From 2a167c0c4d1d66a3f03d487dede262156d01600f Mon Sep 17 00:00:00 2001 From: Lars Gebhardt-Kusche Date: Mon, 8 Dec 2025 23:31:05 +0100 Subject: [PATCH] 11 --- src/ApiKernel.php | 36 +++++++++++++++++++++++++++++------- 1 file changed, 29 insertions(+), 7 deletions(-) diff --git a/src/ApiKernel.php b/src/ApiKernel.php index b62caca..6d82931 100644 --- a/src/ApiKernel.php +++ b/src/ApiKernel.php @@ -97,14 +97,36 @@ class ApiKernel $this->fail('Invalid config', 'config file not found or not returning array', 500); } private function cors(): void { /* ... Logik bleibt unverändert ... */ - $cors = $this->conf['cors'] ?? '*'; - if ($cors) { - header('Access-Control-Allow-Origin: ' . $cors); - header('Access-Control-Allow-Methods: GET, POST, OPTIONS'); - header('Access-Control-Allow-Headers: Content-Type, Authorization'); - header('Access-Control-Allow-Credentials: true'); + $corsConfig = $this->conf['cors'] ?? '*'; + $originHeader = $_SERVER['HTTP_ORIGIN'] ?? ''; + $allowedOrigin = null; + + if (is_array($corsConfig)) { + if ($originHeader && in_array($originHeader, $corsConfig, true)) { + $allowedOrigin = $originHeader; + } + } elseif (is_string($corsConfig)) { + if ($corsConfig === '*' && $originHeader !== '') { + $allowedOrigin = $originHeader; + } else { + $allowedOrigin = $corsConfig; + } + } + + if ($allowedOrigin) { + header('Access-Control-Allow-Origin: ' . $allowedOrigin); + header('Vary: Origin'); + header('Access-Control-Allow-Credentials: true'); + } elseif ($corsConfig === '*') { + header('Access-Control-Allow-Origin: *'); + } + + header('Access-Control-Allow-Methods: GET, POST, OPTIONS'); + header('Access-Control-Allow-Headers: Content-Type, Authorization'); + + if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'OPTIONS') { + $this->respond(['ok' => true]); } - if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'OPTIONS') $this->respond(['ok' => true]); if (!empty($this->conf['auth']['cookie'])) { $c = $this->conf['auth']['cookie'];
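Review bot: In the new `is_string` arm, the `'*'` case reflects the request's `Origin` header verbatim into `Access-Control-Allow-Origin` and, because `$allowedOrigin` is then truthy, also sends `Access-Control-Allow-Credentials: true`; since `cors` defaults to `'*'` (`$this->conf['cors'] ?? '*'`), an unconfigured deployment lets any site make credentialed cross-origin requests and read the responses, which matters given the cookie auth handled just below. The old code's `*` plus credentials was refused by browsers; origin reflection defeats that safeguard. The `elseif ($corsConfig === '*')` branch that emits a bare `*` is unreachable, because a `'*'` config with no `Origin` header still falls into the `else`, sets `$allowedOrigin = '*'`, and takes the credentialed branch. Credentials should only be granted to origins explicitly listed in config, and the wildcard case should send `*` without `Access-Control-Allow-Credentials`; `cors()` does not close within this hunk, so the rest of its body is not visible here.

```php
        if (is_array($corsConfig)) {
            if ($originHeader !== '' && in_array($originHeader, $corsConfig, true)) {
                $allowedOrigin = $originHeader;
            }
        } elseif (is_string($corsConfig) && $corsConfig !== '*') {
            // A single fixed origin from config; never reflect the request's Origin.
            $allowedOrigin = $corsConfig;
        }

        if ($allowedOrigin !== null) {
            header('Access-Control-Allow-Origin: ' . $allowedOrigin);
            header('Vary: Origin');
            header('Access-Control-Allow-Credentials: true');
        } elseif ($corsConfig === '*') {
            // Wildcard: public, non-credentialed access only.
            header('Access-Control-Allow-Origin: *');
        }
        // … unchanged: Allow-Methods / Allow-Headers and the OPTIONS early response …
```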