[Bug]fix prefilght cors OPTIONS request record in the action visits (#19030)

* extend request with options and method

when options header and method is options do not record in the database.

* update function

update function

* update tests

update tests

* update tests

adjust code only trigger on option request

* remove class variable

remove server

* Update Request.php

add check request method

* drop option request

drop prefight request

* update reset

update reset

* return 204 on prefight

return 204 on prefight

* Update Tracker.php

accept cors

* fix typo & add type hint

* Update core/Tracker/RequestSet.php

* apply PSR12 code formatting

* adds test

Co-authored-by: sgiehl <stefan@matomo.org>

4 files changed, 34 insertions, 6 deletions

diff --git a/core/Tracker.php b/core/Tracker.php
index 9d813c0796..90485e1a5d 100644
--- a/core/Tracker.php
+++ b/core/Tracker.php
@@ -1,4 +1,5 @@
 <?php
+
 /**
  * Matomo - free/libre analytics platform
  *
@@ -6,6 +7,7 @@
  * @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
  *
  */
+
 namespace Piwik;
 
 use Exception;
@@ -110,11 +112,21 @@ class Tracker
     {
         try {
             $this->init();
+
+            if ($this->isPreFlightCorsRequest()) {
+                Common::sendHeader('Access-Control-Allow-Methods: GET, POST');
+                Common::sendHeader('Access-Control-Allow-Headers: *');
+                Common::sendHeader('Access-Control-Allow-Origin: *');
+                Common::sendResponseCode(204);
+                $this->logger->debug("Tracker detected preflight CORS request. Skipping...");
+                return null;
+            }
+
             $handler->init($this, $requestSet);
 
             $this->track($handler, $requestSet);
         } catch (Exception $e) {
-            StaticContainer::get(LoggerInterface::class)->debug("Tracker encountered an exception: {ex}", [$e]);
+            $this->logger->debug("Tracker encountered an exception: {ex}", [$e]);
 
             $handler->onException($this, $requestSet, $e);
         }
@@ -171,7 +183,8 @@ class Tracker
      */
     public static function initCorePiwikInTrackerMode()
     {
-        if (SettingsServer::isTrackerApiRequest()
+        if (
+            SettingsServer::isTrackerApiRequest()
             && self::$initTrackerMode === false
         ) {
             self::$initTrackerMode = true;
@@ -291,7 +304,8 @@ class Tracker
         }
 
         // Tests using window_look_back_for_visitor
-        if (Common::getRequestVar('forceLargeWindowLookBackForVisitor', false, null, $args) == 1
+        if (
+            Common::getRequestVar('forceLargeWindowLookBackForVisitor', false, null, $args) == 1
             // also look for this in bulk requests (see fake_logs_replay.log)
             || strpos(json_encode($args, true), '"forceLargeWindowLookBackForVisitor":"1"') !== false
         ) {
@@ -330,7 +344,8 @@ class Tracker
 
     private function handleFatalErrors()
     {
-        register_shutdown_function(function () { // TODO: add a log here
+        register_shutdown_function(function () {
+            // TODO: add a log here
             $lastError = error_get_last();
             if (!empty($lastError) && $lastError['type'] == E_ERROR) {
                 Common::sendResponseCode(500);
@@ -355,4 +370,12 @@ class Tracker
 
         return false;
     }
+
+    public function isPreFlightCorsRequest(): bool
+    {
+        if (isset($_SERVER['REQUEST_METHOD']) && strtoupper($_SERVER['REQUEST_METHOD']) === 'OPTIONS') {
+            return !empty($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']) || !empty($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']);
+        }
+        return false;
+    }
 }
diff --git a/core/Tracker/Action.php b/core/Tracker/Action.php
index bd0cc078ca..13baf6c0dd 100644
--- a/core/Tracker/Action.php
+++ b/core/Tracker/Action.php
@@ -381,6 +381,8 @@ abstract class Action
      */
     public function record(Visitor $visitor, $idReferrerActionUrl, $idReferrerActionName)
     {
+
+
         $this->loadIdsFromLogActionTable();
 
         $visitAction = array(
diff --git a/core/Tracker/Request.php b/core/Tracker/Request.php
index 58911a25a5..2b1496f451 100644
--- a/core/Tracker/Request.php
+++ b/core/Tracker/Request.php
@@ -44,6 +44,8 @@ class Request
 
     protected $tokenAuth;
 
+
+
     /**
      * Stores plugin specific tracking request metadata. RequestProcessors can store
      * whatever they want in this array, and other RequestProcessors can modify these
@@ -72,6 +74,7 @@ class Request
         $this->timestamp = time();
         $this->isEmptyRequest = empty($params);
 
+
         // When the 'url' and referrer url parameter are not given, we might be in the 'Simple Image Tracker' mode.
         // The URL can default to the Referrer, which will be in this case
         // the URL of the page containing the Simple Image beacon
@@ -921,4 +924,5 @@ class Request
         }
         return false;
     }
+
 }
diff --git a/core/Tracker/RequestSet.php b/core/Tracker/RequestSet.php
index d243f45504..7249ea2262 100644
--- a/core/Tracker/RequestSet.php
+++ b/core/Tracker/RequestSet.php
@@ -36,7 +36,7 @@ class RequestSet
         if (empty($requests)|| !is_array($requests)) {
             return;
         }
-        
+
         foreach ($requests as $request) {
             if (empty($request) && !is_array($request)) {
                 continue;
@@ -45,7 +45,6 @@ class RequestSet
             if (!$request instanceof Request) {
                 $request = new Request($request, $this->getTokenAuth());
             }
-
             $this->requests[] = $request;
         }
     }