* @author Lukas Reschke * @author Morris Jobke * @author Stefan Weil * * @license AGPL-3.0 * * This code is free software: you can redistribute it and/or modify * it under the terms of the GNU Affero General Public License, version 3, * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU Affero General Public License for more details. * * You should have received a copy of the GNU Affero General Public License, version 3, * along with this program. If not, see * */ /** * Public interface of ownCloud for apps to use. * AppFramework\Controller class */ namespace OCP\AppFramework; use OCP\AppFramework\Http\Response; use OCP\IRequest; /** * Base class to inherit your controllers from that are used for RESTful APIs * @since 7.0.0 */ abstract class ApiController extends Controller { private $corsMethods; private $corsAllowedHeaders; private $corsMaxAge; /** * constructor of the controller * @param string $appName the name of the app * @param IRequest $request an instance of the request * @param string $corsMethods comma separated string of HTTP verbs which * should be allowed for websites or webapps when calling your API, defaults to * 'PUT, POST, GET, DELETE, PATCH' * @param string $corsAllowedHeaders comma separated string of HTTP headers * which should be allowed for websites or webapps when calling your API, * defaults to 'Authorization, Content-Type, Accept' * @param int $corsMaxAge number in seconds how long a preflighted OPTIONS * request should be cached, defaults to 1728000 seconds * @since 7.0.0 */ public function __construct($appName, IRequest $request, $corsMethods='PUT, POST, GET, DELETE, PATCH', $corsAllowedHeaders='Authorization, Content-Type, Accept', $corsMaxAge=1728000) { parent::__construct($appName, $request); $this->corsMethods = $corsMethods; $this->corsAllowedHeaders = $corsAllowedHeaders; $this->corsMaxAge = $corsMaxAge; } /** * This method implements a preflighted cors response for you that you can * link to for the options request * * @NoAdminRequired * @NoCSRFRequired * @PublicPage * @since 7.0.0 */ public function preflightedCors() { if(isset($this->request->server['HTTP_ORIGIN'])) { $origin = $this->request->server['HTTP_ORIGIN']; } else { $origin = '*'; } $response = new Response(); $response->addHeader('Access-Control-Allow-Origin', $origin); $response->addHeader('Access-Control-Allow-Methods', $this->corsMethods); $response->addHeader('Access-Control-Max-Age', (string)$this->corsMaxAge); $response->addHeader('Access-Control-Allow-Headers', $this->corsAllowedHeaders); $response->addHeader('Access-Control-Allow-Credentials', 'false'); return $response; } }