From 3dc2cc9f22d8debcd55f9c26e46c4a72c154c4ab Mon Sep 17 00:00:00 2001
From: snipe
Date: Fri, 26 Jul 2019 12:38:31 -0700
Subject: [PATCH] CORS for api (#7292)
* Added CORS support to API
* Changed order so CORS will still work if throttle hit
* Added APP_CORS_ALLOWED_ORIGINS env option
* Fixed typo
* Clarified header comments
* More clarification
* DIsable CORS allowed origins by default to replicate existing behavior
* Change variable name to be clearer
---
 .env.example | 1 +
 app/Http/Kernel.php | 1 +
 composer.json | 1 +
 composer.lock | 116 +++++++++++++++++++++++++++++++++++++++++++-
 config/cors.php | 48 ++++++++++++++++++
 5 files changed, 166 insertions(+), 1 deletion(-)
 create mode 100644 config/cors.php
diff --git a/.env.example b/.env.example
index d495111d78ab..d48dcb47883a 100644
--- a/.env.example
+++ b/.env.example
@@ -66,6 +66,7 @@ SECURE_COOKIES=false
 # --------------------------------------------
 REFERRER_POLICY=same-origin
 ENABLE_CSP=false
+CORS_ALLOWED_ORIGINS=null
 # --------------------------------------------
 # OPTIONAL: CACHE SETTINGS
diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php
index 25bbb7f81a63..da3c5092b910 100644
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@@ -44,6 +44,7 @@ class Kernel extends HttpKernel
 ],
 'api' => [
+ \Barryvdh\Cors\HandleCors::class,
 'throttle:120,1',
 'auth:api',
 ],
diff --git a/composer.json b/composer.json
index b920a2aed4c8..aad02bdb4441 100644
--- a/composer.json
+++ b/composer.json
@@ -6,6 +6,7 @@
 "type": "project",
 "require": {
 "php": ">=7.1.2",
+ "barryvdh/laravel-cors": "^0.11.3",
 "barryvdh/laravel-debugbar": "^3.2",
 "doctrine/cache": "^1.8",
 "doctrine/common": "^2.10",
diff --git a/composer.lock b/composer.lock
index 4ff057f907db..d1014faf0c5a 100644
--- a/composer.lock
+++ b/composer.lock
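Review bot: The new `CORS_ALLOWED_ORIGINS=null` line in the `.env.example` hunk has no comment saying what the value may contain, so an operator has to read `config/cors.php` to learn the accepted format. I would add a line above it such as `# Origins allowed to call the API cross-origin (format: see config/cors.php). null leaves CORS off, as before.` If the parsing passes a `*` through to the CORS library, the comment should also say that it opens the API to scripts from any site, so listing specific origins is the safer setting. The commit message still names `APP_CORS_ALLOWED_ORIGINS`, which does not match the variable added here.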
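Review bot: The position of `\Barryvdh\Cors\HandleCors::class` ahead of `'throttle:120,1'` and `'auth:api'` in the `api` group matters, but nothing in `app/Http/Kernel.php` records that. The commit message says the order was chosen so CORS still works when the throttle is hit; presumably the same holds for a rejected `auth:api` request, since a browser client can only read an error response that carries the CORS headers. A later reorder would break that silently, so I would add a comment above the entry: `// Keep first: throttled and unauthenticated responses must still carry CORS headers.` The `Kernel` class and the rest of the middleware-group array continue outside the hunk.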
@@ -4,8 +4,60 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file", "This file is @generated automatically" ], - "content-hash": "f8b40b743ea544f650ac6c4d8c7a6eda", + "content-hash": "83584cbcfed9d4b063847283c0472606", "packages": [ + { + "name": "asm89/stack-cors", + "version": "1.2.0", + "source": { + "type": "git", + "url": "https://github.com/asm89/stack-cors.git", + "reference": "c163e2b614550aedcf71165db2473d936abbced6" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/asm89/stack-cors/zipball/c163e2b614550aedcf71165db2473d936abbced6", + "reference": "c163e2b614550aedcf71165db2473d936abbced6", + "shasum": "" + }, + "require": { + "php": ">=5.5.9", + "symfony/http-foundation": "~2.7|~3.0|~4.0", + "symfony/http-kernel": "~2.7|~3.0|~4.0" + }, + "require-dev": { + "phpunit/phpunit": "^5.0 || ^4.8.10", + "squizlabs/php_codesniffer": "^2.3" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "1.2-dev" + } + }, + "autoload": { + "psr-4": { + "Asm89\\Stack\\": "src/Asm89/Stack/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Alexander", + "email": "iam.asm89@gmail.com" + } + ], + "description": "Cross-origin resource sharing library and stack middleware", + "homepage": "https://github.com/asm89/stack-cors", + "keywords": [ + "cors", + "stack" + ], + "time": "2017-12-20T14:37:45+00:00" + }, { "name": "bacon/bacon-qr-code", "version": "2.0.0", 
@@ -55,6 +107,68 @@ "homepage": "https://github.com/Bacon/BaconQrCode", "time": "2018-04-25T17:53:56+00:00" }, + { + "name": "barryvdh/laravel-cors", + "version": "v0.11.3", + "source": { + "type": "git", + "url": "https://github.com/barryvdh/laravel-cors.git", + "reference": "c95ac944f2f20a17949aae6645692dfd3b402bca" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/barryvdh/laravel-cors/zipball/c95ac944f2f20a17949aae6645692dfd3b402bca", + "reference": "c95ac944f2f20a17949aae6645692dfd3b402bca", + "shasum": "" + }, + "require": { + "asm89/stack-cors": "^1.2", + "illuminate/support": "5.5.x|5.6.x|5.7.x|5.8.x", + "php": ">=7", + "symfony/http-foundation": "^3.1|^4", + "symfony/http-kernel": "^3.1|^4" + }, + "require-dev": { + "laravel/framework": "^5.5", + "orchestra/testbench": "3.3.x|3.4.x|3.5.x|3.6.x|3.7.x", + "phpunit/phpunit": "^4.8|^5.2|^7.0", + "squizlabs/php_codesniffer": "^2.3" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "0.11-dev" + }, + "laravel": { + "providers": [ + "Barryvdh\\Cors\\ServiceProvider" + ] + } + }, + "autoload": { + "psr-4": { + "Barryvdh\\Cors\\": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Barry vd. Heuvel", + "email": "barryvdh@gmail.com" + } + ], + "description": "Adds CORS (Cross-Origin Resource Sharing) headers support in your Laravel application", + "keywords": [ + "api", + "cors", + "crossdomain", + "laravel" + ], + "time": "2019-02-26T18:08:30+00:00" + }, { "name": "barryvdh/laravel-debugbar", "version": "v3.2.3",
diff --git a/config/cors.php b/config/cors.php
new file mode 100644
index 000000000000..0aa4b8cef486
--- /dev/null
+++ b/config/cors.php
@@ -0,0 +1,48 @@
+ false,
+ 'allowedOrigins' => $allowed_origins,
+ 'allowedOriginsPatterns' => [],
+ 'allowedHeaders' => ['*'],
+ 'allowedMethods' => ['GET', 'POST', 'PUT', 'PATCH', 'DELETE'],
+ 'exposedHeaders' => [],
+ 'maxAge' => 0,
+
+];
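Review bot: `'allowedHeaders' => ['*']` in `config/cors.php` lets a preflight from any allowed origin approve every request header, which is wider than an API behind `auth:api` presumably needs. Listing the headers clients actually send keeps the policy explicit and reviewable, for example `'allowedHeaders' => ['Authorization', 'Content-Type', 'Accept', 'X-Requested-With'],` (the list is a suggestion; confirm it against the API clients). The opening lines of the new file, including how `$allowed_origins` is built from the environment value, are not visible on this page, so I could not check how that value is parsed. If it is split from a string, entries should be trimmed and empty ones dropped before they reach `allowedOrigins`.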