From 0d6c167712a7501688eebfc038bb340fc41ae3ef Mon Sep 17 00:00:00 2001
From: Elana Kopelevich <elana.kopelevich@shopify.com>
Date: Thu, 6 Jul 2023 15:27:25 -0600
Subject: [PATCH] chore: Add access control headers for embedded apps

---
 web/app/Http/Kernel.php                       |  1 +
 .../Http/Middleware/AccessControlHeaders.php  | 33 +++++++++++++++++++
 2 files changed, 34 insertions(+)
 create mode 100644 web/app/Http/Middleware/AccessControlHeaders.php

diff --git a/web/app/Http/Kernel.php b/web/app/Http/Kernel.php
index 4af497fa0..3eb42388d 100644
--- a/web/app/Http/Kernel.php
+++ b/web/app/Http/Kernel.php
@@ -21,6 +21,7 @@ class Kernel extends HttpKernel
         \Illuminate\Foundation\Http\Middleware\ValidatePostSize::class,
         \App\Http\Middleware\TrimStrings::class,
         \Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull::class,
+        \App\Http\Middleware\AccessControlHeaders::class,
     ];
 
     /**
diff --git a/web/app/Http/Middleware/AccessControlHeaders.php b/web/app/Http/Middleware/AccessControlHeaders.php
new file mode 100644
index 000000000..1c5ccd98e
--- /dev/null
+++ b/web/app/Http/Middleware/AccessControlHeaders.php
@@ -0,0 +1,33 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+use Illuminate\Http\Request;
+use Illuminate\Http\Response;
+use Shopify\Context;
+
+class AccessControlHeaders
+{
+    /**
+     * Ensures that Access Control Headers are set for embedded apps.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  \Closure  $next
+     * @return mixed
+     */
+    public function handle(Request $request, Closure $next)
+    {
+        if (Context::$IS_EMBEDDED_APP) {
+
+            /** @var Response $response */
+            $response = $next($request);
+
+            $response->headers->set("Access-Control-Allow-Origin", "*");
+            $response->headers->set("Access-Control-Allow-Header", "Authorization");
+            $response->headers->set("Access-Control-Expose-Headers", 'X-Shopify-API-Request-Failure-Reauthorize-Url');
+
+            return $response;
+        }
+    }
+}