0

I have used Laravel Passport for authenticated endpoints. I am facing CORS issue for those APIs.

In app/Http/Middleware/Cors.php

<?php

namespace App\Http\Middleware;

use Closure;

class Cors
{
    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        return $next($request)
            ->header('Access-Control-Allow-Origin', "*")
                ->header('Access-Control-Allow-Methods', "PUT,POST,DELETE,GET,OPTIONS")
                ->header('Access-Control-Allow-Headers', "Accept,Authorization,Content-Type");
    }
}

In app/Http/Kernel.php, added in the middleware array

\App\Http\Middleware\Cors::class,

In the routes/api.php,

Route::post('auth/login', 'PassportController@login'); //working 
Route::middleware('auth:api')->group(function () {
Route::get('vehicle/all', 'VehicleController@getVehicles'); //not working: facing CORS error
});

I have used the auth:api (Laravel passport) for authorization. I am facing CORS error for the endpoints in the auth:api group. Endpoints which are outside the group like 'auth/login' are working fine. How to handle cors error inside Route::middleware('auth:api') group?

Improve this question
1
  • 'Access-Control-Allow-Origin', "*" is not accepted by browsers anymore, you need to specify the domain Commented Dec 25, 2020 at 13:33

2 Answers 2

Reset to default
0

You need to specify the domain allowed, the wildcard '*' is not accepted by browsers anymore.

If you have multiple domains calling your api, you can make it dynamic with $_SERVER['HTTP_HOST']

<?php

namespace App\Http\Middleware;

use Closure;

class Cors
{
    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        $domain = $request->getHost();
        // or $domain =  $_SERVER['HTTP_HOST'];
        return $next($request)
            ->header('Access-Control-Allow-Origin', $domain)
                ->header('Access-Control-Allow-Methods', "PUT,POST,DELETE,GET,OPTIONS")
                ->header('Access-Control-Allow-Headers', "Accept,Authorization,Content-Type");
    }
}
Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Thank you @N69S. Problem solved. I have directly put domain url in $domain and modified Access-Control-Allow-Headers... header('Access-Control-Allow-Headers', "Accept,Authorization,Content-Type,Access-Control-Allow-Headers,access-control-allow-methods");
0

I've faced the same issue and the solutions found here didn't work for me.

I've simply installed the package CORS Middleware for Laravel and followed the documentation to finally added the routes where the cors middleware should be applied to. And it worked :)

Here are the steps :

Step 1: Install the package

composer require fruitcake/laravel-cors

Step 2:

To allow CORS for all your routes, add the HandleCors middleware at the top of the $middleware property of app/Http/Kernel.php class:

protected $middleware = [
  \Fruitcake\Cors\HandleCors::class,
    // ...
];

Step 3: Publish the configuration file

The defaults are set in config/cors.php. Publish the config to copy the file to your own config:

php artisan vendor:publish --tag="cors"

Step 4: Update your config/cors.php

Now update the config to define the paths you want to run the CORS service on, (see Configuration below):

'paths' => ['api/*'],

Hope this will help you too.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.