<?php
// Hoplite
// Copyright (c) 2017 Blue Static
//
// This program is free software: you can redistribute it and/or modify it
// under the terms of the GNU General Public License as published by the Free
// Software Foundation, either version 3 of the License, or any later version.
//
// This program is distributed in the hope that it will be useful, but WITHOUT
// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
// FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
// more details.
//
// You should have received a copy of the GNU General Public License along with
// this program.  If not, see <http://www.gnu.org/licenses/>.

namespace hoplite\http;

require_once HOPLITE_ROOT . '/http/interceptor.php';
require_once HOPLITE_ROOT . '/http/response_code.php';

class CorsOptionsInterceptor implements Interceptor
{
  private $allowed_origins = [];

  public function __construct($allowed_origins = []) {
    $this->allowed_origins = $allowed_origins;
  }

  public function DoIntercept(FrontController $controller,
                              Action $action = NULL,
                              Request $request,
                              Response $response)
  {
    if ($action === NULL) {
      return;
    }

    // If a CORS pre-flight is in process, interrupt the action flow and
    // permit the request.
    if ($request->http_method == 'OPTIONS' &&
        isset($request->data['_SERVER']['HTTP_ACCESS_CONTROL_REQUEST_METHOD'])) {
      if (in_array($request->data['_SERVER']['HTTP_ORIGIN'], $this->allowed_origins)) {
        $controller->SendResponseCode(ResponseCode::OK);
      } else {
        $controller->SendResponseCode(ResponseCode::FORBIDDEN);
        return;
      }
    }
  }
}