Fixes CORS headers. Closes #3413

2019-01-26 10:37:24 +00:00
parent 73eea810b0
commit 654e72ceb5
5 changed files with 49 additions and 13 deletions
--- a/app/Foundation/Providers/RouteServiceProvider.php
+++ b/app/Foundation/Providers/RouteServiceProvider.php
@@ -11,7 +11,6 @@

 namespace CachetHQ\Cachet\Foundation\Providers;

-use Barryvdh\Cors\HandleCors;
 use CachetHQ\Cachet\Http\Middleware\Acceptable;
 use CachetHQ\Cachet\Http\Middleware\Authenticate;
 use CachetHQ\Cachet\Http\Middleware\Timezone;
@@ -22,12 +21,12 @@ use CachetHQ\Cachet\Http\Routes\SetupRoutes;
 use CachetHQ\Cachet\Http\Routes\SignupRoutes;
 use Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse;
 use Illuminate\Cookie\Middleware\EncryptCookies;
-use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken;
 use Illuminate\Foundation\Support\Providers\RouteServiceProvider as ServiceProvider;
 use Illuminate\Routing\Middleware\SubstituteBindings;
 use Illuminate\Routing\Router;
 use Illuminate\Session\Middleware\StartSession;
 use Illuminate\View\Middleware\ShareErrorsFromSession;
+use CachetHQ\Cachet\Http\Middleware\VerifyCsrfToken;

 /**
 * This is the route service provider.
@@ -171,7 +170,6 @@ class RouteServiceProvider extends ServiceProvider
    protected function mapOtherwise(Router $router, $routes, $applyAlwaysAuthenticate)
    {
        $middleware = [
-            HandleCors::class,
            SubstituteBindings::class,
            Acceptable::class,
            Timezone::class,
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@@ -24,6 +24,7 @@ use CachetHQ\Cachet\Http\Middleware\TrustProxies;
 use Illuminate\Auth\Middleware\Authorize;
 use Illuminate\Foundation\Http\Kernel as HttpKernel;
 use Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode;
+use Barryvdh\Cors\HandleCors;

 class Kernel extends HttpKernel
 {
@@ -33,8 +34,8 @@ class Kernel extends HttpKernel
     * @var array
     */
    protected $middleware = [
-        TrustProxies::class,
-        CheckForMaintenanceMode::class,
+        // TrustProxies::class,
+        // CheckForMaintenanceMode::class,
    ];

    /**
@@ -45,6 +46,7 @@ class Kernel extends HttpKernel
    protected $routeMiddleware = [
        'admin'       => Admin::class,
        'can'         => Authorize::class,
+        'cors'        => HandleCors::class,
        'auth'        => Authenticate::class,
        'auth.api'    => ApiAuthentication::class,
        'guest'       => RedirectIfAuthenticated::class,
--- a/app/Http/Middleware/VerifyCsrfToken.php
+++ b/app/Http/Middleware/VerifyCsrfToken.php
@@ -0,0 +1,33 @@
+<?php
+
+/*
+ * This file is part of Cachet.
+ *
+ * (c) Alt Three Services Limited
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace CachetHQ\Cachet\Http\Middleware;
+
+use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;
+
+class VerifyCsrfToken extends Middleware
+{
+    /**
+     * Indicates whether the XSRF-TOKEN cookie should be set on the response.
+     *
+     * @var bool
+     */
+    protected $addHttpCookie = true;
+
+    /**
+     * The URIs that should be excluded from CSRF verification.
+     *
+     * @var array
+     */
+    protected $except = [
+        '/api/*'
+    ];
+}
--- a/app/Http/Routes/ApiRoutes.php
+++ b/app/Http/Routes/ApiRoutes.php
@@ -40,7 +40,7 @@ class ApiRoutes
            'namespace'  => 'Api',
            'prefix'     => 'api/v1',
        ], function (Registrar $router) {
-            $router->group(['middleware' => ['auth.api']], function (Registrar $router) {
+            $router->group(['middleware' => ['auth.api', 'cors']], function (Registrar $router) {
                $router->get('components', 'ComponentController@index');
                $router->get('components/groups', 'ComponentGroupController@index');
                $router->get('components/groups/{component_group}', 'ComponentGroupController@show');
--- a/config/cors.php
+++ b/config/cors.php
@@ -10,6 +10,7 @@
 */

 return [
+    
    /*
     |--------------------------------------------------------------------------
     | Laravel CORS
@@ -19,11 +20,13 @@ return [
     | to accept any value.
     |
     */
-    'supportsCredentials' => false,
-    'allowedOrigins'      => ['*'],
-    'allowedHeaders'      => ['X-Cachet-Token'],
-    'allowedMethods'      => ['*'],
-    'exposedHeaders'      => [],
-    'maxAge'              => 3600,
-    'hosts'               => [],
+    
+    'supportsCredentials'    => false,
+    'allowedOrigins'         => ['*'],
+    'allowedOriginsPatterns' => [],
+    'allowedHeaders'         => ['X-Cachet-Token'],
+    'allowedMethods'         => ['*'],
+    'exposedHeaders'         => [],
+    'maxAge'                 => 3600,
+
 ];