dingo / api

A RESTful API package for the Laravel and Lumen frameworks.
BSD 3-Clause "New" or "Revised" License

CORS made impossible to access API via browser #1583

Closed gultyayev closed 6 years ago

gultyayev commented 6 years ago
| Q | A |
| --- | --- |
| Bug? | yes |
| New Feature? | no yes |
| Framework | Laravel Lumen |
| Framework version | 5.x.y |
| Package version | 1.x.y |
| PHP version | 5.x.y 7.x.y |

Actual Behaviour

After I added CORS middleware to make it work on two hosts only, it stopped responding on routes in the browser.

When I go to any route it says

{"message":"Undefined index: HTTP_ORIGIN","status_code":500}

My CORS middleware

$allowedOrigins = ['http://localhost:4200', 'http://api.example.com'];
$origin = $_SERVER['HTTP_ORIGIN'];

if (in_array($origin, $allowedOrigins)) {
    return $next($request)
        ->header('Access-Control-Allow-Origin', $origin)
        ->header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE')
        ->header('Access-Control-Allow-Headers', 'Content-Type');
}

If I access it via Angular it works fine, but I need to make requests in the browser just to keep data under my glance.

catalinux commented 6 years ago

Don't you have any error in your logs?

gultyayev commented 6 years ago

To be more precise

[2018-08-28 20:27:55] local.ERROR: Undefined index: HTTP_ORIGIN {"exception":"[object] (ErrorException(code: 0): Undefined index: HTTP_ORIGIN at /Users/sergeygultyayev/Projects/laravel-api/app/Http/Middleware/Cors.php:19)
[stacktrace]
#0 /Users/sergeygultyayev/Projects/laravel-api/app/Http/Middleware/Cors.php(19): Illuminate\\Foundation\\Bootstrap\\HandleExceptions->handleError(8, 'Undefined index...', '/Users/sergeygu...', 19, Array)
#1 /Users/sergeygultyayev/Projects/laravel-api/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(151): App\\Http\\Middleware\\Cors->handle(Object(Dingo\\Api\\Http\\Request), Object(Closure))
#2 /Users/sergeygultyayev/Projects/laravel-api/vendor/fideloper/proxy/src/TrustProxies.php(57): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}(Object(Dingo\\Api\\Http\\Request))
#3 /Users/sergeygultyayev/Projects/laravel-api/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(151): Fideloper\\Proxy\\TrustProxies->handle(Object(Dingo\\Api\\Http\\Request), Object(Closure))
#4 /Users/sergeygultyayev/Projects/laravel-api/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TransformsRequest.php(31): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}(Object(Dingo\\Api\\Http\\Request))
#5 /Users/sergeygultyayev/Projects/laravel-api/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(151): Illuminate\\Foundation\\Http\\Middleware\\TransformsRequest->handle(Object(Dingo\\Api\\Http\\Request), Object(Closure))
#6 /Users/sergeygultyayev/Projects/laravel-api/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TransformsRequest.php(31): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}(Object(Dingo\\Api\\Http\\Request))
#7 /Users/sergeygultyayev/Projects/laravel-api/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(151): Illuminate\\Foundation\\Http\\Middleware\\TransformsRequest->handle(Object(Dingo\\Api\\Http\\Request), Object(Closure))
#8 /Users/sergeygultyayev/Projects/laravel-api/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/ValidatePostSize.php(27): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}(Object(Dingo\\Api\\Http\\Request))
#9 /Users/sergeygultyayev/Projects/laravel-api/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(151): Illuminate\\Foundation\\Http\\Middleware\\ValidatePostSize->handle(Object(Dingo\\Api\\Http\\Request), Object(Closure))
#10 /Users/sergeygultyayev/Projects/laravel-api/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/CheckForMaintenanceMode.php(62): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}(Object(Dingo\\Api\\Http\\Request))
#11 /Users/sergeygultyayev/Projects/laravel-api/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(151): Illuminate\\Foundation\\Http\\Middleware\\CheckForMaintenanceMode->handle(Object(Dingo\\Api\\Http\\Request), Object(Closure))
#12 /Users/sergeygultyayev/Projects/laravel-api/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(104): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}(Object(Dingo\\Api\\Http\\Request))
#13 /Users/sergeygultyayev/Projects/laravel-api/vendor/dingo/api/src/Http/Middleware/Request.php(127): Illuminate\\Pipeline\\Pipeline->then(Object(Closure))
#14 /Users/sergeygultyayev/Projects/laravel-api/vendor/dingo/api/src/Http/Middleware/Request.php(103): Dingo\\Api\\Http\\Middleware\\Request->sendRequestThroughRouter(Object(Dingo\\Api\\Http\\Request))
#15 /Users/sergeygultyayev/Projects/laravel-api/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(151): Dingo\\Api\\Http\\Middleware\\Request->handle(Object(Dingo\\Api\\Http\\Request), Object(Closure))
#16 /Users/sergeygultyayev/Projects/laravel-api/vendor/laravel/framework/src/Illuminate/Routing/Pipeline.php(53): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}(Object(Illuminate\\Http\\Request))
#17 /Users/sergeygultyayev/Projects/laravel-api/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(104): Illuminate\\Routing\\Pipeline->Illuminate\\Routing\\{closure}(Object(Illuminate\\Http\\Request))
#18 /Users/sergeygultyayev/Projects/laravel-api/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php(151): Illuminate\\Pipeline\\Pipeline->then(Object(Closure))
#19 /Users/sergeygultyayev/Projects/laravel-api/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php(116): Illuminate\\Foundation\\Http\\Kernel->sendRequestThroughRouter(Object(Illuminate\\Http\\Request))
#20 /Users/sergeygultyayev/Projects/laravel-api/public/index.php(55): Illuminate\\Foundation\\Http\\Kernel->handle(Object(Illuminate\\Http\\Request))
#21 {main}
"} 

For me it's a bit strange, since when I'm accessing it as an API via my Angular app it works fine, but when I want to open that URL in the browser it breaks (worked before CORS). Also, as far as I know, middleware declared in the kernel's $middleware is invoked each time a request comes in.

filippotoso commented 6 years ago

Angular automatically sends the Origin header. When you use a simple browser, it's not set, so your code raises the undefined index error. Write better code (i.e. code that checks for HTTP_ORIGIN before using it) and you'll solve the issue.
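
The check suggested above, as an added example that is not part of the thread or of dingo/api: the middleware reads Origin through the request's header bag, treats a missing header as a non-CORS request, and echoes only exact allowlist matches. The helper name `corsHeadersFor()`, the `ALLOWED_ORIGINS` constant and the `Vary: Origin` header are assumptions added here; the origins and header values are the ones from the issue.

```php
<?php
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

// Hypothetical helper: decides which CORS headers to emit for an Origin value.
// Returns [] when the header is absent (direct browser navigation, curl) or
// when the origin is not on the allowlist, so no CORS headers are sent.
function corsHeadersFor(?string $origin, array $allowed): array
{
    // Strict comparison: only an exact string match is ever echoed back.
    if ($origin === null || !in_array($origin, $allowed, true)) {
        return [];
    }
    return [
        'Access-Control-Allow-Origin'  => $origin,
        'Access-Control-Allow-Methods' => 'GET, POST, PUT, DELETE',
        'Access-Control-Allow-Headers' => 'Content-Type',
    ];
}

class Cors
{
    const ALLOWED_ORIGINS = ['http://localhost:4200', 'http://api.example.com'];

    public function handle(Request $request, Closure $next)
    {
        // headers->get() returns null for a missing header instead of
        // raising "Undefined index" as $_SERVER['HTTP_ORIGIN'] does.
        $cors = corsHeadersFor($request->headers->get('Origin'), self::ALLOWED_ORIGINS);

        // Always pass the request on; without Origin it is not a CORS request.
        $response = $next($request);
        foreach ($cors as $name => $value) {
            $response->headers->set($name, $value);
        }
        // The response differs per Origin, so shared caches must key on it.
        $response->headers->set('Vary', 'Origin', false);
        return $response;
    }
}

// Constructed inputs: no Origin, an allowed origin, an origin not on the list.
foreach ([null, 'http://localhost:4200', 'http://other.example'] as $origin) {
    printf("%-26s => %s\n", var_export($origin, true),
        json_encode(corsHeadersFor($origin, Cors::ALLOWED_ORIGINS)));
}
```

Run with the PHP CLI, the loop at the bottom exercises only the helper; the `Cors` class needs Laravel to be invoked.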

zackijack commented 6 years ago

Have you ever tried barryvdh/laravel-cors? For me it works perfectly.

specialtactics commented 6 years ago

As above. This is not really a concern of this package - it is just a building block of the API project, not the whole thing.

It's also not necessary in every case (for example, B2B APIs).

If you are looking for a ready to go boilerplate, have a look at my project here - https://github.com/specialtactics/l5-api-boilerplate