#28561: GraphQL added CORS headers

Author: michalderlatka

app/code/Magento/GraphQl/Controller/HttpResponse/Cors/CorsAllowCredentialsHeaderProvider.php

@@ -1,13 +1,21 @@
 <?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
 
 namespace Magento\GraphQl\Controller\HttpResponse\Cors;
 
 use Magento\Framework\App\Response\HeaderProvider\HeaderProviderInterface;
 use Magento\GraphQl\Model\Cors\ConfigurationInterface;
 
+/**
+ * Provides value for Access-Control-Allow-Credentials header if CORS is enabled
+ */
 class CorsAllowCredentialsHeaderProvider implements HeaderProviderInterface
 {
-    protected $headerName = 'Access-Control-Allow-Credentials';
+    private $headerName;
 
     /**
      * CORS configuration provider
@@ -16,9 +24,12 @@ class CorsAllowCredentialsHeaderProvider implements HeaderProviderInterface
      */
     private $corsConfiguration;
 
-    public function __construct(ConfigurationInterface $corsConfiguration)
-    {
+    public function __construct(
+        ConfigurationInterface $corsConfiguration,
+        string $headerName
+    ) {
         $this->corsConfiguration = $corsConfiguration;
+        $this->headerName = $headerName;
     }
 
     public function getName()

app/code/Magento/GraphQl/Controller/HttpResponse/Cors/CorsAllowHeadersHeaderProvider.php

@@ -1,16 +1,21 @@
 <?php
-
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
 
 namespace Magento\GraphQl\Controller\HttpResponse\Cors;
 
 use Magento\Framework\App\Response\HeaderProvider\HeaderProviderInterface;
 use Magento\GraphQl\Model\Cors\ConfigurationInterface;
 
+/**
+ * Provides value for Access-Control-Allow-Headers header if CORS is enabled
+ */
 class CorsAllowHeadersHeaderProvider implements HeaderProviderInterface
 {
-    protected $headerName = 'Access-Control-Allow-Headers';
-
-    protected $headerValue = '';
+    private $headerName;
 
     /**
      * CORS configuration provider
@@ -19,9 +24,12 @@ class CorsAllowHeadersHeaderProvider implements HeaderProviderInterface
      */
     private $corsConfiguration;
 
-    public function __construct(ConfigurationInterface $corsConfiguration)
-    {
+    public function __construct(
+        ConfigurationInterface $corsConfiguration,
+        string $headerName
+    ) {
         $this->corsConfiguration = $corsConfiguration;
+        $this->headerName = $headerName;
     }
 
     public function getName()
@@ -36,8 +44,6 @@ public function canApply() : bool
 
     public function getValue()
     {
-        return $this->corsConfiguration->getAllowedHeaders()
-            ? $this->corsConfiguration->getAllowedHeaders()
-            : $this->headerValue;
+        return $this->corsConfiguration->getAllowedHeaders();
     }
 }

app/code/Magento/GraphQl/Controller/HttpResponse/Cors/CorsAllowMethodsHeaderProvider.php

@@ -1,17 +1,21 @@
 <?php
-
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
 
 namespace Magento\GraphQl\Controller\HttpResponse\Cors;
 
-
 use Magento\Framework\App\Response\HeaderProvider\HeaderProviderInterface;
 use Magento\GraphQl\Model\Cors\ConfigurationInterface;
 
+/**
+ * Provides value for Access-Control-Allow-Methods header if CORS is enabled
+ */
 class CorsAllowMethodsHeaderProvider implements HeaderProviderInterface
 {
-    protected $headerName = 'Access-Control-Allow-Methods';
-
-    protected $headerValue = 'GET,POST,OPTIONS';
+    private $headerName;
 
     /**
      * CORS configuration provider
@@ -20,9 +24,12 @@ class CorsAllowMethodsHeaderProvider implements HeaderProviderInterface
      */
     private $corsConfiguration;
 
