From 93e85e14f3b30d033324277751a9ba4c655b4399 Mon Sep 17 00:00:00 2001
From: Robert Sesek <rsesek@bluestatic.org>
Date: Sun, 19 Nov 2017 00:00:08 -0500
Subject: [PATCH] Add an interceptor for CORS OPTIONS preflighting.

---
 http/cors_options_interceptor.php | 51 +++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 http/cors_options_interceptor.php

diff --git a/http/cors_options_interceptor.php b/http/cors_options_interceptor.php
new file mode 100644
index 0000000..6b3d899
--- /dev/null
+++ b/http/cors_options_interceptor.php
@@ -0,0 +1,51 @@
+<?php
+// Hoplite
+// Copyright (c) 2017 Blue Static
+//
+// This program is free software: you can redistribute it and/or modify it
+// under the terms of the GNU General Public License as published by the Free
+// Software Foundation, either version 3 of the License, or any later version.
+//
+// This program is distributed in the hope that it will be useful, but WITHOUT
+// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+// FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+// more details.
+//
+// You should have received a copy of the GNU General Public License along with
+// this program.  If not, see <http://www.gnu.org/licenses/>.
+
+namespace hoplite\http;
+
+require_once HOPLITE_ROOT . '/http/interceptor.php';
+require_once HOPLITE_ROOT . '/http/response_code.php';
+
+class CorsOptionsInterceptor implements Interceptor
+{
+  private $allowed_origins = [];
+
+  public function __construct($allowed_origins = []) {
+    $this->allowed_origins = $allowed_origins;
+  }
+
+  public function DoIntercept(FrontController $controller,
+                              Action $action = NULL,
+                              Request $request,
+                              Response $response)
+  {
+    if ($action === NULL) {
+      return;
+    }
+
+    // If a CORS pre-flight is in process, interrupt the action flow and
+    // permit the request.
+    if ($request->http_method == 'OPTIONS' &&
+        isset($request->data['_SERVER']['HTTP_ACCESS_CONTROL_REQUEST_METHOD'])) {
+      if (in_array($request->data['_SERVER']['HTTP_ORIGIN'], $this->allowed_origins)) {
+        $controller->SendResponseCode(ResponseCode::OK);
+      } else {
+        $controller->SendResponseCode(ResponseCode::FORBIDDEN);
+        return;
+      }
+    }
+  }
+}
-- 
2.22.5