Allow credentials to be enabled in CORS

module/Core/src/Config/Options/CorsOptions.php

@@ -8,6 +8,7 @@ use Shlinkio\Shlink\Core\Config\EnvVars;
 
 use function Shlinkio\Shlink\Core\ArrayUtils\contains;
 use function Shlinkio\Shlink\Core\splitByComma;
+use function strtolower;
 
 final readonly class CorsOptions
 {
@@ -21,9 +22,10 @@ final readonly class CorsOptions
         public bool $allowCredentials = false,
         public int $maxAge = 3600,
     ) {
-        $this->allowOrigins = $allowOrigins !== '*' && $allowOrigins !== self::ORIGIN_PATTERN
-            ? splitByComma($allowOrigins)
-            : $allowOrigins;
+        $lowerCaseAllowOrigins = strtolower($allowOrigins);
+        $this->allowOrigins = contains($lowerCaseAllowOrigins, ['*', self::ORIGIN_PATTERN])
+            ? $lowerCaseAllowOrigins
+            : splitByComma($lowerCaseAllowOrigins);
     }
 
     public static function fromEnv(): self

module/Rest/src/Middleware/CrossDomainMiddleware.php

@@ -44,6 +44,10 @@ readonly class CrossDomainMiddleware implements MiddlewareInterface, RequestMeth
             'Access-Control-Max-Age' => $this->options->maxAge,
         ];
 
+        if ($this->options->allowCredentials) {
+            $corsHeaders['Access-Control-Allow-Credentials'] = 'true';
+        }
+
         // Options requests should always be empty and have a 204 status code
         return EmptyResponse::withHeaders([...$response->getHeaders(), ...$corsHeaders]);
     }