mahmoud-birdsol/cors-laravel

Laravel Cross origin resource sharing package

Cross-origin resource sharing for laravel applications

This package give's a middleware to allow for resource sharing across different origins useful for api development with laravel. This package is still in development more options will be added, _(*1)

Usage

Require the package through composer, _(*2)

composer require mahmoud-birdsol/cors-laravel:dev-master

Add the service provider to the app service providers in config/app.php, _(*3)

/*
* Other Service Providers...
*/
MahmoudBirdsol\CORSLaravel\CORSServiceProvider::class,

Publish the config file (cors.php), _(*4)

php artisan vendor:publish --provider="MahmoudBirdsol\CORSLaravel\CORSServiceProvider"

Add the middleware to the api route group, _(*5)

'api' => [
    'throttle:60,1',
    MahmoudBirdsol\CORSLaravel\CORSMiddleware::class,
],

Modify the config/cors.php file sensible defaults exist for all options except for the allowed origins., _(*6)

<?php
/*
|--------------------------------------------------------------------------
| CORS, Cross Origin Resource Sharing Config File
|--------------------------------------------------------------------------
|
*/
return [

    /*
    |--------------------------------------------------------------------------
    | Local environment
    |--------------------------------------------------------------------------
    |
    | This options will simple allow for requests without HTTP_ORIGIN to go
    | through if set to true an will abort with an unauthorized response
    | if false. Also note if the APP_ENV is not set to local in .env
    | file this option will be overridden by the .env file option.
    |
    */

    'local' => true,

    /*
    |--------------------------------------------------------------------------
    | Internal Requests
    |--------------------------------------------------------------------------
    |
    | Internal will simply allow for internal api requests the default is true
    | but change to false if you'r app is just an api layer. If set true it
    | will allow for dingo API internal requests other wise se to false.
    |
    */

    'internal' => true,

    /*
    |--------------------------------------------------------------------------
    | Allowed Origins
    |--------------------------------------------------------------------------
    |
    | These are the allowed origins to make requests to this application
    | you can add as many origins as your application requires to this
    | array each request will be validated through the middleware.
    |
    | To make all origins allowed just remove the array syntax
    | and add *
    |
    */

    'origins' => [

    ],

    /*
    |--------------------------------------------------------------------------
    | Access control allow credentials
    |--------------------------------------------------------------------------
    |
    | The credentials variable can be either true or false.
    |
    */
    'credentials' => true,

    /*
    |--------------------------------------------------------------------------
    | Allowed methods for a CORS request
    |--------------------------------------------------------------------------
    */
    'methods' => [
        'GET',
        'POST',
        'PATCH',
        'PUT',
        'DELETE',
        'OPTIONS'
    ],

    /*
    |--------------------------------------------------------------------------
    | Allowed headers for a CORS request
    |--------------------------------------------------------------------------
    */
    'headers' => [
        'Origin',
        'Content-Type',
        'X-Auth-Token',
        'X-Requested-With',
        'Authorization',
        'Accept',
    ]

];

And that's it, _(*7)

Extended usage

In most cases you would want to exclude the api route's from the VerifyCsrfToken middleware so in add the api prefix to the except array in the middleware, _(*8)

protected $except = [
    'api/*'
];

As an alternative you can have a different routes file for your api routes first create the routes file routes.api.php next go to RouteServiceProvider.php and add the this function, _(*9)

/**
 * Define the "api" routes for the application.
 *
 * These routes receive the api route group middlewares.
 *
 * @param  \Illuminate\Routing\Router  $router
 * @return void
 */
protected function mapApiRoutes(Router $router)
{
    $router->group([
        'namespace' => $this->namespace, 'middleware' => 'api',
    ], function ($router) {
        require app_path('Http/routes.api.php');
    });
}

And don't forget to call this function in the RouteServiceProvider.php map function, _(*10)

/**
 * Define the routes for the application.
 *
 * @param  \Illuminate\Routing\Router  $router
 * @return void
 */
public function map(Router $router)
{
    $this->mapWebRoutes($router);
    $this->mapApiRoutes($router);
}

For usage with [dingo api] (https://github.com/dingo/api)

In the config/api.php add the middle ware to default list of API middleware, _(*11)

/*
|--------------------------------------------------------------------------
| API Middleware
|--------------------------------------------------------------------------
|
| Middleware that will be applied globally to all API requests.
|
*/
'middleware' => [
    MahmoudBirdsol\CORSLaravel\CORSMiddleware::class,
],

License

Released under the MIT License, see LICENSE., _(*12)