Merge pull request #3434 from CachetHQ/hotfix/cors

Fixes CORS headers
2025-01-18 05:58:18 +01:00 · 2019-01-27 14:29:57 +00:00 · 2019-01-27 14:29:57 +00:00 · 61cddfb55f
commit 61cddfb55f
parent 33116e4f34 ffe9c99f9c
5 changed files with 49 additions and 13 deletions
--- a/app/Foundation/Providers/RouteServiceProvider.php
+++ b/app/Foundation/Providers/RouteServiceProvider.php
@ -11,10 +11,10 @@

 namespace CachetHQ\Cachet\Foundation\Providers;

-use Barryvdh\Cors\HandleCors;
 use CachetHQ\Cachet\Http\Middleware\Acceptable;
 use CachetHQ\Cachet\Http\Middleware\Authenticate;
 use CachetHQ\Cachet\Http\Middleware\Timezone;
+use CachetHQ\Cachet\Http\Middleware\VerifyCsrfToken;
 use CachetHQ\Cachet\Http\Routes\ApiSystemRoutes;
 use CachetHQ\Cachet\Http\Routes\AuthRoutes;
 use CachetHQ\Cachet\Http\Routes\Setup\ApiRoutes as ApiSetupRoutes;
@ -22,7 +22,6 @@ use CachetHQ\Cachet\Http\Routes\SetupRoutes;
 use CachetHQ\Cachet\Http\Routes\SignupRoutes;
 use Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse;
 use Illuminate\Cookie\Middleware\EncryptCookies;
-use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken;
 use Illuminate\Foundation\Support\Providers\RouteServiceProvider as ServiceProvider;
 use Illuminate\Routing\Middleware\SubstituteBindings;
 use Illuminate\Routing\Router;
@ -171,7 +170,6 @@ class RouteServiceProvider extends ServiceProvider
    protected function mapOtherwise(Router $router, $routes, $applyAlwaysAuthenticate)
    {
        $middleware = [
-            HandleCors::class,
            SubstituteBindings::class,
            Acceptable::class,
            Timezone::class,
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@ -12,6 +12,7 @@
 namespace CachetHQ\Cachet\Http;

 use AltThree\Throttle\ThrottlingMiddleware;
+use Barryvdh\Cors\HandleCors;
 use CachetHQ\Cachet\Http\Middleware\Admin;
 use CachetHQ\Cachet\Http\Middleware\ApiAuthentication;
 use CachetHQ\Cachet\Http\Middleware\Authenticate;
@ -33,8 +34,8 @@ class Kernel extends HttpKernel
     * @var array
     */
    protected $middleware = [
-        TrustProxies::class,
-        CheckForMaintenanceMode::class,
+        // TrustProxies::class,
+        // CheckForMaintenanceMode::class,
    ];

    /**
@ -45,6 +46,7 @@ class Kernel extends HttpKernel
    protected $routeMiddleware = [
        'admin'       => Admin::class,
        'can'         => Authorize::class,
+        'cors'        => HandleCors::class,
        'auth'        => Authenticate::class,
        'auth.api'    => ApiAuthentication::class,
        'guest'       => RedirectIfAuthenticated::class,
--- a/app/Http/Middleware/VerifyCsrfToken.php
+++ b/app/Http/Middleware/VerifyCsrfToken.php
@ -0,0 +1,33 @@
+<?php
+
+/*
+ * This file is part of Cachet.
+ *
+ * (c) Alt Three Services Limited
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace CachetHQ\Cachet\Http\Middleware;
+
+use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;
+
+class VerifyCsrfToken extends Middleware
+{
+    /**
+     * Indicates whether the XSRF-TOKEN cookie should be set on the response.
+     *
+     * @var bool
+     */
+    protected $addHttpCookie = true;
+
+    /**
+     * The URIs that should be excluded from CSRF verification.
+     *
+     * @var array
+     */
+    protected $except = [
+        '/api/*',
+    ];
+}
--- a/app/Http/Routes/ApiRoutes.php
+++ b/app/Http/Routes/ApiRoutes.php
@ -40,7 +40,7 @@ class ApiRoutes
            'namespace'  => 'Api',
            'prefix'     => 'api/v1',
        ], function (Registrar $router) {
-            $router->group(['middleware' => ['auth.api']], function (Registrar $router) {
+            $router->group(['middleware' => ['auth.api', 'cors']], function (Registrar $router) {
                $router->get('components', 'ComponentController@index');
                $router->get('components/groups', 'ComponentGroupController@index');
                $router->get('components/groups/{component_group}', 'ComponentGroupController@show');
--- a/config/cors.php
+++ b/config/cors.php
@ -10,6 +10,7 @@
 */

 return [
+
    /*
     |--------------------------------------------------------------------------
     | Laravel CORS
@ -19,11 +20,13 @@ return [
     | to accept any value.
     |
     */
-    'supportsCredentials' => false,
-    'allowedOrigins'      => ['*'],
-    'allowedHeaders'      => ['X-Cachet-Token'],
-    'allowedMethods'      => ['*'],
-    'exposedHeaders'      => [],
-    'maxAge'              => 3600,
-    'hosts'               => [],
+
+    'supportsCredentials'    => false,
+    'allowedOrigins'         => ['*'],
+    'allowedOriginsPatterns' => [],
+    'allowedHeaders'         => ['X-Cachet-Token'],
+    'allowedMethods'         => ['*'],
+    'exposedHeaders'         => [],
+    'maxAge'                 => 3600,
+
 ];