Laravel multiple domain origin CORS

I want to allow two domains for CORS in my Laravel app to be able to work with it locally and on the server, so I don't want to expose my app to any domain. That is what I have for now:

public function handle($request, Closure $next)
    {
        return $next($request)
            ->header('Access-Control-Allow-Origin', 'http://localhost:4200')
//            ->header('Access-Control-Allow-Origin', 'http://api.example.com')
            ->header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE')
            ->header('Access-Control-Allow-Headers', 'Content-Type');
    }

I'm not able to do it either as I've commented or as an array.

Sergey asked Aug 28 '18 07:08


3 Answers

You can define an array of origins you want to allow and then check the incoming request to see if it's one of them:

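public function handle($request, Closure $next)
{
    // Origin header values include the scheme (and any non-default port),
    // so the allowlist entries must include them too.
    $allowedOrigins = ['http://example.com', 'http://example1.com', 'http://example2.com'];
    // The Origin header is absent on non-CORS requests; header() returns null then.
    $origin = $request->header('Origin');

    if (in_array($origin, $allowedOrigins, true)) {
        return $next($request)
            ->header('Access-Control-Allow-Origin', $origin)
            ->header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE')
            ->header('Access-Control-Allow-Headers', 'Content-Type');
    }

    return $next($request);
}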
thefallen answered Oct 25 '22 23:10


@thefallen's answer works for me. I also had the same problem as @sergey, and I solved it like this:

public function handle($request, Closure $next)
{
    // Allowed origins come from .env, with local defaults.
    $allowedOrigins = [
        env('FRONTEND_ENDPOINT', 'http://localhost:8080'),
        env('WORDPRESS_ENDPOINT', 'http://localhost'),
        env('EXTRA_ENDPOINT', 'http://127.0.0.1'),
    ];

    $origin = $request->server('HTTP_ORIGIN');

    if ($origin && in_array($origin, $allowedOrigins, true)) {
        // Echo back only the matched origin. A second
        // Access-Control-Allow-Origin: * header here would replace it.
        return $next($request)
            ->header('Access-Control-Allow-Origin', $origin)
            ->header('Access-Control-Allow-Methods', 'POST, GET, OPTIONS, PUT, DELETE')
            ->header('Access-Control-Allow-Headers', '*');
    }

    return $next($request);
}

This way you can also just set the variables in the .env file like this:

FRONTEND_ENDPOINT=http://localhost:8080
WORDPRESS_ENDPOINT=http://localhost
EXTRA_ENDPOINT=http://127.0.0.1:8080
men32z answered Oct 26 '22 00:10


You could just check what host you are on, and then send out the matching Access-Control-Allow-Origin just for that one.

$request->getHttpHost() will get you the host name that was used in the request - if you just need to differentiate based on that, we can probably ignore the other stuff that is also part of the origin (protocol, port) here, and simply make this something like

public function handle($request, Closure $next)
    {
        $origin = $request->getHttpHost() == 'localhost' ?
                    'http://localhost:4200' : 'http://api.example.com';

        return $next($request)
            ->header('Access-Control-Allow-Origin', $origin)
            ->header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE')
            ->header('Access-Control-Allow-Headers', 'Content-Type');
    }

Of course you can make this more "sophisticated" if you need this for more possible origins (like matching the host name against an array of possible values, taking protocol and port into account too if necessary), but if you just need these two for now, that should basically do.

misorude answered Oct 26 '22 01:10
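
The allowlist approach from the answers above, written as one middleware that also covers a missing Origin header, preflight OPTIONS requests and cache separation via `Vary: Origin`. This is an added example, not code from the question or any answer; `CorsAllowlist`, `corsHeadersFor()` and the sample Origin values in the demo loop are assumed names and constructed values.

```php
<?php
// Added example; CorsAllowlist and corsHeadersFor() are assumed names.
use Illuminate\Http\Request;

/** CORS headers for one Origin value, or [] when it is not allowlisted. */
function corsHeadersFor(?string $origin, array $allowed): array
{
    // An origin is scheme://host[:port]; compare the whole string exactly,
    // with no substring or suffix matching.
    if ($origin === null || !in_array($origin, $allowed, true)) {
        return [];
    }
    return [
        'Access-Control-Allow-Origin'  => $origin,
        'Access-Control-Allow-Methods' => 'GET, POST, PUT, DELETE',
        'Access-Control-Allow-Headers' => 'Content-Type',
        // The response now differs per Origin, so caches must key on it.
        'Vary'                         => 'Origin',
    ];
}

class CorsAllowlist
{
    // The two origins from the question.
    const ALLOWED = ['http://localhost:4200', 'http://api.example.com'];

    public function handle(Request $request, \Closure $next)
    {
        $headers = corsHeadersFor($request->headers->get('Origin'), self::ALLOWED);

        // Answer an allowlisted preflight directly with the same headers.
        if ($request->isMethod('OPTIONS') && $headers !== []) {
            return response('', 204)->withHeaders($headers);
        }
        $response = $next($request);
        foreach ($headers as $name => $value) {
            $response->headers->set($name, $value);
        }
        return $response;
    }
}

// Constructed Origin values; runs without Laravel via `php cors_demo.php`.
if (isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    foreach (['http://localhost:4200', 'http://api.example.com.other.test', 'http://localhost', null] as $o) {
        $verdict = corsHeadersFor($o, CorsAllowlist::ALLOWED) ? 'allowed' : 'no CORS headers';
        printf("%-36s %s\n", var_export($o, true), $verdict);
    }
}
```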