#28561: GraphQL added CORS headers

Author: michalderlatka

app/code/Magento/GraphQl/Controller/HttpResponse/Cors/CorsAllowCredentialsHeaderProvider.php

@@ -0,0 +1,38 @@
+<?php
+
+namespace Magento\GraphQl\Controller\HttpResponse\Cors;
+
+use Magento\Framework\App\Response\HeaderProvider\HeaderProviderInterface;
+use Magento\GraphQl\Model\Cors\ConfigurationInterface;
+
+class CorsAllowCredentialsHeaderProvider implements HeaderProviderInterface
+{
+    protected $headerName = 'Access-Control-Allow-Credentials';
+
+    /**
+     * CORS configuration provider
+     *
+     * @var \Magento\GraphQl\Model\Cors\ConfigurationInterface
+     */
+    private $corsConfiguration;
+
+    public function __construct(ConfigurationInterface $corsConfiguration)
+    {
+        $this->corsConfiguration = $corsConfiguration;
+    }
+
+    public function getName()
+    {
+        return $this->headerName;
+    }
+
+    public function getValue()
+    {
+        return true;
+    }
+
+    public function canApply() : bool
+    {
+        return $this->corsConfiguration->isEnabled() && $this->corsConfiguration->isCredentialsAllowed();
+    }
+}

app/code/Magento/GraphQl/Controller/HttpResponse/Cors/CorsAllowHeadersHeaderProvider.php

@@ -0,0 +1,43 @@
+<?php
+
+
+namespace Magento\GraphQl\Controller\HttpResponse\Cors;
+
+use Magento\Framework\App\Response\HeaderProvider\HeaderProviderInterface;
+use Magento\GraphQl\Model\Cors\ConfigurationInterface;
+
+class CorsAllowHeadersHeaderProvider implements HeaderProviderInterface
+{
+    protected $headerName = 'Access-Control-Allow-Headers';
+
+    protected $headerValue = '';
+
+    /**
+     * CORS configuration provider
+     *
+     * @var \Magento\GraphQl\Model\Cors\ConfigurationInterface
+     */
+    private $corsConfiguration;
+
+    public function __construct(ConfigurationInterface $corsConfiguration)
+    {
+        $this->corsConfiguration = $corsConfiguration;
+    }
+
+    public function getName()
+    {
+        return $this->headerName;
+    }
+
+    public function canApply() : bool
+    {
+        return $this->corsConfiguration->isEnabled() && $this->getValue();
+    }
+
+    public function getValue()
+    {
+        return $this->corsConfiguration->getAllowedHeaders()
+            ? $this->corsConfiguration->getAllowedHeaders()
+            : $this->headerValue;
+    }
+}

app/code/Magento/GraphQl/Controller/HttpResponse/Cors/CorsAllowMethodsHeaderProvider.php

@@ -0,0 +1,44 @@
+<?php
+
+
+namespace Magento\GraphQl\Controller\HttpResponse\Cors;
+
+
+use Magento\Framework\App\Response\HeaderProvider\HeaderProviderInterface;
+use Magento\GraphQl\Model\Cors\ConfigurationInterface;
+
+class CorsAllowMethodsHeaderProvider implements HeaderProviderInterface
+{
+    protected $headerName = 'Access-Control-Allow-Methods';
+
+    protected $headerValue = 'GET,POST,OPTIONS';
+
+    /**
+     * CORS configuration provider
+     *
+     * @var \Magento\GraphQl\Model\Cors\ConfigurationInterface
+     */
+    private $corsConfiguration;
+
+    public function __construct(ConfigurationInterface $corsConfiguration)
+    {
+        $this->corsConfiguration = $corsConfiguration;
+    }
+
+    public function getName()
+    {
+        return $this->headerName;
+    }
+
+    public function canApply() : bool
+    {
+        return $this->corsConfiguration->isEnabled() && $this->getValue();
+    }
+
+    public function getValue()
+    {
+        return $this->corsConfiguration->getAllowedMethods()
+            ? $this->corsConfiguration->getAllowedMethods()
+            : $this->headerValue;
+    }
+}

app/code/Magento/GraphQl/Controller/HttpResponse/Cors/CorsAllowOriginHeaderProvider.php

