Enhance CORS exposed headers handling for dynamic response (#26)

yinheli · yinheli · commit f3ef5d436ec8 · 2024-09-04T09:57:34.000+08:00
- Update CorsService to merge existing exposed headers with configured
- Add deduplication for exposed headers
diff --git a/src/CorsService.php b/src/CorsService.php
@@ -260,8 +260,17 @@ private function configureAllowCredentials(Response $response, Request $request)
 
     private function configureExposedHeaders(Response $response, Request $request): void
     {
+        $existingExposedHeaders = $response->headers->get('Access-Control-Expose-Headers');
+        $exposedHeaders = $existingExposedHeaders ? array_map('trim', explode(',', $existingExposedHeaders)) : [];
+
         if ($this->exposedHeaders) {
-            $response->headers->set('Access-Control-Expose-Headers', implode(', ', $this->exposedHeaders));
+            $exposedHeaders = array_merge($this->exposedHeaders, $exposedHeaders);
+        }
+
+        $uniqueExposedHeaders = array_unique(array_filter($exposedHeaders));
+
+        if (!empty($uniqueExposedHeaders)) {
+            $response->headers->set('Access-Control-Expose-Headers', implode(', ', $uniqueExposedHeaders));
         }
     }
 
diff --git a/tests/CorsTest.php b/tests/CorsTest.php
@@ -535,6 +535,43 @@ public function itDoesntSetAccessControlAllowOriginWithoutOrigin(): void
         $this->assertFalse($response->headers->has('Access-Control-Allow-Origin'));
     }
 
+    /**
+     * @test
+     */
+    public function itConfiguresExposedHeadersWhenResponseHasNoExistingHeaders(): void
+    {
+        $app = $this->createStackedApp([], [
+            'Access-Control-Expose-Headers' => 'X-Custom-1, X-Custom-2',
+        ]);
+        $request = $this->createValidActualRequest();
+
+        $response = $app->handle($request);
+
+        $this->assertTrue($response->headers->has('Access-Control-Expose-Headers'));
+        $this->assertEquals('X-Custom-1, X-Custom-2', $response->headers->get('Access-Control-Expose-Headers'));
+    }
+
+    /**
+     * @test
+     */
+    public function itMergesExposedHeadersWhenResponseHasExistingHeaders(): void
+    {
+        $app = $this->createStackedApp(
+            [
+                'exposedHeaders' => ['X-Option-1', 'X-Option-2'],
+            ],
+            [
+                'Access-Control-Expose-Headers' => 'X-Custom-1',
+            ]
+        );
+        $request = $this->createValidActualRequest();
+
+        $result = $app->handle($request);
+
+        $this->assertTrue($result->headers->has('Access-Control-Expose-Headers'));
+        $this->assertEquals('X-Option-1, X-Option-2, X-Custom-1', $result->headers->get('Access-Control-Expose-Headers'));
+    }
+
     private function createValidActualRequest(): Request
     {
         $request  = new Request();

Original file line number	Diff line number	Diff line change
`@@ -260,8 +260,17 @@ private function configureAllowCredentials(Response $response, Request $request)`
`260`	`260`
`261`	`261`	`private function configureExposedHeaders(Response $response, Request $request): void`
`262`	`262`	`{`
	`263`	`+ $existingExposedHeaders = $response->headers->get('Access-Control-Expose-Headers');`
	`264`	`+ $exposedHeaders = $existingExposedHeaders ? array_map('trim', explode(',', $existingExposedHeaders)) : [];`
	`265`	`+`
`263`	`266`	`if ($this->exposedHeaders) {`
`264`		`- $response->headers->set('Access-Control-Expose-Headers', implode(', ', $this->exposedHeaders));`
	`267`	`+ $exposedHeaders = array_merge($this->exposedHeaders, $exposedHeaders);`
	`268`	`+ }`
	`269`	`+`
	`270`	`+ $uniqueExposedHeaders = array_unique(array_filter($exposedHeaders));`
	`271`	`+`
	`272`	`+ if (!empty($uniqueExposedHeaders)) {`
	`273`	`+ $response->headers->set('Access-Control-Expose-Headers', implode(', ', $uniqueExposedHeaders));`
`265`	`274`	`}`
`266`	`275`	`}`
`267`	`276`