From 4acbed15f248cb16dc915da697f18e61c5a00b45 Mon Sep 17 00:00:00 2001
From: flashwave
Date: Tue, 14 Jan 2025 04:10:32 +0000
Subject: [PATCH] Attempt CORS fixes.

---
 src/EEPROMContext.php | 2 +-
 src/RoutingContext.php | 20 ++++++++++++++++++--
 src/Uploads/UploadsLegacyRoutes.php | 9 ---------
 src/Uploads/UploadsViewRoutes.php | 3 ---
 4 files changed, 19 insertions(+), 15 deletions(-)

diff --git a/src/EEPROMContext.php b/src/EEPROMContext.php
index 2eb61cb..6fd662b 100644
--- a/src/EEPROMContext.php
+++ b/src/EEPROMContext.php
@@ -36,7 +36,7 @@ class EEPROMContext {
     }
     public function createRouting(bool $isApiDomain): RoutingContext {
-        $routingCtx = new RoutingContext;
+        $routingCtx = new RoutingContext($this->config->scopeTo('cors'));
         $routingCtx->register($this->database);
         $routingCtx->register($uploadsViewsRoutes = new Uploads\UploadsViewRoutes(
diff --git a/src/RoutingContext.php b/src/RoutingContext.php
index 86069b5..5b0048a 100644
--- a/src/RoutingContext.php
+++ b/src/RoutingContext.php
@@ -8,7 +8,7 @@ use Index\Http\Routing\{HttpRouter,Router,RouteHandler};
 class RoutingContext {
     private HttpRouter $router;
-    public function __construct() {
+    public function __construct(private Config $config) {
         $this->router = new HttpRouter(
             errorHandler: new EEPROMErrorHandler,
         );
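Review bot: The promoted `private Config $config` parameter relies on a `Config` type that is not among the imports visible in this hunk (only `Index\Http\Routing\{HttpRouter,Router,RouteHandler}` is shown), so confirm a matching `use` statement or same-namespace class exists before merging. Since the middleware later reads `origins` from this object, the parameter's contract deserves a docblock such as `/** @param Config $config the 'cors' configuration scope; expected to provide the 'origins' array of domains allowed credentialed access */`. The constructor body continues past the end of the hunk.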
@@ -17,7 +17,23 @@ class RoutingContext {
     private function middleware($response, $request) {
         $response->setPoweredBy('EEPROM');
-        $response->setHeader('Access-Control-Allow-Origin', '*');
+
+        if($request->hasHeader('Origin')) {
+            $origin = $request->getHeaderLine('Origin');
+            $response->setHeader('Access-Control-Allow-Origin', $origin);
+            $response->setHeader('Vary', 'Origin');
+            $host = parse_url($origin, PHP_URL_HOST);
+            if(is_string($host)) {
+                $host = '.' . $host;
+                $allowCookieOrigins = $this->config->getArray('origins');
+                foreach($allowCookieOrigins as $allowCookieOrigin)
+                    if(str_ends_with($host, '.' . $allowCookieOrigin)) {
+                        $response->setHeader('Access-Control-Allow-Credentials', 'true');
+                        break;
+                    }
+            }
+        } else
+            $response->setHeader('Access-Control-Allow-Origin', '*');
     }
     public function getRouter(): Router {
diff --git a/src/Uploads/UploadsLegacyRoutes.php b/src/Uploads/UploadsLegacyRoutes.php
index b425d62..104fc40 100644
--- a/src/Uploads/UploadsLegacyRoutes.php
+++ b/src/Uploads/UploadsLegacyRoutes.php
@@ -22,9 +22,6 @@ class UploadsLegacyRoutes implements RouteHandler {
     #[HttpOptions('/uploads')]
     public function optionsUpload($response, $request): int {
-        if($request->hasHeader('Origin'))
-            $response->setHeader('Access-Control-Allow-Credentials', 'true');
-
         $response->setHeader('Access-Control-Allow-Headers', 'Authorization');
         $response->setHeader('Access-Control-Allow-Methods', 'POST');
@@ -33,9 +30,6 @@ class UploadsLegacyRoutes implements RouteHandler {
     #[HttpPost('/uploads')]
     public function postUpload($response, $request) {
-        if($request->hasHeader('Origin'))
-            $response->setHeader('Access-Control-Allow-Credentials', 'true');
-
         if(!$request->isFormContent())
             return 400;
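Review bot: `Vary: Origin` is set only inside the Origin branch, so a shared cache that stored the no-Origin `*` response can replay it to a request from an allow-listed origin, which then arrives without `Access-Control-Allow-Credentials` (and the reverse); emitting it before the branch covers both cases, and it is worth confirming whether `setHeader` replaces an existing `Vary` value in this framework rather than appending to it. The suffix match is case-sensitive while hostnames are not, so a mixed-case entry in `origins` never matches — lower-case both sides before comparing. The credentials decision inspects only the host, so an `http://` origin under an allowed parent domain is granted credentials exactly like its `https://` counterpart; if the allowed sites are HTTPS-only, additionally requiring `parse_url($origin, PHP_URL_SCHEME) === 'https'` would narrow this. The reworked body below also flattens the nesting with early returns.
```php
    private function middleware($response, $request) {
        $response->setPoweredBy('EEPROM');
        // Sent on both branches so a cache never reuses one origin's response for another.
        $response->setHeader('Vary', 'Origin');

        if(!$request->hasHeader('Origin')) {
            $response->setHeader('Access-Control-Allow-Origin', '*');
            return;
        }

        $origin = $request->getHeaderLine('Origin');
        $response->setHeader('Access-Control-Allow-Origin', $origin);

        $host = parse_url($origin, PHP_URL_HOST);
        if(!is_string($host))
            return;

        // Hostnames are case-insensitive; the leading dot makes this a whole-label suffix match.
        $host = '.' . strtolower($host);
        foreach($this->config->getArray('origins') as $allowCookieOrigin)
            if(str_ends_with($host, '.' . strtolower($allowCookieOrigin))) {
                $response->setHeader('Access-Control-Allow-Credentials', 'true');
                break;
            }
    }
```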
@@ -195,9 +189,6 @@ class UploadsLegacyRoutes implements RouteHandler {
     #[HttpDelete('/uploads/([A-Za-z0-9]+|[A-Za-z0-9\-_]{32})')]
     public function deleteUpload($response, $request, string $uploadId) {
-        if($request->hasHeader('Origin'))
-            $response->setHeader('Access-Control-Allow-Credentials', 'true');
-
         if(!$this->authCtx->info->authed) {
             $response->setStatusCode(401);
             return [
diff --git a/src/Uploads/UploadsViewRoutes.php b/src/Uploads/UploadsViewRoutes.php
index 7efb2b5..c77e739 100644
--- a/src/Uploads/UploadsViewRoutes.php
+++ b/src/Uploads/UploadsViewRoutes.php
@@ -28,9 +28,6 @@ class UploadsViewRoutes implements RouteHandler {
     #[HttpOptions('/([A-Za-z0-9]+|[A-Za-z0-9\-_]{32})(?:\.([a-z0-9]+))?')]
     public function optionsUpload($response, $request, string $uploadId, string $uploadVariant = ''): int {
         if($this->isApiDomain && $uploadVariant === '') {
-            if($request->hasHeader('Origin'))
-                $response->setHeader('Access-Control-Allow-Credentials', 'true');
-
             $response->setHeader('Access-Control-Allow-Headers', 'Authorization, Content-Type, Content-Length');
             $response->setHeader('Access-Control-Allow-Methods', 'HEAD, GET, PUT, DELETE');
             $response->setHeader('Access-Control-Max-Age', '300');