add Sabre plugin to whitelist the OP instance in the CORS headers

Signed-off-by: Julien Veyssier <[email protected]>
nextcloud · julien-nc · Dec 6, 2022 · Dec 6, 2022 · Dec 6, 2022 · c8fb8534568cf18a23c2aec969bc9fbfa708339e
commit c8fb8534568cf18a23c2aec969bc9fbfa708339e
@@ -23,6 +23,9 @@ For more information on how to set up and use the OpenProject application, pleas
 	<licence>agpl</licence>
 	<author>Julien Veyssier</author>
 	<namespace>OpenProject</namespace>
+	<types>
+		<dav/>
+	</types>
 	<documentation>
 		<user>https://openproject.org/docs/user-guide/nextcloud-integration/</user>
 		<admin>https://openproject.org/docs/system-admin-guide/integrations/nextcloud/</admin>

@@ -12,11 +12,13 @@
 use Closure;
 use OCA\Files\Event\LoadSidebar;
 use OCA\OpenProject\Listener\LoadSidebarScript;
+use OCA\OpenProject\Sabre\CorsPlugin;
 use OCP\IConfig;
 use OCP\IL10N;
 use OCP\INavigationManager;
 use OCP\IURLGenerator;
 use OCP\IUserSession;
+use OCP\SabrePluginEvent;
 use OCP\Util;
 
 use OCP\AppFramework\App;
@@ -70,6 +72,11 @@ public function boot(IBootContext $context): void {
 		$dispatcher->addListener('OCA\Files::loadAdditionalScripts', function () {
 			Util::addScript(Application::APP_ID, 'integration_openproject-fileActions');
 		});
+
+		$config = $this->config;
+		$dispatcher->addListener('OCA\DAV\Connector\Sabre::addPlugin', function (SabrePluginEvent $event) use ($config) {
+			$event->getServer()->addPlugin(new CorsPlugin($config));
+		});
 	}
 
 	public function registerNavigation(IUserSession $userSession): void {

@@ -0,0 +1,62 @@
+<?php
+
+declare(strict_types=1);
+
+namespace OCA\OpenProject\Sabre;
+
+use OCA\OpenProject\AppInfo\Application;
+use OCP\IConfig;
+use Sabre\DAV\Server;
+use Sabre\DAV\ServerPlugin;
+use Sabre\HTTP\RequestInterface;
+use Sabre\HTTP\ResponseInterface;
+use Sabre\HTTP\Sapi;
+
+/**
+ * inspired by https://gitlab.tugraz.at/dbp/nextcloud/webapppassword/-/blob/master/lib/Connector/Sabre/CorsPlugin.php
+ */
+class CorsPlugin extends ServerPlugin {
+	/**
+	 * @var string
+	 */
+	private $allowedOrigin;
+
+	public function __construct(IConfig $config) {
+		$this->allowedOrigin = $config->getAppValue(Application::APP_ID, 'oauth_instance_url');
+	}
+
+	/**
+	 * @param Server $server
+	 * @return void
+	 */
+	public function initialize(\Sabre\DAV\Server $server): void {
+		$server->on('beforeMethod:*', [$this, 'setCorsHeaders'], 5);
+	}
+
+	/**
+	 * @return void|bool
+	 */
+	public function setCorsHeaders(RequestInterface $request, ResponseInterface $response) {
+		if ($response->hasHeader('access-control-allow-origin')) {
+			return;
+		}
+
+		$origin = $request->getHeader('origin');
+		if (empty($origin) || $origin !== $this->allowedOrigin) {
+			return;
+		}
+
+		$response->addHeader('access-control-allow-origin', $origin);
+		$response->addHeader('access-control-allow-methods', $request->getHeader('access-control-request-method'));
+		$response->addHeader('access-control-allow-headers', $request->getHeader('access-control-request-headers'));
+		$response->addHeader('access-control-expose-headers', 'etag, dav');
+		$response->addHeader('access-control-allow-credentials', 'true');
+
+		if ($request->getMethod() === 'OPTIONS' && empty($request->getHeader('authorization'))) {
+			$response->setStatus(204);
+			Sapi::sendResponse($response);
+
+			return false;
+		}
+	}
+}