD} OPTIONS
+ # RewriteRule ^(.*)$ $1 [R=200,L]
diff --git a/mobileapi/components/ActivatedFilter.php b/mobileapi/components/ActivatedFilter.php
index 18c0f05..2a8afb5 100644
--- a/mobileapi/components/ActivatedFilter.php
+++ b/mobileapi/components/ActivatedFilter.php
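Review bot: The wildcard CORS block and the catch-all OPTIONS rewrite are commented out rather than removed, which leaves a one-keystroke path back to `Access-Control-Allow-Origin "*"` while the PHP side now reflects a specific origin with `Access-Control-Allow-Credentials: true`; a re-enabled `Header always set` would also override whatever the filter sets. Delete the commented lines and leave a pointer instead, e.g. `# CORS headers and preflight handling are done by mobileapi\components\CorsFilter`. Also check whether any other RewriteRule in this vhost depended on the now-commented `RewriteEngine On`; the rest of the file is outside the hunk.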
@@ -31,15 +31,16 @@ class ActivatedFilter extends ActionFilter
 // get the device
 /** @var MobileDevice $mobileDevice */
 $mobileDevice = \Yii::$app->user->getIdentity();
+ $deviceId = null;
 if (isset($mobileDevice)) {
+ $deviceId = $mobileDevice->id;
 $idCard = $mobileDevice->id_card;
 // find out if the device is activated
 $activated = $mobileDevice->status === MobileDevice::STATUS_ACTIVE;
 }
- // if device is not activated, throw exception with http status 412
 if ($activated === false) {
- throw new HttpException( HttpStatus::PRECONDITION_FAILED,"Device is not activated: " . $mobileDevice->id);
+ throw new HttpException( HttpStatus::PRECONDITION_FAILED,"Device is not activated: " . $deviceId);
 }
 } catch (HttpException $e) {
 if ($e->statusCode === HttpStatus::PRECONDITION_FAILED && $this->isOptional($action)) {
diff --git a/mobileapi/components/CorsFilter.php b/mobileapi/components/CorsFilter.php
new file mode 100644
index 0000000..48330b5
--- /dev/null
+++ b/mobileapi/components/CorsFilter.php
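Review bot: The `$deviceId` guard only fixes the exception text; if `$activated` is not initialised to `false` above the hunk (the start of the try block is outside it), a request with no identity leaves `$activated` unset, `$activated === false` is then false, and the filter lets the action run instead of throwing 412. If that is the case, add `$activated = false;` before `$mobileDevice = \Yii::$app->user->getIdentity();`, or make the condition `if ($activated !== true) {` so the unset case fails closed. `$idCard` is assigned but nothing visible in the hunk reads it; worth confirming it is used further down.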
@@ -0,0 +1,89 @@
+isSkip($action)){
+ return true;
+ }
+ $this->request = \Yii::$app->getRequest();
+ $this->response = \Yii::$app->getResponse();
+ $origin = $this->request->headers->get('origin');
+ \Yii::error("origin", $origin);
+
+ $isOriginAllowed = array_search($origin, $this->allowedOrigins, true);
+ if ($isOriginAllowed >= 0) {
+ $this->response->headers->set(
+ 'Access-Control-Allow-Origin', $origin
+ );
+
+ $headers = [
+ 'Access-Control-Allow-Headers' => 'Content-Type, content-type, Authorization, Origin',
+ 'Access-Control-Allow-Credentials' => true,
+ ];
+ foreach ($headers as $headerName => $headerValue ){
+ if ( $headerValue === true ){
+ $headerValue = 'true';
+ } else if ( $headerValue === false ){
+ $headerValue = 'false';
+ }
+ $this->response->headers->set(
+ $headerName, $headerValue
+ );
+ }
+ }
+
+ if ($this->request->isOptions && $this->request->headers->has('Access-Control-Request-Method')) {
+ // it is CORS preflight request, respond with 200 OK without further processing
+ $this->response->setStatusCode(200);
+ return false;
+ }
+ return true;
+ }
+
+ /**
+ * Checks, whether filter must be skipped for the given action.
+ *
+ * @param Action $action action to be checked.
+ * @return bool whether filter must be skipped.
+ * @see optional
+ * @since 2.0.7
+ */
+ protected function isSkip($action)
+ {
+ $id = $this->getActionId($action);
+ foreach ($this->skip as $pattern) {
+ if (StringHelper::matchWildcard($pattern, $id)) {
+ return true;
+ }
+ }
+
+ return false;
+ }
+
+
+}
diff --git a/mobileapi/controllers/RestController.php b/mobileapi/controllers/RestController.php
index a440e1e..a70bdbd 100644
--- a/mobileapi/controllers/RestController.php
+++ b/mobileapi/controllers/RestController.php
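Review bot: `if ($isOriginAllowed >= 0)` is true for every origin, because `array_search` returns `false` when the origin is not in `allowedOrigins` and `false >= 0` evaluates to true in PHP, so the filter reflects any `Origin` back in `Access-Control-Allow-Origin` together with `Access-Control-Allow-Credentials: true`, which lets any site make credentialed cross-origin calls to the API. Replace it with `if ($origin !== null && in_array($origin, $this->allowedOrigins, true)) {` and, since the response then varies per origin, add `$this->response->headers->set('Vary', 'Origin');` so a cache does not serve one origin's response to another. `\Yii::error("origin", $origin)` has its arguments swapped (the origin value becomes the log category) and writes an error-level entry on every request; drop it or use a debug-level call with the origin in the message. The `Access-Control-Allow-Headers` value lists `Content-Type` twice (header names are case-insensitive) and the preflight branch sends no `Access-Control-Allow-Methods`, so non-simple methods will still fail preflight. The beginning of the class (properties, the `beforeAction` signature) is missing from this rendering of the hunk, so the defaults of `allowedOrigins` and `skip` could not be checked.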
@@ -2,12 +2,11 @@
 namespace mobileapi\controllers;
-
-use common\models\Customer;
 use common\models\MobileDevice;
 use Exception;
 use Lcobucci\JWT\Token;
 use mobileapi\components\ActivatedFilter;
+use mobileapi\components\CorsFilter;
 use sizeg\jwt\JwtHttpBearerAuth;
 use Yii;
 use yii\filters\auth\AuthMethod;
@@ -28,6 +27,11 @@ class RestController extends Controller
 'class' => ActivatedFilter::class,
 'optional' => $this->getOptionalActivatedActions()
 ];
+
+ $behaviors = array_merge([ 'cors' => [
+ 'class' => CorsFilter::class
+ ]], $behaviors) ;
+
 return $behaviors;
 }
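Review bot: The filter is attached with no `allowedOrigins`, so the effective allow-list is whatever default the component declares, which this diff does not show; set it explicitly here, e.g. `'class' => CorsFilter::class, 'allowedOrigins' => [/* exact scheme://host[:port] values, placeholder */],`, preferably read from environment-specific config rather than hard-coded in the controller. Prepending with `array_merge` does put `cors` ahead of the JWT authenticator so preflights are not rejected, but if `$behaviors` already carries a `cors` key (from the parent, not visible here) that entry wins; `$behaviors = ['cors' => [...]] + $behaviors;` keeps the same order with the new entry taking precedence, if that is the intent. Style-wise, `$behaviors) ;` has a stray space before the semicolon and `[ 'cors' => [` is spaced unlike the surrounding arrays; matching the `'activated'` block above would read more consistently.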