diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php index 74b0320f16..974ce1a018 100644 --- a/app/Http/Kernel.php +++ b/app/Http/Kernel.php @@ -65,12 +65,12 @@ class Kernel extends HttpKernel * @var array */ protected $middleware = [ + \Fruitcake\Cors\HandleCors::class, CheckForMaintenanceMode::class, ValidatePostSize::class, TrimStrings::class, ConvertEmptyStringsToNull::class, TrustProxies::class, - // \Fruitcake\Cors\HandleCors::class, Cors::class, ]; @@ -95,7 +95,6 @@ class Kernel extends HttpKernel 'throttle:300,1', 'bindings', 'query_logging', - Cors::class, ], 'contact' => [ 'throttle:60,1', @@ -106,7 +105,6 @@ class Kernel extends HttpKernel EncryptCookies::class, AddQueuedCookiesToResponse::class, StartSession::class, - // \Illuminate\Session\Middleware\AuthenticateSession::class, ShareErrorsFromSession::class, VerifyCsrfToken::class, SubstituteBindings::class, @@ -164,6 +162,9 @@ class Kernel extends HttpKernel protected $middlewarePriority = [ Cors::class, + AddQueuedCookiesToResponse::class, + VerifyCsrfToken::class, + StartSession::class, SetDomainNameDb::class, SetDb::class, SetWebDb::class, diff --git a/app/Http/Middleware/Cors.php b/app/Http/Middleware/Cors.php index 66de2d22b9..70f211ead8 100644 --- a/app/Http/Middleware/Cors.php +++ b/app/Http/Middleware/Cors.php @@ -10,25 +10,24 @@ class Cors { public function handle($request, Closure $next) { - if ($request->getMethod() == 'OPTIONS') { - header('Access-Control-Allow-Origin: *'); + // if ($request->getMethod() == 'OPTIONS') { + // header('Access-Control-Allow-Origin: *'); - // ALLOW OPTIONS METHOD - $headers = [ - 'Access-Control-Allow-Methods'=> 'POST, GET, OPTIONS, PUT, DELETE', - 'Access-Control-Allow-Headers'=> 'X-API-COMPANY-KEY,X-CLIENT-VERSION,X-API-SECRET,X-API-TOKEN,X-API-PASSWORD,DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,X-CSRF-TOKEN,X-LIVEWIRE', - ]; + // // ALLOW OPTIONS METHOD + // $headers = [ + // 'Access-Control-Allow-Methods'=> 'POST, GET, OPTIONS, PUT, DELETE', + // 'Access-Control-Allow-Headers'=> 'X-API-COMPANY-KEY,X-CLIENT-VERSION,X-API-SECRET,X-API-TOKEN,X-API-PASSWORD,DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,X-CSRF-TOKEN,X-XSRF-TOKEN,X-LIVEWIRE', + // ]; - return Response::make('OK', 200, $headers); - } + // return Response::make('OK', 200, $headers); + // } $response = $next($request); - $response->headers->set('Access-Control-Allow-Origin', '*'); - $response->headers->set('Access-Control-Allow-Credentials', 'True'); - $response->headers->set('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS'); - $response->headers->set('Access-Control-Allow-Headers', 'X-API-COMPANY-KEY,X-API-SECRET,X-API-TOKEN,X-API-PASSWORD,DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,X-CSRF-TOKEN,X-LIVEWIRE'); - $response->headers->set('Access-Control-Expose-Headers', 'X-APP-VERSION,X-MINIMUM-CLIENT-VERSION'); + // $response->headers->set('Access-Control-Allow-Origin', '*'); + // $response->headers->set('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS'); + // $response->headers->set('Access-Control-Allow-Headers', 'X-API-COMPANY-KEY,X-API-SECRET,X-API-TOKEN,X-API-PASSWORD,DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,X-CSRF-TOKEN,X-XSRF-TOKEN,X-LIVEWIRE'); + // $response->headers->set('Access-Control-Expose-Headers', 'X-APP-VERSION,X-MINIMUM-CLIENT-VERSION'); $response->headers->set('X-APP-VERSION', config('ninja.app_version')); $response->headers->set('X-MINIMUM-CLIENT-VERSION', config('ninja.minimum_client_version')); diff --git a/app/Http/Middleware/VerifyCsrfToken.php b/app/Http/Middleware/VerifyCsrfToken.php index 5f934bc442..121074f3c9 100644 --- a/app/Http/Middleware/VerifyCsrfToken.php +++ b/app/Http/Middleware/VerifyCsrfToken.php @@ -28,6 +28,6 @@ class VerifyCsrfToken extends Middleware * @var array */ protected $except = [ - // 'livewire/message/*' + 'livewire/message/*' ]; } diff --git a/composer.json b/composer.json index 804e2b5c30..8d7e805590 100644 --- a/composer.json +++ b/composer.json @@ -43,6 +43,7 @@ "doctrine/dbal": "^2.10", "fakerphp/faker": "^1.14", "fideloper/proxy": "^4.2", + "fruitcake/laravel-cors": "^2.0", "google/apiclient": "^2.7", "guzzlehttp/guzzle": "^7.0.1", "hashids/hashids": "^4.0", diff --git a/composer.lock