From 2091bdb4e3f549e128f64c6744bd4bf031760665 Mon Sep 17 00:00:00 2001
From: Kilian Hofmann
Date: Thu, 25 Jul 2024 22:19:38 +0200
Subject: [PATCH] CORS Unauth repsonse
---
 exam/classes/Auth/AdminAuth.php | 24 +++++++++++++++++++++---
 exam/classes/Auth/Auth.php | 16 ++++++++++++++--
 exam/classes/Auth/OptAuth.php | 8 +++++++-
 3 files changed, 42 insertions(+), 6 deletions(-)
diff --git a/exam/classes/Auth/AdminAuth.php b/exam/classes/Auth/AdminAuth.php
index e7e9eca..8c353bb 100644
--- a/exam/classes/Auth/AdminAuth.php
+++ b/exam/classes/Auth/AdminAuth.php
@@ -16,17 +16,35 @@ class AdminAuth implements IMiddleware
 // No token
 if ($token === null) {
- Response::response()->httpCode(401)->json(["code" => "Unauthorized", "message" => "Not Authorized"]);
+ Response::response()
+ ->header("Cache-control: no-cache")
+ ->header("Access-Control-Allow-Origin: *")
+ ->header("Access-Control-Allow-Methods: *")
+ ->header("Access-Control-Allow-Headers: *")
+ ->httpCode(401)
+ ->json(["code" => "Unauthorized", "message" => "Not Authorized"]);
 }
 try {
 $user = User::getByToken($token);
 if (!$user->getIsAdmin()) {
- Response::response()->httpCode(401)->json(["code" => "Unauthorized", "message" => "Not Authorized"]);
+ Response::response()
+ ->header("Cache-control: no-cache")
+ ->header("Access-Control-Allow-Origin: *")
+ ->header("Access-Control-Allow-Methods: *")
+ ->header("Access-Control-Allow-Headers: *")
+ ->httpCode(401)
+ ->json(["code" => "Unauthorized", "message" => "Not Authorized"]);
 }
 } catch (Exception $err) {
 // No user with this token exists
- Response::response()->httpCode(401)->json(["code" => "Unauthorized", "message" => "Not Authorized"]);
+ Response::response()
+ ->header("Cache-control: no-cache")
+ ->header("Access-Control-Allow-Origin: *")
+ ->header("Access-Control-Allow-Methods: *")
+ ->header("Access-Control-Allow-Headers: *")
+ ->httpCode(401)
+ ->json(["code" => "Unauthorized", "message" => "Not Authorized"]);
 }
 }
 }
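Review bot: In all three 401 branches of AdminAuth the added `Access-Control-Allow-Headers: *` does not cover the `Authorization` request header, which browsers accept only when it is listed by name, and every wildcard here is read literally once a request carries credentials; the same chain is repeated in both branches of Auth.php and in OptAuth.php. How the token reaches the middleware is outside the hunk, so this matters only if it travels in `Authorization` or a cookie; in that case list the methods and headers explicitly and echo a configured origin instead of `*`. Since the identical six-call chain now exists six times, I would keep it in one helper so the policy cannot drift between the three classes. The header and method lists in the sketch are examples to be confirmed against what the front end sends, and the helper assumes the middleware method is not static.

```php
// One place for the 401 body and its CORS headers (could live in a trait shared by all three middlewares).
private function unauthorized(): void
{
    Response::response()
        ->header("Cache-control: no-cache")
        // TODO(review): echo the configured front-end origin rather than "*"
        ->header("Access-Control-Allow-Origin: *")
        ->header("Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS")
        ->header("Access-Control-Allow-Headers: Authorization, Content-Type")
        ->httpCode(401)
        ->json(["code" => "Unauthorized", "message" => "Not Authorized"]);
}

// … unchanged: token lookup …
if ($token === null) {
    $this->unauthorized();
}
// … unchanged: admin check and catch branch, each calling $this->unauthorized() …
```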
diff --git a/exam/classes/Auth/Auth.php b/exam/classes/Auth/Auth.php
index eef37cc..baff77e 100644
--- a/exam/classes/Auth/Auth.php
+++ b/exam/classes/Auth/Auth.php
@@ -16,14 +16,26 @@ class Auth implements IMiddleware
 // No token
 if ($token === null) {
- Response::response()->httpCode(401)->json(["code" => "Unauthorized", "message" => "Not Authorized"]);
+ Response::response()
+ ->header("Cache-control: no-cache")
+ ->header("Access-Control-Allow-Origin: *")
+ ->header("Access-Control-Allow-Methods: *")
+ ->header("Access-Control-Allow-Headers: *")
+ ->httpCode(401)
+ ->json(["code" => "Unauthorized", "message" => "Not Authorized"]);
 }
 try {
 User::getByToken($token);
 } catch (Exception $err) {
 // No user with this token exists
- Response::response()->httpCode(401)->json(["code" => "Unauthorized", "message" => "Not Authorized"]);
+ Response::response()
+ ->header("Cache-control: no-cache")
+ ->header("Access-Control-Allow-Origin: *")
+ ->header("Access-Control-Allow-Methods: *")
+ ->header("Access-Control-Allow-Headers: *")
+ ->httpCode(401)
+ ->json(["code" => "Unauthorized", "message" => "Not Authorized"]);
 }
 }
 }
diff --git a/exam/classes/Auth/OptAuth.php b/exam/classes/Auth/OptAuth.php
index 1a0964d..8f2b9f5 100644
--- a/exam/classes/Auth/OptAuth.php
+++ b/exam/classes/Auth/OptAuth.php
@@ -23,7 +23,13 @@ class OptAuth implements IMiddleware
 User::getByToken($token);
 } catch (Exception $err) {
 // No user with this token exists
- Response::response()->httpCode(401)->json(["code" => "Unauthorized", "message" => "Not Authorized"]);
+ Response::response()
+ ->header("Cache-control: no-cache")
+ ->header("Access-Control-Allow-Origin: *")
+ ->header("Access-Control-Allow-Methods: *")
+ ->header("Access-Control-Allow-Headers: *")
+ ->httpCode(401)
+ ->json(["code" => "Unauthorized", "message" => "Not Authorized"]);
 }
 }
 }
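Review bot: The `$token === null` branch in Auth.php (and the same branch in AdminAuth.php) still answers 401 to any request without a token, and a browser's CORS preflight is such a request: it is sent without credentials and must receive a 2xx status, so the headers added to the 401 would not by themselves let a cross-origin call with a token succeed. Whether this middleware runs for OPTIONS requests is not visible in the hunk; if it does, let OPTIONS through before the token check or answer preflights in a dedicated CORS layer. If the intent is only that a cross-origin client can read the error body, a short comment above the chain such as `// CORS headers so a cross-origin client can read the 401 body` would record that.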