From bc376748c8967a5745533d940a4754e8a91b393e Mon Sep 17 00:00:00 2001
From: James Brooks
Date: Mon, 18 May 2015 22:07:28 +0100
Subject: [PATCH] Fixes #628 - Handle Cors properly.

---
 app/Http/Kernel.php | 1 -
 app/Http/Middleware/AllowedDomains.php | 49 -----------
 app/Http/Routes/ApiRoutes.php | 1 -
 app/Providers/LoadConfigServiceProvider.php | 16 ++++
 composer.json | 3 +-
 composer.lock | 98 ++++++++++++++++++++-
 config/app.php | 1 +
 config/cors.php | 37 ++++++++
 8 files changed, 152 insertions(+), 54 deletions(-)
 delete mode 100644 app/Http/Middleware/AllowedDomains.php
 create mode 100644 config/cors.php

diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php
index c8f1fe46..97c40798 100644
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@@ -46,7 +46,6 @@ class Kernel extends HttpKernel
 'login.throttling' => 'CachetHQ\Cachet\Http\Middleware\LoginThrottling',
 'app.isSetup' => 'CachetHQ\Cachet\Http\Middleware\AppIsSetup',
 'app.hasSetting' => 'CachetHQ\Cachet\Http\Middleware\HasSetting',
- 'allowedDomains' => 'CachetHQ\Cachet\Http\Middleware\AllowedDomains',
 'cors' => 'CachetHQ\Cachet\Http\Middleware\Cors',
 ];
 }
diff --git a/app/Http/Middleware/AllowedDomains.php b/app/Http/Middleware/AllowedDomains.php
deleted file mode 100644
index 5f0433be..00000000
--- a/app/Http/Middleware/AllowedDomains.php
+++ /dev/null
@@ -1,49 +0,0 @@ - - * (c) Joseph Cohen - * (c) Graham Campbell - * - * For the full copyright and license information, please view the LICENSE - * file that was distributed with this source code. - */ - -namespace CachetHQ\Cachet\Http\Middleware; - -use CachetHQ\Cachet\Facades\Setting; -use Closure; - -class AllowedDomains -{ - /** - * Run the allowed domains middleware. - * - * @param \Illuminate\Http\Request $request - * @param \Closure $next - * - * @return mixed - */ - public function handle($request, Closure $next) - { - $response = $next($request); - - // Always allow our own domain. - $ourDomain = Setting::get('app_domain'); - $response->headers->set('Access-Control-Allow-Origin', $ourDomain); - - // Should we allow anyone else? - if ($allowedDomains = Setting::get('allowed_domains')) { - $domains = explode(',', $allowedDomains); - foreach ($domains as $domain) { - $response->headers->set('Access-Control-Allow-Origin', $domain); - } - } else { - $response->headers->set('Access-Control-Allow-Origin', getenv('APP_URL')); - } - - return $response; - } -} diff --git a/app/Http/Routes/ApiRoutes.php b/app/Http/Routes/ApiRoutes.php index 6c5054cb..5bdc3e79 100644 --- a/app/Http/Routes/ApiRoutes.php +++ b/app/Http/Routes/ApiRoutes.php @@ -25,7 +25,6 @@ class ApiRoutes public function map(Registrar $router) { $router->group([ - 'middleware' => 'allowedDomains', 'namespace' => 'Api', 'prefix' => 'api/v1', ], function ($router) { diff --git a/app/Providers/LoadConfigServiceProvider.php b/app/Providers/LoadConfigServiceProvider.php index 10e18ea5..0bf64678 100644 --- a/app/Providers/LoadConfigServiceProvider.php +++ b/app/Providers/LoadConfigServiceProvider.php 
@@ -36,6 +36,22 @@ class LoadConfigServiceProvider extends ServiceProvider
 $segmentRepository = $this->app->make('CachetHQ\Cachet\Segment\RepositoryInterface');
 $this->app->config->set('segment.write_key', $segmentRepository->fetch());
 }
+
+ // Setup Cors.
+ $allowedOrigins = $this->app->config->get('cors.defaults.allowedOrigins');
+ $allowedOrigins[] = Setting::get('app_domain');
+
+ // Add our allowed domains too.
+ if ($allowedDomains = Setting::get('allowed_domains')) {
+ $domains = explode(',', $allowedDomains);
+ foreach ($domains as $domain) {
+ $allowedOrigins[] = $domain;
+ }
+ } else {
+ $allowedOrigins[] = getenv('APP_URL');
+ }
+
+ $this->app->config->set('cors.paths.api/v1/*.allowedOrigins', $allowedOrigins);
 } catch (Exception $e) {
 // Don't throw any errors, we may not be setup yet.
 }
diff --git a/composer.json b/composer.json
index c4815cbe..8554ee74 100644
--- a/composer.json
+++ b/composer.json
@@ -25,7 +25,8 @@
 "mccool/laravel-auto-presenter": "^3.0",
 "pragmarx/google2fa": "^0.1",
 "roumen/feed": "^2.9",
- "watson/validating": "^1.0"
+ "watson/validating": "^1.0",
+ "barryvdh/laravel-cors": "0.5.x@dev"
 },
 "require-dev": {
 "phpunit/phpunit": "^4.4",
diff --git a/composer.lock b/composer.lock
index 5d59ee30..5be974e3 100644
--- a/composer.lock
+++ b/composer.lock
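Review bot: The `explode(',', $allowedDomains)` in the added block pushes raw, untrimmed entries into `$allowedOrigins`, so a setting such as `a.example, b.example` yields ` b.example`, which will never equal a browser's `Origin` header under the exact-match comparison the CORS library performs; empty segments and a null `app_domain` are appended just the same. Normalise before pushing, `$domains = array_filter(array_map('trim', explode(',', $allowedDomains)));`, and before the `config->set` collapse the list with `$allowedOrigins = array_values(array_unique(array_filter($allowedOrigins)));`. Because `config/cors.php` sets `supportsCredentials => true`, an admin entering `*` in `allowed_domains` would, as far as I recall stack-cors's handling, make it echo any request Origin with credentials allowed, so either strip it with `$domains = array_diff($domains, ['*']);` or document that entries must be full origins (`https://host`), which `app_domain` may or may not already be. The hunk adds no `use` for the `Setting` facade; confirm it is already imported in this file, since an unresolved class is a fatal error that the `catch (Exception $e)` below does not cover. The enclosing method begins before this hunk.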
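Review bot: The new `"barryvdh/laravel-cors": "0.5.x@dev"` constraint tracks a moving development branch rather than a tagged release, and the lock only pins it to commit `7de71aa` until the next `composer update`, after which whatever is on that branch, code that decides every `Access-Control-*` header the API emits, is pulled in unreviewed. If no tagged 0.5 release exists yet, pin the reference explicitly, e.g. `"barryvdh/laravel-cors": "dev-master#7de71aa777f38393365f98eccb44d8ae6c85a95a"`, and revisit once a stable tag is available so the `stability-flags` entry added to the lock can be dropped.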
@@ -4,8 +4,100 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file", "This file is @generated automatically" ], - "hash": "3f3ab385fbc40d0d67da0de8ee0f87ee", + "hash": "df9a3c00e4cbd84bfd177128b2d5d5cb", "packages": [ + { + "name": "asm89/stack-cors", + "version": "0.2.1", + "source": { + "type": "git", + "url": "https://github.com/asm89/stack-cors.git", + "reference": "2d77e77251a434e4527315313a672f5801b29fa2" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/asm89/stack-cors/zipball/2d77e77251a434e4527315313a672f5801b29fa2", + "reference": "2d77e77251a434e4527315313a672f5801b29fa2", + "shasum": "" + }, + "require": { + "php": ">=5.3.2", + "symfony/http-foundation": "~2.1", + "symfony/http-kernel": "~2.1" + }, + "type": "library", + "autoload": { + "psr-0": { + "Asm89\\Stack": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Alexander", + "email": "iam.asm89@gmail.com" + } + ], + "description": "Cross-origin resource sharing library and stack middleware", + "homepage": "https://github.com/asm89/stack-cors", + "keywords": [ + "cors", + "stack" + ], + "time": "2014-07-28 07:22:35" + }, + { + "name": "barryvdh/laravel-cors", + "version": "dev-master", + "source": { + "type": "git", + "url": "https://github.com/barryvdh/laravel-cors.git", + "reference": "7de71aa777f38393365f98eccb44d8ae6c85a95a" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/barryvdh/laravel-cors/zipball/7de71aa777f38393365f98eccb44d8ae6c85a95a", + "reference": "7de71aa777f38393365f98eccb44d8ae6c85a95a", + "shasum": "" + }, + "require": { + "asm89/stack-cors": "0.2.x", + "illuminate/support": "~5.0.17", + "php": ">=5.4.0" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "0.5-dev" + } + }, + "autoload": { + "psr-4": { + "Barryvdh\\Cors\\": "src/" + } + }, + "notification-url": 
"https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Barry vd. Heuvel", + "email": "barryvdh@gmail.com" + } + ], + "description": "Adds CORS (Cross-Origin Resource Sharing) headers support in your Laravel application", + "keywords": [ + "api", + "cors", + "crossdomain", + "laravel" + ], + "time": "2015-04-03 18:27:34" + }, { "name": "cachethq/segment", "version": "2.0.0", @@ -4316,7 +4408,9 @@ ], "aliases": [], "minimum-stability": "stable", - "stability-flags": [], + "stability-flags": { + "barryvdh/laravel-cors": 20 + }, "prefer-stable": false, "prefer-lowest": false, "platform": { diff --git a/config/app.php b/config/app.php index d11c0612..39e52bec 100644 --- a/config/app.php +++ b/config/app.php @@ -161,6 +161,7 @@ return [ 'McCool\LaravelAutoPresenter\LaravelAutoPresenterServiceProvider', 'PragmaRX\Google2FA\Vendor\Laravel\ServiceProvider', 'Roumen\Feed\FeedServiceProvider', + 'Barryvdh\Cors\CorsServiceProvider', /* * Application Service Providers... diff --git a/config/cors.php b/config/cors.php new file mode 100644 index 00000000..66822263 --- /dev/null +++ b/config/cors.php @@ -0,0 +1,37 @@ + [ + 'supportsCredentials' => true, + 'allowedOrigins' => [], + 'allowedHeaders' => [], + 'allowedMethods' => [], + 'exposedHeaders' => [], + 'maxAge' => 0, + 'hosts' => [], + ], + + 'paths' => [ + 'api/v1/*' => [ + 'allowedOrigins' => [], + 'allowedHeaders' => ['X-Cachet-Token'], + 'allowedMethods' => ['*'], + 'maxAge' => 3600, + ], + ], + +];