Add CORS configuration and refactor CORS resource handling

This commit is contained in:
Damodar Lohani
2026-02-10 10:52:53 +00:00
parent f8fb2e8c2d
commit bb76becf81
3 changed files with 65 additions and 48 deletions
+53
View File
@@ -0,0 +1,53 @@
<?php
/**
* CORS Configuration
*
* Centralised list of allowed methods, headers, and exposed headers for CORS responses.
*/
return [
'allowedMethods' => ['GET', 'POST', 'PUT', 'PATCH', 'DELETE'],
'allowedHeaders' => [
'Accept',
'Origin',
'Cookie',
'Set-Cookie',
// Content
'Content-Type',
'Content-Range',
// Appwrite
'X-Appwrite-Project',
'X-Appwrite-Key',
'X-Appwrite-Dev-Key',
'X-Appwrite-Locale',
'X-Appwrite-Mode',
'X-Appwrite-JWT',
'X-Appwrite-Response-Format',
'X-Appwrite-Timeout',
'X-Appwrite-ID',
'X-Appwrite-Timestamp',
'X-Appwrite-Session',
'X-Appwrite-Platform',
// SDK generator
'X-SDK-Version',
'X-SDK-Name',
'X-SDK-Language',
'X-SDK-Platform',
'X-SDK-GraphQL',
'X-SDK-Profile',
// Caching
'Range',
'Cache-Control',
'Expires',
'Pragma',
// Server to server
'X-Fallback-Cookies',
'X-Requested-With',
'X-Forwarded-For',
'X-Forwarded-User-Agent',
],
'exposedHeaders' => [
'X-Appwrite-Session',
'X-Fallback-Cookies',
],
];
+1
View File
@@ -46,3 +46,4 @@ Config::load('storage-outputs', __DIR__ . '/../config/storage/outputs.php', $con
Config::load('specifications', __DIR__ . '/../config/specifications.php', $configAdapter);
Config::load('templates-function', __DIR__ . '/../config/templates/function.php', $configAdapter);
Config::load('templates-site', __DIR__ . '/../config/templates/site.php', $configAdapter);
Config::load('cors', __DIR__ . '/../config/cors.php', $configAdapter);
+11 -48
View File
@@ -296,54 +296,17 @@ Http::setResource('rule', function (Request $request, Database $dbForPlatform, D
/**
* CORS service
*/
Http::setResource('cors', fn (array $allowedHostnames) => new Cors(
$allowedHostnames,
allowedMethods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE'],
allowedHeaders: [
'Accept',
'Origin',
'Cookie',
'Set-Cookie',
// Content
'Content-Type',
'Content-Range',
// Appwrite
'X-Appwrite-Project',
'X-Appwrite-Key',
'X-Appwrite-Dev-Key',
'X-Appwrite-Locale',
'X-Appwrite-Mode',
'X-Appwrite-JWT',
'X-Appwrite-Response-Format',
'X-Appwrite-Timeout',
'X-Appwrite-ID',
'X-Appwrite-Timestamp',
'X-Appwrite-Session',
'X-Appwrite-Platform', // for `$platform` injection and SDK generator
// SDK generator
'X-SDK-Version',
'X-SDK-Name',
'X-SDK-Language',
'X-SDK-Platform',
'X-SDK-GraphQL',
'X-SDK-Profile',
// Caching
'Range',
'Cache-Control',
'Expires',
'Pragma',
// Server to server
'X-Fallback-Cookies',
'X-Requested-With',
'X-Forwarded-For',
'X-Forwarded-User-Agent',
],
allowCredentials: true,
exposedHeaders: [
'X-Appwrite-Session',
'X-Fallback-Cookies',
],
), ['allowedHostnames']);
Http::setResource('cors', function (array $allowedHostnames) {
$corsConfig = Config::getParam('cors');
return new Cors(
$allowedHostnames,
allowedMethods: $corsConfig['allowedMethods'],
allowedHeaders: $corsConfig['allowedHeaders'],
allowCredentials: true,
exposedHeaders: $corsConfig['exposedHeaders'],
);
}, ['allowedHostnames']);
Http::setResource('originValidator', function (Document $devKey, array $allowedHostnames, array $allowedSchemes) {
if (!$devKey->isEmpty()) {