add cors middleware

remove methodannotationreader namespace

fix namespace for server container

fix tests

fail if with cors credentials header is set to true, implement a reusable preflighted cors method in the controller baseclass, make corsmiddleware private and register it for every request

remove uneeded  local in cors middleware registratio

dont uppercase cors to easily use it from routes

fix indention

comment fixes

explicitely set allow credentials header to false

dont depend on better controllers PR, fix that stuff later

split cors methods to be in a seperate controller for exposing apis

remove protected definitions from apicontroller since controller has it

3 files changed, 108 insertions, 2 deletions

diff --git a/lib/public/appframework/apicontroller.php b/lib/public/appframework/apicontroller.php
new file mode 100644
index 00000000000..5272f3ed529
--- /dev/null
+++ b/lib/public/appframework/apicontroller.php
@@ -0,0 +1,93 @@
+<?php
+/**
+ * ownCloud - App Framework
+ *
+ * @author Bernhard Posselt
+ * @copyright 2012 Bernhard Posselt nukeawhale@gmail.com
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU AFFERO GENERAL PUBLIC LICENSE for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public
+ * License along with this library.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+/**
+ * Public interface of ownCloud for apps to use.
+ * AppFramework\Controller class
+ */
+
+namespace OCP\AppFramework;
+
+use OCP\AppFramework\Http\Response;
+use OCP\IRequest;
+
+
+/**
+ * Base class to inherit your controllers from that are used for RESTful APIs
+ */
+abstract class ApiController extends Controller {
+
+    private $corsMethods;
+    private $corsAllowedHeaders;
+    private $corsMaxAge;
+
+    /**
+     * constructor of the controller
+     * @param string $appName the name of the app
+     * @param IRequest $request an instance of the request
+     * @param string $corsMethods: comma seperated string of HTTP verbs which 
+     * should be allowed for websites or webapps when calling your API, defaults to
+     * 'PUT, POST, GET, DELETE, PATCH'
+     * @param string $corsAllowedHeaders: comma seperated string of HTTP headers
+     * which should be allowed for websites or webapps when calling your API, 
+     * defaults to 'Authorization, Content-Type, Accept'
+     * @param int $corsMaxAge number in seconds how long a preflighted OPTIONS
+     * request should be cached, defaults to 1728000 seconds
+     */
+    public function __construct($appName, 
+                                IRequest $request, 
+                                $corsMethods='PUT, POST, GET, DELETE, PATCH',
+                                $corsAllowedHeaders='Authorization, Content-Type, Accept',
+                                $corsMaxAge=1728000){
+        parent::__construct($appName, $request);
+        $this->corsMethods = $corsMethods;
+        $this->corsAllowedHeaders = $corsAllowedHeaders;
+        $this->corsMaxAge = $corsMaxAge;
+    }
+
+
+    /**
+     * This method implements a preflighted cors response for you that you can
+     * link to for the options request
+     *
+     * @NoAdminRequired
+     * @NoCSRFRequired
+     * @PublicPage
+     */
+    public function preflightedCors() {
+        if(isset($this->request->server['HTTP_ORIGIN'])) {
+            $origin = $this->request->server['HTTP_ORIGIN'];
+        } else {
+            $origin = '*';
+        }
+
+        $response = new Response();
+        $response->addHeader('Access-Control-Allow-Origin', $origin);
+        $response->addHeader('Access-Control-Allow-Methods', $this->corsMethods);
+        $response->addHeader('Access-Control-Max-Age', $this->corsMaxAge);
+        $response->addHeader('Access-Control-Allow-Headers', $this->corsAllowedHeaders);
+        $response->addHeader('Access-Control-Allow-Credentials', 'false');
+        return $response;
+    }
+
+
+}
diff --git a/lib/public/appframework/controller.php b/lib/public/appframework/controller.php
index 758f0a80083..f42eba172c7 100644
--- a/lib/public/appframework/controller.php
+++ b/lib/public/appframework/controller.php
@@ -28,7 +28,6 @@
 namespace OCP\AppFramework;
 
 use OCP\AppFramework\Http\TemplateResponse;
-use OCP\AppFramework\IAppContainer;
 use OCP\IRequest;
 
 
@@ -49,12 +48,22 @@ abstract class Controller {
 	 */
 	protected $request;
 
+
 	/**
 	 * constructor of the controller
 	 * @param string $appName the name of the app
 	 * @param IRequest $request an instance of the request
+	 * @param string $corsMethods: comma seperated string of HTTP verbs which 
+	 * should be allowed for websites or webapps when calling your API, defaults to
+	 * 'PUT, POST, GET, DELETE, PATCH'
+	 * @param string $corsAllowedHeaders: comma seperated string of HTTP headers
+	 * which should be allowed for websites or webapps when calling your API, 
+	 * defaults to 'Authorization, Content-Type, Accept'
+	 * @param int $corsMaxAge number in seconds how long a preflighted OPTIONS
+	 * request should be cached, defaults to 1728000 seconds
 	 */
-	public function __construct($appName, IRequest $request){
+	public function __construct($appName, 
+	                            IRequest $request){
 		$this->appName = $appName;
 		$this->request = $request;
 	}
diff --git a/lib/public/appframework/http/response.php b/lib/public/appframework/http/response.php
index 45402d9b3b3..559d14dd7e7 100644
--- a/lib/public/appframework/http/response.php
+++ b/lib/public/appframework/http/response.php
@@ -92,6 +92,10 @@ class Response {
 	 * @return Response Reference to this object
 	 */
 	public function addHeader($name, $value) {
+		$name = trim($name);  // always remove leading and trailing whitespace
+		                      // to be able to reliably check for security 
+		                      // headers
+
 		if(is_null($value)) {
 			unset($this->headers[$name]);
 		} else {