b/composer.lock index 688d165b08..b1790ead06 100644 --- a/composer.lock +++ b/composer.lock @@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "407c398eefe5bab138b1d984a5116156", + "content-hash": "551d077c3d25c2a962f0c2c270618582", "packages": [ { "name": "asm/php-ansible", @@ -58,6 +58,62 @@ }, "time": "2021-05-09T14:58:03+00:00" }, + { + "name": "asm89/stack-cors", + "version": "v2.0.3", + "source": { + "type": "git", + "url": "https://github.com/asm89/stack-cors.git", + "reference": "9cb795bf30988e8c96dd3c40623c48a877bc6714" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/asm89/stack-cors/zipball/9cb795bf30988e8c96dd3c40623c48a877bc6714", + "reference": "9cb795bf30988e8c96dd3c40623c48a877bc6714", + "shasum": "" + }, + "require": { + "php": "^7.0|^8.0", + "symfony/http-foundation": "~2.7|~3.0|~4.0|~5.0", + "symfony/http-kernel": "~2.7|~3.0|~4.0|~5.0" + }, + "require-dev": { + "phpunit/phpunit": "^6|^7|^8|^9", + "squizlabs/php_codesniffer": "^3.5" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "2.0-dev" + } + }, + "autoload": { + "psr-4": { + "Asm89\\Stack\\": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Alexander", + "email": "iam.asm89@gmail.com" + } + ], + "description": "Cross-origin resource sharing library and stack middleware", + "homepage": "https://github.com/asm89/stack-cors", + "keywords": [ + "cors", + "stack" + ], + "support": { + "issues": "https://github.com/asm89/stack-cors/issues", + "source": "https://github.com/asm89/stack-cors/tree/v2.0.3" + }, + "time": "2021-03-11T06:42:03+00:00" + }, { "name": "authorizenet/authorizenet", "version": "2.0.2", @@ -2084,6 +2140,83 @@ }, "time": "2021-05-20T17:37:02+00:00" }, + { + "name": "fruitcake/laravel-cors", + "version": "v2.0.4", + "source": { + "type": "git", + "url": "https://github.com/fruitcake/laravel-cors.git", + "reference": "a8ccedc7ca95189ead0e407c43b530dc17791d6a" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/fruitcake/laravel-cors/zipball/a8ccedc7ca95189ead0e407c43b530dc17791d6a", + "reference": "a8ccedc7ca95189ead0e407c43b530dc17791d6a", + "shasum": "" + }, + "require": { + "asm89/stack-cors": "^2.0.1", + "illuminate/contracts": "^6|^7|^8|^9", + "illuminate/support": "^6|^7|^8|^9", + "php": ">=7.2", + "symfony/http-foundation": "^4|^5", + "symfony/http-kernel": "^4.3.4|^5" + }, + "require-dev": { + "laravel/framework": "^6|^7|^8", + "orchestra/testbench-dusk": "^4|^5|^6|^7", + "phpunit/phpunit": "^6|^7|^8|^9", + "squizlabs/php_codesniffer": "^3.5" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "2.0-dev" + }, + "laravel": { + "providers": [ + "Fruitcake\\Cors\\CorsServiceProvider" + ] + } + }, + "autoload": { + "psr-4": { + "Fruitcake\\Cors\\": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Fruitcake", + "homepage": "https://fruitcake.nl" + }, + { + "name": "Barry vd. Heuvel", + "email": "barryvdh@gmail.com" + } + ], + "description": "Adds CORS (Cross-Origin Resource Sharing) headers support in your Laravel application", + "keywords": [ + "api", + "cors", + "crossdomain", + "laravel" + ], + "support": { + "issues": "https://github.com/fruitcake/laravel-cors/issues", + "source": "https://github.com/fruitcake/laravel-cors/tree/v2.0.4" + }, + "funding": [ + { + "url": "https://github.com/barryvdh", + "type": "github" + } + ], + "time": "2021-04-26T11:24:25+00:00" + }, { "name": "google/apiclient", "version": "v2.9.1", diff --git a/config/cors.php b/config/cors.php index c6f92087df..d90557c1a4 100644 --- a/config/cors.php +++ b/config/cors.php @@ -15,7 +15,7 @@ return [ | */ - 'paths' => ['livewire/*'], + 'paths' => ['*'], 'allowed_methods' => ['*'], @@ -23,9 +23,9 @@ return [ 'allowed_origins_patterns' => [], - 'allowed_headers' => ['*'], + 'allowed_headers' => ['X-API-COMPANY-KEY,X-API-SECRET,X-API-TOKEN,X-API-PASSWORD,DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,X-CSRF-TOKEN,X-XSRF-TOKEN,X-LIVEWIRE'], - 'exposed_headers' => [], + 'exposed_headers' => ['X-APP-VERSION,X-MINIMUM-CLIENT-VERSION,X-CSRF-TOKEN,X-XSRF-TOKEN,X-LIVEWIRE'], 'max_age' => 0, diff --git a/config/session.php b/config/session.php index 4e0f66cda6..571c90ad7e 100644 --- a/config/session.php +++ b/config/session.php @@ -196,6 +196,6 @@ return [ | */ - 'same_site' => 'lax', + 'same_site' => 'none', ];