-    public function __construct(ConfigurationInterface $corsConfiguration)
-    {
+    public function __construct(
+        ConfigurationInterface $corsConfiguration,
+        string $headerName
+    ) {
         $this->corsConfiguration = $corsConfiguration;
+        $this->headerName = $headerName;
     }
 
     public function getName()
@@ -37,8 +44,6 @@ public function canApply() : bool
 
     public function getValue()
     {
-        return $this->corsConfiguration->getAllowedMethods()
-            ? $this->corsConfiguration->getAllowedMethods()
-            : $this->headerValue;
+        return $this->corsConfiguration->getAllowedMethods();
     }
 }

app/code/Magento/GraphQl/Controller/HttpResponse/Cors/CorsAllowOriginHeaderProvider.php

@@ -1,14 +1,21 @@
 <?php
-
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
 
 namespace Magento\GraphQl\Controller\HttpResponse\Cors;
 
 use Magento\Framework\App\Response\HeaderProvider\HeaderProviderInterface;
 use Magento\GraphQl\Model\Cors\ConfigurationInterface;
 
+/**
+ * Provides value for Access-Control-Allow-Origin header if CORS is enabled
+ */
 class CorsAllowOriginHeaderProvider implements HeaderProviderInterface
 {
-    protected $headerName = 'Access-Control-Allow-Origin';
+    private $headerName;
 
     /**
      * CORS configuration provider
@@ -17,9 +24,12 @@ class CorsAllowOriginHeaderProvider implements HeaderProviderInterface
      */
     private $corsConfiguration;
 
-    public function __construct(ConfigurationInterface $corsConfiguration)
-    {
+    public function __construct(
+        ConfigurationInterface $corsConfiguration,
+        string $headerName
+    ) {
         $this->corsConfiguration = $corsConfiguration;
+        $this->headerName = $headerName;
     }
 
     public function getName()

app/code/Magento/GraphQl/Controller/HttpResponse/Cors/CorsMaxAgeHeaderProvider.php

@@ -1,17 +1,21 @@
 <?php
-
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
 
 namespace Magento\GraphQl\Controller\HttpResponse\Cors;
 
-
 use Magento\Framework\App\Response\HeaderProvider\HeaderProviderInterface;
 use Magento\GraphQl\Model\Cors\ConfigurationInterface;
 
+/**
+ * Provides value for Access-Control-Max-Age header if CORS is enabled
+ */
 class CorsMaxAgeHeaderProvider implements HeaderProviderInterface
 {
-    protected $headerName = 'Access-Control-Max-Age';
-
-    protected $headerValue = '86400';
+    private $headerName;
 
     /**
      * CORS configuration provider
@@ -20,9 +24,12 @@ class CorsMaxAgeHeaderProvider implements HeaderProviderInterface
      */
     private $corsConfiguration;
 
-    public function __construct(ConfigurationInterface $corsConfiguration)
-    {
+    public function __construct(
+        ConfigurationInterface $corsConfiguration,
+        string $headerName
+    ) {
         $this->corsConfiguration = $corsConfiguration;
+        $this->headerName = $headerName;
     }
 
     public function getName()
@@ -37,8 +44,6 @@ public function canApply()
 
     public function getValue()
     {
-        return $this->corsConfiguration->getMaxAge()
-            ? $this->corsConfiguration->getMaxAge()
-            : $this->headerValue;
+        return $this->corsConfiguration->getMaxAge();
     }
 }

app/code/Magento/GraphQl/Model/Cors/Configuration.php

@@ -1,11 +1,17 @@
 <?php
-
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
 
 namespace Magento\GraphQl\Model\Cors;
 
-
 use Magento\Framework\App\Config\ScopeConfigInterface;
 
+/**
+ * Configuration provider for GraphQL CORS settings
+ */
 class Configuration implements ConfigurationInterface
 {
     const XML_PATH_CORS_HEADERS_ENABLED = 'graphql/cors/enabled';
@@ -47,7 +53,7 @@ public function getAllowedMethods(): ?string
 
     public function getMaxAge(): int
     {
-        return $this->scopeConfig->getValue(self::XML_PATH_CORS_MAX_AGE);
+        return (int) $this->scopeConfig->getValue(self::XML_PATH_CORS_MAX_AGE);
     }
 
     public function isCredentialsAllowed(): bool

app/code/Magento/GraphQl/Model/Cors/ConfigurationInterface.php

@@ -1,9 +1,15 @@
 <?php
-
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
 
 namespace Magento\GraphQl\Model\Cors;
 
