From 89608d58443d72dc2e61524c37148d843de542ca Mon Sep 17 00:00:00 2001
From: Michael
Date: Thu, 24 Jun 2021 18:02:29 +0000
Subject: [PATCH] Set CORS header fields to support Halcyon
---
 src/App/Module.php | 30 +++++++++++++++----
 .../Api/Mastodon/Accounts/Relationships.php | 6 +++-
 2 files changed, 29 insertions(+), 7 deletions(-)
diff --git a/src/App/Module.php b/src/App/Module.php
index b2cc8210e3..5a2ad61837 100644
--- a/src/App/Module.php
+++ b/src/App/Module.php
@@ -265,17 +265,35 @@ class Module
 $logger->debug('index.php: page not found.', ['request_uri' => $server['REQUEST_URI'], 'address' => $server['REMOTE_ADDR'], 'query' => $server['QUERY_STRING']]);
 }
+ // @see https://github.com/tootsuite/mastodon/blob/c3aef491d66aec743a3a53e934a494f653745b61/config/initializers/cors.rb
+ if (substr($_REQUEST['pagename'] ?? '', 0, 12) == '.well-known/') {
+ header('Access-Control-Allow-Origin: *');
+ header('Access-Control-Allow-Headers: *');
+ header('Access-Control-Allow-Methods: ' . Router::GET);
+ header('Access-Control-Allow-Credentials: false');
+ } elseif (substr($_REQUEST['pagename'] ?? '', 0, 8) == 'profile/') {
+ header('Access-Control-Allow-Origin: *');
+ header('Access-Control-Allow-Headers: *');
+ header('Access-Control-Allow-Methods: ' . Router::GET);
+ header('Access-Control-Allow-Credentials: false');
+ } elseif (substr($_REQUEST['pagename'] ?? '', 0, 4) == 'api/') {
+ header('Access-Control-Allow-Origin: *');
+ header('Access-Control-Allow-Headers: *');
+ header('Access-Control-Allow-Methods: ' . implode(',', Router::ALLOWED_METHODS));
+ header('Access-Control-Allow-Credentials: false');
+ header('Access-Control-Expose-Headers: Link');
+ } elseif (substr($_REQUEST['pagename'] ?? '', 0, 11) == 'oauth/token') {
+ header('Access-Control-Allow-Origin: *');
+ header('Access-Control-Allow-Headers: *');
+ header('Access-Control-Allow-Methods: ' . Router::POST);
+ header('Access-Control-Allow-Credentials: false');
+ }
+
 // @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS
 // @todo Check allowed methods per requested path
 if ($server['REQUEST_METHOD'] === Router::OPTIONS) {
 header('HTTP/1.1 204 No Content');
 header('Allow: ' . implode(',', Router::ALLOWED_METHODS));
- // Deactivated until we know about possible side effects
- // header('Access-Control-Allow-Credentials: true');
- // header('Access-Control-Allow-Headers: Authorization,Content-Type');
- // header('Access-Control-Allow-Methods: ' . implode(',', Router::ALLOWED_METHODS));
- // header('Access-Control-Allow-Origin: ' . DI::baseUrl());
- // header('Access-Control-Max-Age: 86400');
 exit();
 }
diff --git a/src/Module/Api/Mastodon/Accounts/Relationships.php b/src/Module/Api/Mastodon/Accounts/Relationships.php
index 12d5f2e660..5631952d2a 100644
--- a/src/Module/Api/Mastodon/Accounts/Relationships.php
+++ b/src/Module/Api/Mastodon/Accounts/Relationships.php
@@ -44,10 +44,14 @@ class Relationships extends BaseApi
 'id' => [],
 ]);
- if (empty($request['id']) || !is_array($request['id'])) {
+ if (empty($request['id'])) {
 DI::mstdnError()->UnprocessableEntity();
 }
+ if (!is_array($request['id'])) {
+ $request['id'] = [$request['id']];
+ }
+
 $relationsships = [];
 foreach ($request['id'] as $id) {
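Review bot: In the `api/` branch of the new CORS block in src/App/Module.php (and in `oauth/token`, if clients authenticate with a header there), `Access-Control-Allow-Headers: *` does not cover `Authorization`: the Fetch specification treats it as a non-wildcard request header that must be named explicitly, so a browser client sending a bearer token (presumably what Halcyon does) can still fail its preflight. I would send `header('Access-Control-Allow-Headers: *, Authorization');` there. `Access-Control-Allow-Credentials: false` is not a defined value (only `true` is) and is better omitted, so that nobody reading the response mistakes it for an active control. The four branches differ only in the method list and the `Link` exposure, so a short comment stating why each path prefix is opened to any origin would help later audits. The enclosing method begins and ends outside this hunk.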
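Review bot: After the new normalisation in src/Module/Api/Mastodon/Accounts/Relationships.php, the elements of `$request['id']` are still unchecked: a nested array (`id[][]=…`) or a non-numeric string passes `empty()` and reaches the `foreach`. The loop body is outside this hunk, so whether `$id` is cast before use cannot be confirmed here; if it is not, a guard at the top of the loop such as `if (!is_numeric($id)) { DI::mstdnError()->UnprocessableEntity(); }` would keep malformed input out of the lookup. A one-line comment above the `is_array()` wrap, for example `// Some clients send a single "id" value instead of "id[]"`, would record why a scalar is now accepted.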