From 30e0d4a6ab771a4a44fbdf193ea52b08f19ec8bc Mon Sep 17 00:00:00 2001 From: David Bomba Date: Wed, 2 Jun 2021 12:39:44 +1000 Subject: [PATCH] Fixes for CORS --- app/Http/Kernel.php | 7 +- app/Http/Middleware/Cors.php | 27 +++-- app/Http/Middleware/VerifyCsrfToken.php | 2 +- composer.json | 1 + composer.lock | 135 +++++++++++++++++++++++- config/cors.php | 6 +- config/session.php | 2 +- 7 files changed, 157 insertions(+), 23 deletions(-) diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php index 74b0320f16..974ce1a018 100644 --- a/app/Http/Kernel.php +++ b/app/Http/Kernel.php @@ -65,12 +65,12 @@ class Kernel extends HttpKernel * @var array */ protected $middleware = [ + \Fruitcake\Cors\HandleCors::class, CheckForMaintenanceMode::class, ValidatePostSize::class, TrimStrings::class, ConvertEmptyStringsToNull::class, TrustProxies::class, - // \Fruitcake\Cors\HandleCors::class, Cors::class, ]; @@ -95,7 +95,6 @@ class Kernel extends HttpKernel 'throttle:300,1', 'bindings', 'query_logging', - Cors::class, ], 'contact' => [ 'throttle:60,1', @@ -106,7 +105,6 @@ class Kernel extends HttpKernel EncryptCookies::class, AddQueuedCookiesToResponse::class, StartSession::class, - // \Illuminate\Session\Middleware\AuthenticateSession::class, ShareErrorsFromSession::class, VerifyCsrfToken::class, SubstituteBindings::class, @@ -164,6 +162,9 @@ class Kernel extends HttpKernel protected $middlewarePriority = [ Cors::class, + AddQueuedCookiesToResponse::class, + VerifyCsrfToken::class, + StartSession::class, SetDomainNameDb::class, SetDb::class, SetWebDb::class, diff --git a/app/Http/Middleware/Cors.php b/app/Http/Middleware/Cors.php index 66de2d22b9..70f211ead8 100644 --- a/app/Http/Middleware/Cors.php +++ b/app/Http/Middleware/Cors.php 
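Review bot: In the `$middlewarePriority` addition, `VerifyCsrfToken::class` is listed ahead of `StartSession::class`, and Laravel's sorted-middleware pass reorders group middleware to honour this list, so CSRF verification would likely run before the session has been started; in Laravel's implementation `VerifyCsrfToken::tokensMatch()` reads `$request->session()->token()`, which throws when no session store is set on the request. Keep the order the web group already uses: `AddQueuedCookiesToResponse::class,` / `StartSession::class,` / `VerifyCsrfToken::class,`. EncryptCookies is not in the visible part of the list and the rest of `$middlewarePriority` is outside the hunk, so confirm cookie encryption still sorts ahead of StartSession. It is worth checking whether the `livewire/message/*` CSRF exception added in VerifyCsrfToken.php in this same commit was masking this ordering problem rather than fixing a CORS issue.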
@@ -10,25 +10,24 @@ class Cors { public function handle($request, Closure $next) { - if ($request->getMethod() == 'OPTIONS') { - header('Access-Control-Allow-Origin: *'); + // if ($request->getMethod() == 'OPTIONS') { + // header('Access-Control-Allow-Origin: *'); - // ALLOW OPTIONS METHOD - $headers = [ - 'Access-Control-Allow-Methods'=> 'POST, GET, OPTIONS, PUT, DELETE', - 'Access-Control-Allow-Headers'=> 'X-API-COMPANY-KEY,X-CLIENT-VERSION,X-API-SECRET,X-API-TOKEN,X-API-PASSWORD,DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,X-CSRF-TOKEN,X-LIVEWIRE', - ]; + // // ALLOW OPTIONS METHOD + // $headers = [ + // 'Access-Control-Allow-Methods'=> 'POST, GET, OPTIONS, PUT, DELETE', + // 'Access-Control-Allow-Headers'=> 'X-API-COMPANY-KEY,X-CLIENT-VERSION,X-API-SECRET,X-API-TOKEN,X-API-PASSWORD,DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,X-CSRF-TOKEN,X-XSRF-TOKEN,X-LIVEWIRE', + // ]; - return Response::make('OK', 200, $headers); - } + // return Response::make('OK', 200, $headers); + // } $response = $next($request); - $response->headers->set('Access-Control-Allow-Origin', '*'); - $response->headers->set('Access-Control-Allow-Credentials', 'True'); - $response->headers->set('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS'); - $response->headers->set('Access-Control-Allow-Headers', 'X-API-COMPANY-KEY,X-API-SECRET,X-API-TOKEN,X-API-PASSWORD,DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,X-CSRF-TOKEN,X-LIVEWIRE'); - $response->headers->set('Access-Control-Expose-Headers', 'X-APP-VERSION,X-MINIMUM-CLIENT-VERSION'); + // $response->headers->set('Access-Control-Allow-Origin', '*'); + // $response->headers->set('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS'); + // $response->headers->set('Access-Control-Allow-Headers', 
'X-API-COMPANY-KEY,X-API-SECRET,X-API-TOKEN,X-API-PASSWORD,DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,X-CSRF-TOKEN,X-XSRF-TOKEN,X-LIVEWIRE'); + // $response->headers->set('Access-Control-Expose-Headers', 'X-APP-VERSION,X-MINIMUM-CLIENT-VERSION'); $response->headers->set('X-APP-VERSION', config('ninja.app_version')); $response->headers->set('X-MINIMUM-CLIENT-VERSION', config('ninja.minimum_client_version')); diff --git a/app/Http/Middleware/VerifyCsrfToken.php b/app/Http/Middleware/VerifyCsrfToken.php index 5f934bc442..121074f3c9 100644 --- a/app/Http/Middleware/VerifyCsrfToken.php +++ b/app/Http/Middleware/VerifyCsrfToken.php @@ -28,6 +28,6 @@ class VerifyCsrfToken extends Middleware * @var array */ protected $except = [ - // 'livewire/message/*' + 'livewire/message/*' ]; } diff --git a/composer.json b/composer.json index 804e2b5c30..8d7e805590 100644 --- a/composer.json +++ b/composer.json @@ -43,6 +43,7 @@ "doctrine/dbal": "^2.10", "fakerphp/faker": "^1.14", "fideloper/proxy": "^4.2", + "fruitcake/laravel-cors": "^2.0", "google/apiclient": "^2.7", "guzzlehttp/guzzle": "^7.0.1", "hashids/hashids": "^4.0", diff --git a/composer.lock b/composer.lock index 688d165b08..b1790ead06 100644 --- a/composer.lock +++ b/composer.lock @@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "407c398eefe5bab138b1d984a5116156", + "content-hash": "551d077c3d25c2a962f0c2c270618582", "packages": [ { "name": "asm/php-ansible", 
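Review bot: The replaced body of `Cors::handle()` is left in place as commented-out code rather than deleted; now that `HandleCors` and `config/cors.php` own the CORS headers, the dead block (including the old `Access-Control-Allow-Origin: *` plus `Access-Control-Allow-Credentials: True` pair, which the CORS spec does not permit for credentialed requests) only invites someone to re-enable it. Delete the commented lines so the method is just `$response = $next($request);` followed by the two version-header `set()` calls, and add a class docblock such as `/** Appends X-APP-VERSION and X-MINIMUM-CLIENT-VERSION to every response; CORS itself is handled by Fruitcake HandleCors, configured in config/cors.php. */`. `handle()` continues past the end of the hunk, and with its CORS duties gone the class name and its top slot in `$middlewarePriority` are now misleading.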
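Review bot: Uncommenting `'livewire/message/*'` in `$except` turns off CSRF verification for every Livewire component update, and the same commit sets the session cookie to `same_site => 'none'`, so that endpoint becomes reachable cross-site with the session cookie attached and no token check unless the Livewire handler validates `X-CSRF-TOKEN` itself (confirm). The exception looks like a workaround for the token header being blocked by the old CORS setup; with `X-CSRF-TOKEN` and `X-XSRF-TOKEN` now in `allowed_headers` in config/cors.php it should no longer be needed, so prefer reverting to `// 'livewire/message/*'` (or removing the line) and fixing the StartSession/VerifyCsrfToken order in Kernel.php instead. If the exception has to stay, a comment stating why and which alternative check protects the route is the minimum.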
@@ -58,6 +58,62 @@ }, "time": "2021-05-09T14:58:03+00:00" }, + { + "name": "asm89/stack-cors", + "version": "v2.0.3", + "source": { + "type": "git", + "url": "https://github.com/asm89/stack-cors.git", + "reference": "9cb795bf30988e8c96dd3c40623c48a877bc6714" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/asm89/stack-cors/zipball/9cb795bf30988e8c96dd3c40623c48a877bc6714", + "reference": "9cb795bf30988e8c96dd3c40623c48a877bc6714", + "shasum": "" + }, + "require": { + "php": "^7.0|^8.0", + "symfony/http-foundation": "~2.7|~3.0|~4.0|~5.0", + "symfony/http-kernel": "~2.7|~3.0|~4.0|~5.0" + }, + "require-dev": { + "phpunit/phpunit": "^6|^7|^8|^9", + "squizlabs/php_codesniffer": "^3.5" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "2.0-dev" + } + }, + "autoload": { + "psr-4": { + "Asm89\\Stack\\": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Alexander", + "email": "iam.asm89@gmail.com" + } + ], + "description": "Cross-origin resource sharing library and stack middleware", + "homepage": "https://github.com/asm89/stack-cors", + "keywords": [ + "cors", + "stack" + ], + "support": { + "issues": "https://github.com/asm89/stack-cors/issues", + "source": "https://github.com/asm89/stack-cors/tree/v2.0.3" + }, + "time": "2021-03-11T06:42:03+00:00" + }, { "name": "authorizenet/authorizenet", "version": "2.0.2", 
@@ -2084,6 +2140,83 @@ }, "time": "2021-05-20T17:37:02+00:00" }, + { + "name": "fruitcake/laravel-cors", + "version": "v2.0.4", + "source": { + "type": "git", + "url": "https://github.com/fruitcake/laravel-cors.git", + "reference": "a8ccedc7ca95189ead0e407c43b530dc17791d6a" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/fruitcake/laravel-cors/zipball/a8ccedc7ca95189ead0e407c43b530dc17791d6a", + "reference": "a8ccedc7ca95189ead0e407c43b530dc17791d6a", + "shasum": "" + }, + "require": { + "asm89/stack-cors": "^2.0.1", + "illuminate/contracts": "^6|^7|^8|^9", + "illuminate/support": "^6|^7|^8|^9", + "php": ">=7.2", + "symfony/http-foundation": "^4|^5", + "symfony/http-kernel": "^4.3.4|^5" + }, + "require-dev": { + "laravel/framework": "^6|^7|^8", + "orchestra/testbench-dusk": "^4|^5|^6|^7", + "phpunit/phpunit": "^6|^7|^8|^9", + "squizlabs/php_codesniffer": "^3.5" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "2.0-dev" + }, + "laravel": { + "providers": [ + "Fruitcake\\Cors\\CorsServiceProvider" + ] + } + }, + "autoload": { + "psr-4": { + "Fruitcake\\Cors\\": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Fruitcake", + "homepage": "https://fruitcake.nl" + }, + { + "name": "Barry vd. Heuvel", + "email": "barryvdh@gmail.com" + } + ], + "description": "Adds CORS (Cross-Origin Resource Sharing) headers support in your Laravel application", + "keywords": [ + "api", + "cors", + "crossdomain", + "laravel" + ], + "support": { + "issues": "https://github.com/fruitcake/laravel-cors/issues", + "source": "https://github.com/fruitcake/laravel-cors/tree/v2.0.4" + }, + "funding": [ + { + "url": "https://github.com/barryvdh", + "type": "github" + } + ], + "time": "2021-04-26T11:24:25+00:00" + }, { "name": "google/apiclient", "version": "v2.9.1", diff --git a/config/cors.php b/config/cors.php index c6f92087df..d90557c1a4 100644 
--- a/config/cors.php +++ b/config/cors.php @@ -15,7 +15,7 @@ return [ | */ - 'paths' => ['livewire/*'], + 'paths' => ['*'], 'allowed_methods' => ['*'], @@ -23,9 +23,9 @@ return [ 'allowed_origins_patterns' => [], - 'allowed_headers' => ['*'], + 'allowed_headers' => ['X-API-COMPANY-KEY,X-API-SECRET,X-API-TOKEN,X-API-PASSWORD,DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,X-CSRF-TOKEN,X-XSRF-TOKEN,X-LIVEWIRE'], - 'exposed_headers' => [], + 'exposed_headers' => ['X-APP-VERSION,X-MINIMUM-CLIENT-VERSION,X-CSRF-TOKEN,X-XSRF-TOKEN,X-LIVEWIRE'], 'max_age' => 0, diff --git a/config/session.php b/config/session.php index 4e0f66cda6..571c90ad7e 100644 --- a/config/session.php +++ b/config/session.php @@ -196,6 +196,6 @@ return [ | */ - 'same_site' => 'lax', + 'same_site' => 'none', ];
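Review bot: `allowed_headers` and `exposed_headers` are each given a single comma-joined string inside the array, whereas the package config expects one header name per element; the value appears to work only because the list is imploded back with commas, and it breaks any per-header matching or later editing, so write `'allowed_headers' => ['X-API-COMPANY-KEY', 'X-API-SECRET', 'X-API-TOKEN', ...]` with each header as its own element (same for `exposed_headers`). Exposing `X-CSRF-TOKEN` and `X-XSRF-TOKEN` via `exposed_headers` would, if those headers are ever emitted, let scripts on any allowed origin read the CSRF token, which defeats the token when combined with a permissive origin list; drop them unless a concrete client needs them. `paths` is widened to `['*']` in the first hunk while `allowed_origins` and `supports_credentials` are outside the diff — if they are `['*']` and `true`, the library appears to reflect the request Origin with credentials allowed, which is the configuration to avoid; confirm origins are an explicit list.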
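Review bot: `'same_site' => 'none'` is only honoured by browsers when the cookie also carries the `Secure` flag, and the `secure` key of this config is outside the hunk — confirm it resolves to true in every environment that serves cross-site traffic, otherwise the session cookie is silently dropped. Setting SameSite=None also removes the browser-side barrier against cross-site requests, so CSRF protection now rests entirely on VerifyCsrfToken, which this same commit relaxes for `livewire/message/*`. Add a comment above the value, e.g. `// 'none' is needed for cross-site embedding; it only works over HTTPS with 'secure' => true and removes the SameSite CSRF barrier, so every state-changing route must stay under VerifyCsrfToken.`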