-
+/**
+ * Interface for configuration provider for GraphQL CORS settings
+ */
 interface ConfigurationInterface
 {
     public function isEnabled() : bool;

app/code/Magento/GraphQl/etc/adminhtml/system.xml

@@ -20,27 +20,32 @@
 
                 <field id="allowed_origins" translate="label" type="text" sortOrder="10" showInDefault="1" canRestore="1">
                     <label>Allowed origins</label>
+                    <comment>The Access-Control-Allow-Origin response header indicates whether the response can be shared with requesting code from the given origin. Fill this field with one or more origins (comma separated) or use '*' to allow access from all origins.</comment>
                     <depends>
                         <field id="graphql/cors/enabled">1</field>
                     </depends>
                 </field>
 
                 <field id="allowed_methods" translate="label" type="text" sortOrder="20" showInDefault="1" canRestore="1">
                     <label>Allowed methods</label>
+                    <comment>The Access-Control-Allow-Methods response header specifies the method or methods allowed when accessing the resource in response to a preflight request. Use comma separated methods (e.g. GET,POST)</comment>
                     <depends>
                         <field id="graphql/cors/enabled">1</field>
                     </depends>
                 </field>
 
                 <field id="allowed_headers" translate="label" type="text" sortOrder="30" showInDefault="1" canRestore="1">
                     <label>Allowed headers</label>
+                    <comment>The Access-Control-Allow-Headers response header is used in response to a preflight request which includes the Access-Control-Request-Headers to indicate which HTTP headers can be used during the actual request. Use comma separated headers.</comment>
                     <depends>
                         <field id="graphql/cors/enabled">1</field>
                     </depends>
                 </field>
 
                 <field id="max_age" translate="label" type="text" sortOrder="40" showInDefault="1" canRestore="1">
                     <label>Max Age</label>
+                    <validate>validate-digits</validate>
+                    <comment>The Access-Control-Max-Age response header indicates how long the results of a preflight request (that is the information contained in the Access-Control-Allow-Methods and Access-Control-Allow-Headers headers) can be cached.</comment>
                     <depends>
                         <field id="graphql/cors/enabled">1</field>
                     </depends>
@@ -49,6 +54,7 @@
                 <field id="allow_credentials" translate="label" type="select" sortOrder="50" showInDefault="1" canRestore="1">
                     <label>Credentials Allowed</label>
                     <source_model>Magento\Config\Model\Config\Source\Yesno</source_model>
+                    <comment>The Access-Control-Allow-Credentials response header tells browsers whether to expose the response to frontend code when the request's credentials mode is include.</comment>
                     <depends>
                         <field id="graphql/cors/enabled">1</field>
                     </depends>

app/code/Magento/GraphQl/etc/di.xml

@@ -100,4 +100,29 @@
     </type>
 
     <preference for="Magento\GraphQl\Model\Cors\ConfigurationInterface" type="Magento\GraphQl\Model\Cors\Configuration" />
+    <type name="\Magento\GraphQl\Controller\HttpResponse\Cors\CorsMaxAgeHeaderProvider">
+        <arguments>
+            <argument name="headerName" xsi:type="string">Access-Control-Max-Age</argument>
+        </arguments>
+    </type>
+    <type name="\Magento\GraphQl\Controller\HttpResponse\Cors\CorsAllowCredentialsHeaderProvider">
+        <arguments>
+            <argument name="headerName" xsi:type="string">Access-Control-Allow-Credentials</argument>
+        </arguments>
+    </type>
+    <type name="\Magento\GraphQl\Controller\HttpResponse\Cors\CorsAllowHeadersHeaderProvider">
+        <arguments>
+            <argument name="headerName" xsi:type="string">Access-Control-Allow-Headers</argument>
+        </arguments>
+    </type>
+    <type name="\Magento\GraphQl\Controller\HttpResponse\Cors\CorsAllowMethodsHeaderProvider">
+        <arguments>
+            <argument name="headerName" xsi:type="string">Access-Control-Allow-Methods</argument>
+        </arguments>
+    </type>
+    <type name="\Magento\GraphQl\Controller\HttpResponse\Cors\CorsAllowOriginHeaderProvider">
+        <arguments>
+            <argument name="headerName" xsi:type="string">Access-Control-Allow-Origin</argument>
+        </arguments>
+    </type>
 </config>