Fixes #628 - Handle Cors properly.

app/Http/Kernel.php

@@ -46,7 +46,6 @@ class Kernel extends HttpKernel
         'login.throttling'   => 'CachetHQ\Cachet\Http\Middleware\LoginThrottling',
         'app.isSetup'        => 'CachetHQ\Cachet\Http\Middleware\AppIsSetup',
         'app.hasSetting'     => 'CachetHQ\Cachet\Http\Middleware\HasSetting',
-        'allowedDomains'     => 'CachetHQ\Cachet\Http\Middleware\AllowedDomains',
         'cors'               => 'CachetHQ\Cachet\Http\Middleware\Cors',
     ];
 }

app/Http/Middleware/AllowedDomains.php

@@ -1,49 +0,0 @@
-<?php
-
-/*
- * This file is part of Cachet.
- *
- * (c) James Brooks <james@cachethq.io>
- * (c) Joseph Cohen <joseph.cohen@dinkbit.com>
- * (c) Graham Campbell <graham@mineuk.com>
- *
- * For the full copyright and license information, please view the LICENSE
- * file that was distributed with this source code.
- */
-
-namespace CachetHQ\Cachet\Http\Middleware;
-
-use CachetHQ\Cachet\Facades\Setting;
-use Closure;
-
-class AllowedDomains
-{
-    /**
-     * Run the allowed domains middleware.
-     *
-     * @param \Illuminate\Http\Request $request
-     * @param \Closure                 $next
-     *
-     * @return mixed
-     */
-    public function handle($request, Closure $next)
-    {
-        $response = $next($request);
-
-        // Always allow our own domain.
-        $ourDomain = Setting::get('app_domain');
-        $response->headers->set('Access-Control-Allow-Origin', $ourDomain);
-
-        // Should we allow anyone else?
-        if ($allowedDomains = Setting::get('allowed_domains')) {
-            $domains = explode(',', $allowedDomains);
-            foreach ($domains as $domain) {
-                $response->headers->set('Access-Control-Allow-Origin', $domain);
-            }
-        } else {
-            $response->headers->set('Access-Control-Allow-Origin', getenv('APP_URL'));
-        }
-
-        return $response;
-    }
-}

app/Http/Routes/ApiRoutes.php

@@ -25,7 +25,6 @@ class ApiRoutes
     public function map(Registrar $router)
     {
         $router->group([
-            'middleware' => 'allowedDomains',
             'namespace'  => 'Api',
             'prefix'     => 'api/v1',
         ], function ($router) {

app/Providers/LoadConfigServiceProvider.php

@@ -36,6 +36,22 @@ class LoadConfigServiceProvider extends ServiceProvider
                 $segmentRepository = $this->app->make('CachetHQ\Cachet\Segment\RepositoryInterface');
                 $this->app->config->set('segment.write_key', $segmentRepository->fetch());
             }
+
+            // Setup Cors.
+            $allowedOrigins = $this->app->config->get('cors.defaults.allowedOrigins');
+            $allowedOrigins[] = Setting::get('app_domain');
+
+            // Add our allowed domains too.
+            if ($allowedDomains = Setting::get('allowed_domains')) {
+                $domains = explode(',', $allowedDomains);
+                foreach ($domains as $domain) {
+                    $allowedOrigins[] = $domain;
+                }
+            } else {
+                $allowedOrigins[] = getenv('APP_URL');
+            }
+
+            $this->app->config->set('cors.paths.api/v1/*.allowedOrigins', $allowedOrigins);
         } catch (Exception $e) {
             // Don't throw any errors, we may not be setup yet.
         }

composer.json

@@ -25,7 +25,8 @@
         "mccool/laravel-auto-presenter": "^3.0",
         "pragmarx/google2fa": "^0.1",
         "roumen/feed": "^2.9",
-        "watson/validating": "^1.0"
+        "watson/validating": "^1.0",
+        "barryvdh/laravel-cors": "0.5.x@dev"
     },
     "require-dev": {
         "phpunit/phpunit": "^4.4",

