fix(cors): add preflight option routes for episode, podcast and status objects

2025-04-19 13:01:19 +00:00 · 2021-11-22 14:35:44 +00:00 · 2021-11-22 14:35:44 +00:00 · a281abfda4
commit a281abfda4
parent a09853ef14
3 changed files with 36 additions and 14 deletions
--- a/app/Config/Routes.php
+++ b/app/Config/Routes.php
@ -690,6 +690,7 @@ $routes->group('@(:podcastName)', function ($routes): void {
        'as' => 'podcast-activity',
    ]);
    // override default ActivityPub Library's actor route
+    $routes->options('/', 'ActivityPubController::preflight');
    $routes->get('/', 'PodcastController::activity/$1', [
        'as' => 'actor',
        'alternate-content' => [
@ -707,6 +708,7 @@ $routes->group('@(:podcastName)', function ($routes): void {
            ],
        ],
    ]);
+    $routes->options('episodes', 'ActivityPubController::preflight');
    $routes->get('episodes', 'PodcastController::episodes/$1', [
        'as' => 'podcast-episodes',
        'alternate-content' => [
@ -722,6 +724,7 @@ $routes->group('@(:podcastName)', function ($routes): void {
        ],
    ]);
    $routes->group('episodes/(:slug)', function ($routes): void {
+        $routes->options('/', 'ActivityPubController::preflight');
        $routes->get('/', 'EpisodeController/$1/$2', [
            'as' => 'episode',
            'alternate-content' => [
@ -736,7 +739,7 @@ $routes->group('@(:podcastName)', function ($routes): void {
                ],
            ],
        ]);
-        $routes->options('comments', 'EpisodeController::commentsPreflight/$1/$2');
+        $routes->options('comments', 'ActivityPubController::preflight');
        $routes->get('comments', 'EpisodeController::comments/$1/$2', [
            'as' => 'episode-comments',
            'application/activity+json' => [
@ -806,6 +809,7 @@ $routes->group('@(:podcastName)', function ($routes): void {
    ]);
    // Status
    $routes->group('statuses/(:uuid)', function ($routes): void {
+        $routes->options('/', 'ActivityPubController::preflight');
        $routes->get('/', 'StatusController::view/$1/$2', [
            'as' => 'status',
            'alternate-content' => [
@ -819,6 +823,7 @@ $routes->group('@(:podcastName)', function ($routes): void {
                ],
            ],
        ]);
+        $routes->options('replies', 'ActivityPubController::preflight');
        $routes->get('replies', 'StatusController/$1/$2', [
            'as' => 'status-replies',
            'alternate-content' => [
--- a/app/Controllers/ActivityPubController.php
+++ b/app/Controllers/ActivityPubController.php
@ -0,0 +1,30 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * @copyright  2021 Podlibre
+ * @license    https://www.gnu.org/licenses/agpl-3.0.en.html AGPL3
+ * @link       https://castopod.org/
+ */
+
+namespace App\Controllers;
+
+use CodeIgniter\Controller;
+use CodeIgniter\HTTP\Response;
+
+class ActivityPubController extends Controller
+{
+    /**
+     * @noRector ReturnTypeDeclarationRector
+     */
+    public function preflight(): Response
+    {
+        return $this->response->setHeader('Access-Control-Allow-Origin', '*') // for allowing any domain, insecure
+            ->setHeader('Access-Control-Allow-Headers', '*') // for allowing any headers, insecure
+            ->setHeader('Access-Control-Allow-Methods', 'GET, OPTIONS') // allows GET and OPTIONS methods only
+            ->setHeader('Access-Control-Max-Age', '86400')
+            ->setHeader('Cache-Control', 'public, max-age=86400')
+            ->setStatusCode(200);
+    }
+}
--- a/app/Controllers/EpisodeController.php
+++ b/app/Controllers/EpisodeController.php
@ -210,19 +210,6 @@ class EpisodeController extends BaseController
            ->setBody($podcastObject->toJSON());
    }

-    /**
-     * @noRector ReturnTypeDeclarationRector
-     */
-    public function commentsPreflight(): Response
-    {
-        return $this->response->setHeader('Access-Control-Allow-Origin', '*') // for allowing any domain, insecure
-            ->setHeader('Access-Control-Allow-Headers', '*') // for allowing any headers, insecure
-            ->setHeader('Access-Control-Allow-Methods', 'GET, OPTIONS') // allows GET and OPTIONS methods only
-            ->setHeader('Access-Control-Max-Age', '86400')
-            ->setHeader('Cache-Control', 'public, max-age=86400')
-            ->setStatusCode(200);
-    }
-
    /**
     * @noRector ReturnTypeDeclarationRector
     */