@@ -0,0 +1,39 @@
+<?php
+
+
+namespace Magento\GraphQl\Controller\HttpResponse\Cors;
+
+use Magento\Framework\App\Response\HeaderProvider\HeaderProviderInterface;
+use Magento\GraphQl\Model\Cors\ConfigurationInterface;
+
+class CorsAllowOriginHeaderProvider implements HeaderProviderInterface
+{
+    protected $headerName = 'Access-Control-Allow-Origin';
+
+    /**
+     * CORS configuration provider
+     *
+     * @var \Magento\GraphQl\Model\Cors\ConfigurationInterface
+     */
+    private $corsConfiguration;
+
+    public function __construct(ConfigurationInterface $corsConfiguration)
+    {
+        $this->corsConfiguration = $corsConfiguration;
+    }
+
+    public function getName()
+    {
+        return $this->headerName;
+    }
+
+    public function canApply() : bool
+    {
+        return $this->corsConfiguration->isEnabled() && $this->getValue();
+    }
+
+    public function getValue()
+    {
+        return $this->corsConfiguration->getAllowedOrigins();
+    }
+}

app/code/Magento/GraphQl/Controller/HttpResponse/Cors/CorsMaxAgeHeaderProvider.php

@@ -0,0 +1,44 @@
+<?php
+
+
+namespace Magento\GraphQl\Controller\HttpResponse\Cors;
+
+
+use Magento\Framework\App\Response\HeaderProvider\HeaderProviderInterface;
+use Magento\GraphQl\Model\Cors\ConfigurationInterface;
+
+class CorsMaxAgeHeaderProvider implements HeaderProviderInterface
+{
+    protected $headerName = 'Access-Control-Max-Age';
+
+    protected $headerValue = '86400';
+
+    /**
+     * CORS configuration provider
+     *
+     * @var \Magento\GraphQl\Model\Cors\ConfigurationInterface
+     */
+    private $corsConfiguration;
+
+    public function __construct(ConfigurationInterface $corsConfiguration)
+    {
+        $this->corsConfiguration = $corsConfiguration;
+    }
+
+    public function getName()
+    {
+        return $this->headerName;
+    }
+
+    public function canApply()
+    {
+        return $this->corsConfiguration->isEnabled() && $this->getValue();
+    }
+
+    public function getValue()
+    {
+        return $this->corsConfiguration->getMaxAge()
+            ? $this->corsConfiguration->getMaxAge()
+            : $this->headerValue;
+    }
+}

app/code/Magento/GraphQl/Model/Cors/Configuration.php

@@ -0,0 +1,58 @@
+<?php
+
+
+namespace Magento\GraphQl\Model\Cors;
+
+
+use Magento\Framework\App\Config\ScopeConfigInterface;
+
+class Configuration implements ConfigurationInterface
+{
+    const XML_PATH_CORS_HEADERS_ENABLED = 'graphql/cors/enabled';
+    const XML_PATH_CORS_ALLOWED_ORIGINS = 'graphql/cors/allowed_origins';
+    const XML_PATH_CORS_ALLOWED_HEADERS = 'graphql/cors/allowed_headers';
+    const XML_PATH_CORS_ALLOWED_METHODS = 'graphql/cors/allowed_methods';
+    const XML_PATH_CORS_MAX_AGE = 'graphql/cors/max_age';
+    const XML_PATH_CORS_ALLOW_CREDENTIALS = 'graphql/cors/allow_credentials';
+
+    /**
+     * @var ScopeConfigInterface
+     */
+    protected $scopeConfig;
+
+    public function __construct(ScopeConfigInterface $scopeConfig)
+    {
+        $this->scopeConfig = $scopeConfig;
+    }
+
+    public function isEnabled(): bool
+    {
+        return $this->scopeConfig->isSetFlag(self::XML_PATH_CORS_HEADERS_ENABLED);
+    }
+
+    public function getAllowedOrigins(): ?string
+    {
+        return $this->scopeConfig->getValue(self::XML_PATH_CORS_ALLOWED_ORIGINS);
+    }
+
+    public function getAllowedHeaders(): ?string
+    {
+        return $this->scopeConfig->getValue(self::XML_PATH_CORS_ALLOWED_HEADERS);
+    }
+
+    public function getAllowedMethods(): ?string
+    {
+        return $this->scopeConfig->getValue(self::XML_PATH_CORS_ALLOWED_METHODS);
+    }
+
+    public function getMaxAge(): int
+    {
+        return $this->scopeConfig->getValue(self::XML_PATH_CORS_MAX_AGE);
+    }
+
+    public function isCredentialsAllowed(): bool
+    {
+        return $this->scopeConfig->isSetFlag(self::XML_PATH_CORS_ALLOW_CREDENTIALS);
+    }
+
+}