composer.lock

@@ -4,8 +4,100 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file",
         "This file is @generated automatically"
     ],
-    "hash": "3f3ab385fbc40d0d67da0de8ee0f87ee",
+    "hash": "df9a3c00e4cbd84bfd177128b2d5d5cb",
     "packages": [
+        {
+            "name": "asm89/stack-cors",
+            "version": "0.2.1",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/asm89/stack-cors.git",
+                "reference": "2d77e77251a434e4527315313a672f5801b29fa2"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/asm89/stack-cors/zipball/2d77e77251a434e4527315313a672f5801b29fa2",
+                "reference": "2d77e77251a434e4527315313a672f5801b29fa2",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=5.3.2",
+                "symfony/http-foundation": "~2.1",
+                "symfony/http-kernel": "~2.1"
+            },
+            "type": "library",
+            "autoload": {
+                "psr-0": {
+                    "Asm89\\Stack": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Alexander",
+                    "email": "iam.asm89@gmail.com"
+                }
+            ],
+            "description": "Cross-origin resource sharing library and stack middleware",
+            "homepage": "https://github.com/asm89/stack-cors",
+            "keywords": [
+                "cors",
+                "stack"
+            ],
+            "time": "2014-07-28 07:22:35"
+        },
+        {
+            "name": "barryvdh/laravel-cors",
+            "version": "dev-master",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/barryvdh/laravel-cors.git",
+                "reference": "7de71aa777f38393365f98eccb44d8ae6c85a95a"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/barryvdh/laravel-cors/zipball/7de71aa777f38393365f98eccb44d8ae6c85a95a",
+                "reference": "7de71aa777f38393365f98eccb44d8ae6c85a95a",
+                "shasum": ""
+            },
+            "require": {
+                "asm89/stack-cors": "0.2.x",
+                "illuminate/support": "~5.0.17",
+                "php": ">=5.4.0"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "0.5-dev"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "Barryvdh\\Cors\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Barry vd. Heuvel",
+                    "email": "barryvdh@gmail.com"
+                }
+            ],
+            "description": "Adds CORS (Cross-Origin Resource Sharing) headers support in your Laravel application",
+            "keywords": [
+                "api",
+                "cors",
+                "crossdomain",
+                "laravel"
+            ],
+            "time": "2015-04-03 18:27:34"
+        },
         {
             "name": "cachethq/segment",
             "version": "2.0.0",
@@ -4316,7 +4408,9 @@
     ],
     "aliases": [],
     "minimum-stability": "stable",
-    "stability-flags": [],
+    "stability-flags": {
+        "barryvdh/laravel-cors": 20
+    },
     "prefer-stable": false,
     "prefer-lowest": false,
     "platform": {

config/app.php

@@ -161,6 +161,7 @@ return [
         'McCool\LaravelAutoPresenter\LaravelAutoPresenterServiceProvider',
         'PragmaRX\Google2FA\Vendor\Laravel\ServiceProvider',
         'Roumen\Feed\FeedServiceProvider',
+        'Barryvdh\Cors\CorsServiceProvider',
 
         /*
          * Application Service Providers...

config/cors.php

@@ -0,0 +1,37 @@
+<?php
+
+return [
+
+    /*
+     |--------------------------------------------------------------------------
+     | Laravel CORS Defaults
+     |--------------------------------------------------------------------------
+     |
+     | The defaults are the default values applied to all the paths that match,
+     | unless overridden in a specific URL configuration.
+     | If you want them to apply to everything, you must define a path with *.
+     |
+     | allowedOrigins, allowedHeaders and allowedMethods can be set to ['*']
+     | to accept any value, the allowed methods however have to be explicitly listed.
+     |
+     */
+    'defaults' => [
+        'supportsCredentials' => true,
+        'allowedOrigins'      => [],
+        'allowedHeaders'      => [],
+        'allowedMethods'      => [],
+        'exposedHeaders'      => [],
+        'maxAge'              => 0,
+        'hosts'               => [],
+    ],
+
+    'paths' => [
+        'api/v1/*' => [
+            'allowedOrigins' => [],
+            'allowedHeaders' => ['X-Cachet-Token'],
+            'allowedMethods' => ['*'],
+            'maxAge'         => 3600,
+        ],
+    ],
+
+];