mitsuki/cors

Official CORS listener for the Mitsuki PHP framework with IP whitelisting support

Maintainers

Package info

github.com/zgeniuscoders/mitsuki-cors

Type:lirary

pkg:composer/mitsuki/cors

Statistics

Installs: 0

Dependents: 0

Suggesters: 0

Stars: 0

Open Issues: 0

Security

Advisories: 0

Aikido package health analysis

v1.0.0 2026-02-22 09:54 UTC

Requires

Requires (Dev)

MIT e0c9ea71038b8b68452de51327cf312d6b6fa42a

  • zgeniusecoders <zgeniusecoders.woop@gmail.com>

symfonyhttpsecuritycorslistenermicro-frameworkcidrip-whitelistmitsuki

This package is auto-updated.

Last update: 2026-02-22 09:56:55 UTC

README

Official CORS listener for the Mitsuki PHP framework with configurable IP whitelisting support. Production-ready for secure REST APIs, microservices, and mobile backends.

โœจ Features

  • Standard CORS headers support (Origin, Methods, Headers, Credentials, Max-Age)
  • Configurable IP whitelisting via .env (exact IPs + CIDR ranges: 192.168.1.0/24)
  • Main request only (isMainRequest() validation)
  • Symfony kernel.response event listener
  • Production-ready CIDR validation (ip2long + subnet mask)
  • Zero runtime dependencies beyond core Mitsuki contracts

๐Ÿ“ฆ Installation

composer require mitsuki/cors

Production Requirements:

  • PHP ^8.1
  • mitsuki/listener-contracts:^1.0

Development Dependencies:

  • mitsuki/http:^1.0 (unit tests only)
  • pestphp/pest:^4.4 (testing)

๐Ÿ“‹ Usage Examples

Development (Allow All)

CORS_ALLOWED_IPS=""

Production Security

# Localhost + Docker + VPS range
CORS_ALLOWED_IPS="127.0.0.1,::1,192.168.1.0/24,10.96.0.0/12"

Generated Response Headers

Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Authorization
Access-Control-Allow-Credentials: true
Access-Control-Max-Age: 86400

๐Ÿงช Testing

# Install dev dependencies (including mitsuki/http for tests)
composer install

# Run full test suite
./vendor/bin/pest

# Run specific tests
./vendor/bin/pest tests/Unit/CorsListenerTest.php

Test Coverage:

  • Main vs sub-request handling
  • Exact IP matching (127.0.0.1)
  • CIDR range validation (192.168.1.55 โˆˆ 192.168.1.0/24)
  • Fallback behavior (empty config = allow all)
  • Full CORS headers verification

๐Ÿ—๏ธ Architecture

Mitsuki\Listeners\CorsListener implements ListenerResponseInterface
โ”œโ”€โ”€ __construct(array $allowedIps = [])
โ”œโ”€โ”€ onKernelResponse(ResponseEvent $event)
โ”‚   โ”œโ”€โ”€ if (!$event->isMainRequest()) return
โ”‚   โ”œโ”€โ”€ $clientIp = $request->getClientIp()
โ”‚   โ”œโ”€โ”€ if (!$this->isIpAllowed($clientIp)) return
โ”‚   โ””โ”€โ”€ $response->headers->set() // CORS headers
โ”œโ”€โ”€ isIpAllowed(string $ip): bool
โ”‚   โ””โ”€โ”€ foreach($allowedIps) { CIDR/exact match }
โ””โ”€โ”€ ipInCidr(string $ip, string $cidr): bool
    โ””โ”€โ”€ ip2long() + subnet mask logic

๐Ÿ”ง Advanced Usage

IPv6 Support

CORS_ALLOWED_IPS="2001:db8::/32,::1,127.0.0.1"

Custom Headers/Methods

// Extend the listener
class CustomCorsListener extends CorsListener
{
    protected function setCorsHeaders(Response $response): void
    {
        parent::setCorsHeaders($response);
        $response->headers->set('Access-Control-Allow-Headers', 'X-API-Key,Authorization');
    }
}

๐ŸŽฏ Perfect For

  • REST APIs โ†’ Flutter/React/Vue SPAs
  • Microservices โ†’ Docker/Kubernetes networking
  • Secure deployments โ†’ VPS/hosting providers
  • JWT/OAuth2 โ†’ API authentication flows

๐Ÿ“ Repository Structure

mitsuki/cors/
โ”œโ”€โ”€ src/
โ”‚   โ””โ”€โ”€ CorsListener.php
โ”œโ”€โ”€ tests/
โ”‚   โ””โ”€โ”€ Unit/
โ”‚       โ””โ”€โ”€ CorsListenerTest.php
โ”œโ”€โ”€ composer.json
โ”œโ”€โ”€ README.md
โ””โ”€โ”€ LICENSE

๐Ÿ“„ License

MIT License ยฉ 2026 ZGenius Matondo

Made with โค๏ธ for the Mitsuki PHP framework