app/code/Magento/GraphQl/Model/Cors/ConfigurationInterface.php

@@ -0,0 +1,20 @@
+<?php
+
+
+namespace Magento\GraphQl\Model\Cors;
+
+
+interface ConfigurationInterface
+{
+    public function isEnabled() : bool;
+
+    public function getAllowedOrigins() : ?string;
+
+    public function getAllowedHeaders() : ?string;
+
+    public function getAllowedMethods() : ?string;
+
+    public function getMaxAge() : int;
+
+    public function isCredentialsAllowed() : bool;
+}

app/code/Magento/GraphQl/etc/adminhtml/system.xml

@@ -0,0 +1,59 @@
+<?xml version="1.0"?>
+<!--
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+-->
+<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Config:etc/system_file.xsd">
+    <system>
+        <section id="graphql" translate="label" type="text" sortOrder="300" showInDefault="1" showInWebsite="1" showInStore="1">
+            <label>GraphQL</label>
+            <tab>service</tab>
+            <resource>Magento_Integration::config_oauth</resource>
+            <group id="cors" translate="label" type="text" sortOrder="60" showInDefault="1" showInWebsite="1">
+                <label>CORS Settings</label>
+                <field id="enabled" translate="label" type="select" sortOrder="1" showInDefault="1" canRestore="1">
+                    <label>CORS Headers Enabled</label>
+                    <source_model>Magento\Config\Model\Config\Source\Yesno</source_model>
+                </field>
+
+                <field id="allowed_origins" translate="label" type="text" sortOrder="10" showInDefault="1" canRestore="1">
+                    <label>Allowed origins</label>
+                    <depends>
+                        <field id="graphql/cors/enabled">1</field>
+                    </depends>
+                </field>
+
+                <field id="allowed_methods" translate="label" type="text" sortOrder="20" showInDefault="1" canRestore="1">
+                    <label>Allowed methods</label>
+                    <depends>
+                        <field id="graphql/cors/enabled">1</field>
+                    </depends>
+                </field>
+
+                <field id="allowed_headers" translate="label" type="text" sortOrder="30" showInDefault="1" canRestore="1">
+                    <label>Allowed headers</label>
+                    <depends>
+                        <field id="graphql/cors/enabled">1</field>
+                    </depends>
+                </field>
+
+                <field id="max_age" translate="label" type="text" sortOrder="40" showInDefault="1" canRestore="1">
+                    <label>Max Age</label>
+                    <depends>
+                        <field id="graphql/cors/enabled">1</field>
+                    </depends>
+                </field>
+
+                <field id="allow_credentials" translate="label" type="select" sortOrder="50" showInDefault="1" canRestore="1">
+                    <label>Credentials Allowed</label>
+                    <source_model>Magento\Config\Model\Config\Source\Yesno</source_model>
+                    <depends>
+                        <field id="graphql/cors/enabled">1</field>
+                    </depends>
+                </field>
+            </group>
+        </section>
+    </system>
+</config>

app/code/Magento/GraphQl/etc/config.xml

@@ -0,0 +1,16 @@
+<?xml version="1.0"?>
+<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Store:etc/config.xsd">
+    <default>
+        <graphql>
+            <cors>
+                <enabled>0</enabled>
+                <allowed_origins></allowed_origins>
+                <allowed_methods></allowed_methods>
+                <allowed_headers></allowed_headers>
+                <max_age>86400</max_age>
+                <allow_credentials>0</allow_credentials>
+            </cors>
+        </graphql>
+    </default>
+</config>

app/code/Magento/GraphQl/etc/di.xml

@@ -98,4 +98,6 @@
             <argument name="queryComplexity" xsi:type="number">300</argument>
         </arguments>
     </type>
+
+    <preference for="Magento\GraphQl\Model\Cors\ConfigurationInterface" type="Magento\GraphQl\Model\Cors\Configuration" />
 </config>