Skip to content

Instantly share code, notes, and snippets.

@jimmyrolando
Last active October 24, 2020 23:28
Show Gist options
  • Save jimmyrolando/c67ebe49731edb0383a6e00d9467552f to your computer and use it in GitHub Desktop.
Save jimmyrolando/c67ebe49731edb0383a6e00d9467552f to your computer and use it in GitHub Desktop.
Cors/Preflight Middleware for Laravel 5.2
<?php
namespace App\Http\Middleware;
use Closure;
use Symfony\Component\HttpFoundation\Response;
class Cors
{
/**
* Handle an incoming request.
*
* @param \Illuminate\Http\Request $request
* @param \Closure $next
* @return mixed
*/
public function handle($request, Closure $next)
{
$response = $next($request);
if( ! $this->isCorsPath($request) )
{
return $response;
}
if ( $this->isPreflightRequest($request) )
{
return $this->buildResponse();
}
return $this->addHeaders($response);
}
/**
* Create a 'Preflight' response.
*
* @return \Illuminate\Http\Response
*/
protected function buildResponse()
{
$response = new Response('', 204);
return $this->addHeaders($response, true );
}
/**
* Add the cors/preflight header information to the given response.
*
* @param \Symfony\Component\HttpFoundation\Response $response
* @param boolean $preflight
* @return \Illuminate\Http\Response
*/
protected function addHeaders(Response $response, $preflight = false)
{
$headers = [
'Access-Control-Allow-Origin' => '*',
// server side credencial support eg. cookies
//'Access-Control-Allow-Credentials' => 'true'
];
if ( $preflight )
{
$headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization';
$headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, PATCH, DELETE, OPTIONS';
}
$response->headers->add($headers);
return $response;
}
/**
* Check for a CorsPath request.
*
* @param \Illuminate\Http\Request $request
* @return boolean
*/
protected function isCorsPath($request)
{
return $request->segment(1) == 'api';
}
/**
* Check for a Preflight request.
*
* @param \Illuminate\Http\Request $request
* @return boolean
*/
protected function isPreflightRequest($request)
{
return $request->isMethod('OPTIONS') &&
$request->hasHeader('Access-Control-Request-Method') &&
$request->hasHeader('Origin');
}
}
@jimmyrolando
Copy link
Author

jimmyrolando commented May 22, 2016

It must be registered as global middleware, at kernel.php, in middleware array

//Kernel.php
protected $middleware = [
\Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode::class,
\App\Http\Middleware\Cors::class,
];

and it will apply to all path starting by 'api' eg. 'http://server/api/posts'

@rohmanhm
Copy link

Wow, this work properly. Thanks a lot Jimmy

@nshCore
Copy link

nshCore commented Oct 10, 2016

still get CORS error with this

Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://127.0.0.1:7939' is therefore not allowed access. The response had HTTP status code 405.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment