From f65263c2acf3f185a700b88028e3ec6ca2698fdc Mon Sep 17 00:00:00 2001
From: daycry <7590335+daycry@users.noreply.github.com>
Date: Wed, 28 Jun 2023 17:31:03 +0200
Subject: [PATCH] exposed headers

---
 src/Config/RestFul.php        |  4 ++--
 src/Validators/Cors.php       | 14 ++++++++------
 tests/Validators/CorsTest.php |  2 +-
 3 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/src/Config/RestFul.php b/src/Config/RestFul.php
index 258017f..9ee1fd0 100644
--- a/src/Config/RestFul.php
+++ b/src/Config/RestFul.php
@@ -206,7 +206,7 @@ class RestFul extends BaseConfig
      * Set to TRUE to enable Cross-Origin Resource Sharing (CORS) from any
      * source domain
      */
-    public bool $allowAnyCorsDomain = true;
+    public bool $allowAnyCorsDomain = false;
 
     /**
      * --------------------------------------------------------------------------
@@ -261,7 +261,7 @@ class RestFul extends BaseConfig
     | http://docs.sencha.com/extjs/6.5.2/classic/Ext.data.proxy.Rest.html#cfg-withCredentials
     |
     */
-    public array $forcedCorsHeaders = [ 'Access-Control-Allow-Credentials' => 'true' ];
+    public bool $supportsCredentials = false;
 
     /**
      * --------------------------------------------------------------------------
diff --git a/src/Validators/Cors.php b/src/Validators/Cors.php
index 952ae54..e43ec30 100644
--- a/src/Validators/Cors.php
+++ b/src/Validators/Cors.php
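Review bot: Flipping the `$allowAnyCorsDomain` default from `true` to `false` in the first hunk changes behaviour for every existing install that relied on the old default, and neither the commit subject ("exposed headers") nor the docblock directly above the property mentions it. The docblock should state the default explicitly, e.g. `* Defaults to FALSE so that cross-origin requests are rejected unless an origin is explicitly allowed.`, and the change deserves an upgrade note in the changelog so deployments do not start failing cross-origin requests silently after an update. The `RestFul` class continues on both sides of this hunk.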
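Review bot: In the second hunk `$supportsCredentials` replaces `$forcedCorsHeaders`, but the docblock preceding it (the lines ending at the sencha `withCredentials` link) is kept verbatim, so it presumably still describes a generic forced-headers array rather than a boolean toggle; it should now say that `true` makes the CORS validator emit `Access-Control-Allow-Credentials: true`. The same docblock is the right place for the browser constraint that credentialed responses are only honoured when `Access-Control-Allow-Origin` names a specific origin, something like `* NOTE: has no effect when the origin is '*'; do not combine with $allowAnyCorsDomain = true.`. Renaming a public config property is also a breaking change for any project that overrides `forcedCorsHeaders` in its own config, which is worth an upgrade note. `RestFul` continues outside the hunk on both sides.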
@@ -40,12 +40,14 @@ public static function check(ResponseInterface &$response)
         $response->setHeader('Access-Control-Allow-Headers', $allowedCorsHeaders);
         $response->setHeader('Access-Control-Allow-Methods', $allowedCorsMethods);
 
-        $forcedheaders = service('settings')->get('RestFul.forcedCorsHeaders');
-        // If there are headers that should be forced in the CORS check, add them now
-        if (is_array($forcedheaders)) {
-            foreach ($forcedheaders as $header => $value) {
-                $response->setHeader($header, $value);
-            }
+        $response->setHeader('Access-Control-Expose-Headers', implode(', ', service('settings')->get('RestFul.exposedCorsHeaders')));
+
+        if (service('settings')->get('RestFul.corsMaxAge') !== null) {
+            $response = $response->setHeader('Access-Control-Max-Age', (string) service('settings')->get('RestFul.corsMaxAge'));
+        }
+
+        if (service('settings')->get('RestFul.supportsCredentials')) {
+            $response = $response->setHeader('Access-Control-Allow-Credentials', 'true');
         }
     }
 
diff --git a/tests/Validators/CorsTest.php b/tests/Validators/CorsTest.php
index 3134189..374c2ae 100644
--- a/tests/Validators/CorsTest.php
+++ b/tests/Validators/CorsTest.php
@@ -70,7 +70,7 @@ public function testCorsAllowCustomDomainError(): void
         $result = $this->call('get', 'example');
 
         $result->assertHeaderMissing('Access-Control-Allow-Origin');
-        $result->assertHeader('Access-Control-Allow-Credentials');
+        $result->assertHeaderMissing('Access-Control-Allow-Credentials');
     }
 
     public function testCorsOptionsMethodError(): void
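Review bot: `implode(', ', service('settings')->get('RestFul.exposedCorsHeaders'))` on the first added line throws a TypeError on PHP 8 if the setting resolves to null or a scalar, and going by the diffstat this patch adds `supportsCredentials` to `RestFul.php` but no `exposedCorsHeaders` or `corsMaxAge` property, so unless those were declared in an earlier commit every request through `check()` hits that path. Each setting should be read once into a local, the exposed list coerced with `(array)` and the header only sent when the list is non-empty (an empty `Access-Control-Expose-Headers` value is noise), and the `Access-Control-Allow-Credentials` branch deserves a comment that it is only meaningful when `Access-Control-Allow-Origin` carries a specific allow-listed origin rather than `*` or a blindly reflected request origin. The `$response = $response->setHeader(...)` form on the Max-Age and Allow-Credentials lines is also inconsistent with the unassigned `$response->setHeader(...)` calls above it; the rewrite below uses one form throughout. `check()` starts before the hunk, so the code that decides `Access-Control-Allow-Origin` is not visible here.

```php
        // … unchanged: Allow-Headers / Allow-Methods …
        $settings = service('settings');

        $exposed = (array) ($settings->get('RestFul.exposedCorsHeaders') ?? []);
        if ($exposed !== []) {
            $response->setHeader('Access-Control-Expose-Headers', implode(', ', $exposed));
        }

        $maxAge = $settings->get('RestFul.corsMaxAge');
        if ($maxAge !== null) {
            $response->setHeader('Access-Control-Max-Age', (string) $maxAge);
        }

        // Browsers ignore credentials when Access-Control-Allow-Origin is '*'; this flag
        // only makes sense together with an explicit, allow-listed origin.
        if ($settings->get('RestFul.supportsCredentials')) {
            $response->setHeader('Access-Control-Allow-Credentials', 'true');
        }
```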
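Review bot: The flipped assertion in `testCorsAllowCustomDomainError()` covers only the new default (`supportsCredentials = false`); no test touched by this patch exercises `supportsCredentials = true`, `Access-Control-Expose-Headers` or `Access-Control-Max-Age`, so the new branches in `Cors::check()` ship untested. A companion test that sets `supportsCredentials` to `true` on the config and asserts `$result->assertHeader('Access-Control-Allow-Credentials', 'true');` for an allowed origin, plus one asserting the `Access-Control-Expose-Headers` value for a configured list, would pin the intended behaviour. `testCorsAllowCustomDomainError()` starts before the hunk.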