From 8b492c76df8d162b126cb91bb3f7562df2f81b63 Mon Sep 17 00:00:00 2001 From: Freek Van der Herten Date: Tue, 12 Dec 2017 17:48:12 +0100 Subject: [PATCH 01/42] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b70eaaf..a87f801 100644 --- a/README.md +++ b/README.md @@ -170,7 +170,7 @@ If you discover any security related issues, please email freek@spatie.be instea ## Alternatives -- [barryvdh/laravel-cors](barryvdh/laravel-cors): a tried and tested package. Our package is a modern rewrite of the basic features of Barry's excellent one. We created our own solution because we needed our configuration to be [very flexible](/#creating-your-own-cors-profile). +- [barryvdh/laravel-cors](barryvdh/laravel-cors): a tried and tested package. Our package is a modern rewrite of the basic features of Barry's excellent one. We created our own solution because we needed our configuration to be [very flexible](#creating-your-own-cors-profile). ## Postcardware From acf657a3b61b2c0d87288cae59603f37736405c3 Mon Sep 17 00:00:00 2001 From: Freek Van der Herten Date: Wed, 13 Dec 2017 15:05:30 +0100 Subject: [PATCH 02/42] Update README.md --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index a87f801..45378ca 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,5 @@ +**WORK IN PROGRESS, DO NOT USE YET** + # Send CORS headers in a Laravel application [![Latest Version on Packagist](https://img.shields.io/packagist/v/spatie/laravel-cors.svg?style=flat-square)](https://packagist.org/packages/spatie/laravel-cors) @@ -48,7 +50,7 @@ protected $middleware = [ Optionally you can publish the config file with: ```php -php artisan vendor:publish --provider="Spatie\Cors\CorsServiceProvider" --tag="cors" +php artisan vendor:publish --provider="Spatie\Cors\CorsServiceProvider" --tag="config" ``` This is the default content of the config file published at `config/cors.php`: 
From 15a649e9bcb257fd43aad937debd100e8456d285 Mon Sep 17 00:00:00 2001 From: Freek Van der Herten Date: Wed, 13 Dec 2017 15:37:25 +0100 Subject: [PATCH 03/42] fix deps --- composer.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/composer.json b/composer.json index 8ae5778..01e03bc 100644 --- a/composer.json +++ b/composer.json @@ -22,9 +22,9 @@ "require": { "php": "^7.0", "illuminate/support": "5.5.*", - "orchestra/testbench": "3.5.0" }, "require-dev": { + "orchestra/testbench": "3.5.*", "phpunit/phpunit": "^6.5.4" }, "autoload": { From ae585d9120532c6ee16826930cf087b1154a78e9 Mon Sep 17 00:00:00 2001 From: freek Date: Wed, 13 Dec 2017 15:38:21 +0100 Subject: [PATCH 04/42] fix composer.json --- composer.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/composer.json b/composer.json index 01e03bc..73d9b9c 100644 --- a/composer.json +++ b/composer.json @@ -21,7 +21,7 @@ ], "require": { "php": "^7.0", - "illuminate/support": "5.5.*", + "illuminate/support": "5.5.*" }, "require-dev": { "orchestra/testbench": "3.5.*", From 8aca378e32e40a1801fc9f8c79e1677d5a66df10 Mon Sep 17 00:00:00 2001 From: freek Date: Wed, 13 Dec 2017 16:13:38 +0100 Subject: [PATCH 05/42] check for cors requests --- src/Cors.php | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/src/Cors.php b/src/Cors.php index 619c0d3..006a2e1 100644 --- a/src/Cors.php +++ b/src/Cors.php @@ -25,6 +25,10 @@ public function __construct(CorsProfile $corsProfile) */ public function handle($request, Closure $next) { + if (! $this->isCorsRequest($request)) { + return $next($request); + } + $this->corsProfile->setRequest($request); if (! $this->corsProfile->isAllowed()) { 
@@ -40,6 +44,15 @@ public function handle($request, Closure $next) return $this->corsProfile->addCorsHeaders($response); } + protected function isCorsRequest($request): bool + { + if ($request->headers->has('Origin')) { + return true; + } + + return $request->headers->get('Origin') !== $request->getSchemeAndHttpHost(); + } + protected function isPreflightRequest($request): bool { return $request->getMethod() === 'OPTIONS'; From d0d3e58c0d88081a137a05855c0047db6fc959fa Mon Sep 17 00:00:00 2001 From: freek Date: Wed, 13 Dec 2017 16:20:37 +0100 Subject: [PATCH 06/42] fix cors detection --- src/Cors.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/Cors.php b/src/Cors.php index 006a2e1..c537659 100644 --- a/src/Cors.php +++ b/src/Cors.php @@ -46,8 +46,8 @@ public function handle($request, Closure $next) protected function isCorsRequest($request): bool { - if ($request->headers->has('Origin')) { - return true; + if (! $request->headers->has('Origin')) { + return false; } return $request->headers->get('Origin') !== $request->getSchemeAndHttpHost(); From c4411e33f077cd0f4a7e5924e9e79f474026fc34 Mon Sep 17 00:00:00 2001 From: Freek Van der Herten Date: Wed, 13 Dec 2017 17:08:02 +0100 Subject: [PATCH 07/42] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 45378ca..bfd3325 100644 --- a/README.md +++ b/README.md @@ -43,7 +43,7 @@ Or you could opt to register it as global middleware. protected $middleware = [ ... - Spatie\Cors\Cors::class + \Spatie\Cors\Cors::class ]; ``` From 802df8b2752b8638a2423fbedbca886e982bbb78 Mon Sep 17 00:00:00 2001 From: Freek Van der Herten Date: Thu, 14 Dec 2017 15:42:25 +0100 Subject: [PATCH 08/42] Update Cors.php --- src/Cors.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Cors.php b/src/Cors.php index c537659..247de96 100644 --- a/src/Cors.php +++ b/src/Cors.php 
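Review bot: The final comparison in `isCorsRequest()` (patch 06, `src/Cors.php`) only works if `getSchemeAndHttpHost()` reports the scheme and host the browser actually used. Behind a TLS-terminating proxy without trusted proxies configured, the request presumably reports `http://…` while the browser sends `Origin: https://…`. A same-origin request would then be classified as cross-origin and, with a restricted `allow_origins` list, answered with 403. The method has no docblock; add one stating the dependency, e.g. `// Same-origin check compares Origin with the request's own scheme and host; configure trusted proxies when TLS is terminated upstream.`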
@@ -69,6 +69,6 @@ protected function handlePreflightRequest() protected function forbiddenResponse() { - return response('Forbidden.', 403); + return response('Forbidden (cors).', 403); } } From 28bb5c6c33262a558bddb8626f6ef5d4c26a2f8b Mon Sep 17 00:00:00 2001 From: Alex Vanderbist Date: Mon, 18 Dec 2017 11:51:51 +0100 Subject: [PATCH 09/42] Various fixes --- config/cors.php | 1 + src/Cors.php | 2 +- src/CorsProfile/CorsProfile.php | 6 ++++++ src/CorsProfile/DefaultProfile.php | 17 +++++++++++++++-- tests/CorsTest.php | 27 ++++++++++++++++++++++++++- tests/PreflightTest.php | 2 +- 6 files changed, 50 insertions(+), 5 deletions(-) diff --git a/config/cors.php b/config/cors.php index 9870ed1..edce375 100644 --- a/config/cors.php +++ b/config/cors.php @@ -26,6 +26,7 @@ 'GET', 'OPTIONS', 'PUT', + 'PATCH', 'DELETE', ], diff --git a/src/Cors.php b/src/Cors.php index 247de96..9260338 100644 --- a/src/Cors.php +++ b/src/Cors.php @@ -64,7 +64,7 @@ protected function handlePreflightRequest() return $this->forbiddenResponse(); } - return $this->corsProfile->addPreflightheaders(response('Preflight OK', 200)); + return $this->corsProfile->addPreflightHeaders(response('Preflight OK', 200)); } protected function forbiddenResponse() diff --git a/src/CorsProfile/CorsProfile.php b/src/CorsProfile/CorsProfile.php index 550327c..a90e091 100644 --- a/src/CorsProfile/CorsProfile.php +++ b/src/CorsProfile/CorsProfile.php @@ -2,6 +2,8 @@ namespace Spatie\Cors\CorsProfile; +use Symfony\Component\HttpFoundation\Response; + interface CorsProfile { public function setRequest($request); @@ -12,6 +14,10 @@ public function allowMethods(): array; public function allowHeaders(): array; + public function addCorsHeaders($response); + + public function addPreflightHeaders($response); + public function maxAge(): int; public function isAllowed(): bool; diff --git a/src/CorsProfile/DefaultProfile.php b/src/CorsProfile/DefaultProfile.php index 97969fb..6a4987a 100644 
--- a/src/CorsProfile/DefaultProfile.php +++ b/src/CorsProfile/DefaultProfile.php @@ -35,7 +35,7 @@ public function maxAge(): int public function addCorsHeaders($response) { return $response - ->header('Access-Control-Allow-Origin', $this->toString($this->allowOrigins())); + ->header('Access-Control-Allow-Origin', $this->allowedOriginsToString()); } public function addPreflightHeaders($response) @@ -43,7 +43,7 @@ public function addPreflightHeaders($response) return $response ->header('Access-Control-Allow-Methods', $this->toString($this->allowMethods())) ->header('Access-Control-Allow-Headers', $this->toString($this->allowHeaders())) - ->header('Access-Control-Allow-Origin', $this->toString($this->allowOrigins())) + ->header('Access-Control-Allow-Origin', $this->allowedOriginsToString()) ->header('Access-Control-Max-Age', $this->maxAge()); } @@ -64,4 +64,17 @@ protected function toString(array $array): string { return implode(', ', $array); } + + protected function allowedOriginsToString(): string + { + if (! $this->isAllowed()) { + return ''; + } + + if (in_array('*', $this->allowOrigins())) { + return '*'; + } + + return $this->request->header('Origin'); + } } diff --git a/tests/CorsTest.php b/tests/CorsTest.php index 434a57b..c233295 100644 --- a/tests/CorsTest.php +++ b/tests/CorsTest.php @@ -5,7 +5,7 @@ class CorsTest extends TestCase { /** @test */ - public function it_add_the_cors_headers_on_a_valid_requests() + public function it_adds_the_cors_headers_on_a_valid_requests() { $this ->sendRequest('POST', 'https://spatie.be') 
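Review bot: `allowedOriginsToString()` (hunk `@@ -64,4 +64,17 @@`) now reflects the request's `Origin` into `Access-Control-Allow-Origin`, but neither `addCorsHeaders()` nor `addPreflightHeaders()` in the two hunks above adds `Vary: Origin`. A shared cache or CDN in front of the app can then replay a response carrying one origin's allow header to a different origin. Append `->header('Vary', 'Origin', false)` to both chains whenever the returned value is not `*`. The wildcard test should be strict, `in_array('*', $this->allowOrigins(), true)`. For a disallowed request the method returns `''`, which both callers still emit as an empty header; omitting the header would be cleaner.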
@@ -14,6 +14,31 @@ public function it_add_the_cors_headers_on_a_valid_requests() ->assertSee('real content'); } + /** @test */ + public function it_adds_the_wildcard_in_the_cors_headers_on_a_valid_request_if_no_allow_origins_are_set() + { + $this + ->sendRequest('POST', 'https://spatie.be') + ->assertSuccessful() + ->assertHeader('Access-Control-Allow-Origin', '*') + ->assertSee('real content'); + } + + /** @test */ + public function it_adds_the_origin_domain_in_the_cors_headers_on_a_valid_request() + { + config()->set('cors.default_profile.allow_origins', [ + 'https://spatie.be', + 'https://laravel.com', + ]); + + $this + ->sendRequest('POST', 'https://spatie.be') + ->assertSuccessful() + ->assertHeader('Access-Control-Allow-Origin', 'https://spatie.be') + ->assertSee('real content'); + } + /** @test */ public function it_will_send_a_403_for_invalid_requests() { diff --git a/tests/PreflightTest.php b/tests/PreflightTest.php index 5dec59c..ddf9e2f 100644 --- a/tests/PreflightTest.php +++ b/tests/PreflightTest.php @@ -11,7 +11,7 @@ public function it_responds_with_a_200_for_a_valid_preflight_request() ->sendPreflightRequest('DELETE', 'https://spatie.be') ->assertSuccessful() ->assertSee('Preflight OK') - ->assertHeader('Access-Control-Allow-Methods', 'POST, GET, OPTIONS, PUT, DELETE') + ->assertHeader('Access-Control-Allow-Methods', 'POST, GET, OPTIONS, PUT, PATCH, DELETE') ->assertHeader('Access-Control-Allow-Headers', 'Content-Type, X-Auth-Token, Origin, Authorization') ->assertHeader('Access-Control-Allow-Origin', '*') ->assertHeader('Access-Control-Max-Age', 60 * 60 * 24); From 874b7a77076e725c02db4a80167c18dcbdf65db3 Mon Sep 17 00:00:00 2001 From: Alex Vanderbist Date: Mon, 18 Dec 2017 11:52:37 +0100 Subject: [PATCH 10/42] Update readme --- README.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index bfd3325..917add7 100644 --- a/README.md +++ b/README.md 
@@ -74,7 +74,7 @@ return [ 'default_profile' => [ 'allow_origins' => [ - '*' + '*', ], 'allow_methods' => [ @@ -82,7 +82,8 @@ return [ 'GET', 'OPTIONS', 'PUT', - 'DELETE' + 'PATCH', + 'DELETE', ], 'allow_headers' => [ @@ -191,7 +192,7 @@ We publish all received postcards [on our company website](https://spatie.be/en/ Spatie is a webdesign agency based in Antwerp, Belgium. You'll find an overview of all our open source projects [on our website](https://spatie.be/opensource). -Does your business depend on our contributions? Reach out and support us on [Patreon](https://www.patreon.com/spatie). +Does your business depend on our contributions? Reach out and support us on [Patreon](https://www.patreon.com/spatie). All pledges will be dedicated to allocating workforce on maintenance and new awesome stuff. ## License From a29d82837a7467d2831e2c8aaa401bc19d9489ab Mon Sep 17 00:00:00 2001 From: Alex Vanderbist Date: Mon, 18 Dec 2017 11:56:44 +0100 Subject: [PATCH 11/42] Removed unused import --- src/CorsProfile/CorsProfile.php | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/CorsProfile/CorsProfile.php b/src/CorsProfile/CorsProfile.php index a90e091..194b1a0 100644 --- a/src/CorsProfile/CorsProfile.php +++ b/src/CorsProfile/CorsProfile.php @@ -2,8 +2,6 @@ namespace Spatie\Cors\CorsProfile; -use Symfony\Component\HttpFoundation\Response; - interface CorsProfile { public function setRequest($request); From 9a15419b9e8acc8a396d6bac55ed6b0155bb4548 Mon Sep 17 00:00:00 2001 From: Freek Van der Herten Date: Mon, 18 Dec 2017 12:27:23 +0100 Subject: [PATCH 12/42] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 917add7..f8a79ca 100644 --- a/README.md +++ b/README.md 
@@ -9,7 +9,7 @@ [![StyleCI](https://styleci.io/repos/113957368/shield?branch=master)](https://styleci.io/repos/113957368) [![Total Downloads](https://img.shields.io/packagist/dt/spatie/laravel-cors.svg?style=flat-square)](https://packagist.org/packages/spatie/laravel-cors) -This package will add CORS headers to the reponses of your Laravel. Read [this excellent article](https://spring.io/understanding/CORS) on the subject if you want to understand what CORS is all about. +This package will add CORS headers to the responses of your Laravel. Read [this excellent article](https://spring.io/understanding/CORS) on the subject if you want to understand what CORS is all about. This package support preflight request and is easily configurable to fit your needs. From 4024be07a81a3700f934fa2d0b4822b2d71a2438 Mon Sep 17 00:00:00 2001 From: freek Date: Tue, 19 Dec 2017 14:18:18 +0100 Subject: [PATCH 13/42] prepare release --- CHANGELOG.md | 2 +- README.md | 16 ++-------------- config/cors.php | 2 +- 3 files changed, 4 insertions(+), 16 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5f16c5b..2da12e0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,6 @@ All notable changes to `laravel-cors` will be documented in this file -## 1.0.0 - 201X-XX-XX +## 1.0.0 - 2019-12-19 - initial release diff --git a/README.md b/README.md index f8a79ca..0cf33cf 100644 --- a/README.md +++ b/README.md @@ -25,18 +25,7 @@ The package will automatically register it's service provider. The provided `Spatie\Cors\Cors` middleware can be registered in the api middleware group. -```php -// app/Http/Kernel.php - -protected $middlewareGroups = [ - 'api' => [ - ... - \Spatie\Cors\Cors::class - ], -]; -``` - -Or you could opt to register it as global middleware. +You must register it as global middleware. ```php // app/Http/Kernel.php 
@@ -57,7 +46,6 @@ This is the default content of the config file published at `config/cors.php`: ```php return [ - /* * A cors profile determines which orgins, methods, headers are allowed for * a given requests. The `DefaultProfile` reads its configuration from this @@ -69,7 +57,7 @@ return [ 'cors_profile' => Spatie\Cors\CorsProfile\DefaultProfile::class, /* - * These configuration is used by `DefaultProfile`. + * This configuration is used by `DefaultProfile`. */ 'default_profile' => [ diff --git a/config/cors.php b/config/cors.php index edce375..91dc90b 100644 --- a/config/cors.php +++ b/config/cors.php @@ -13,7 +13,7 @@ 'cors_profile' => Spatie\Cors\CorsProfile\DefaultProfile::class, /* - * These configuration is used by `DefaultProfile`. + * This configuration is used by `DefaultProfile`. */ 'default_profile' => [ From e5a4eefbda2add901229156ca3ccb110efb04429 Mon Sep 17 00:00:00 2001 From: freek Date: Tue, 19 Dec 2017 14:19:01 +0100 Subject: [PATCH 14/42] prepare release --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index 0cf33cf..3025a8e 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,3 @@ -**WORK IN PROGRESS, DO NOT USE YET** - # Send CORS headers in a Laravel application [![Latest Version on Packagist](https://img.shields.io/packagist/v/spatie/laravel-cors.svg?style=flat-square)](https://packagist.org/packages/spatie/laravel-cors) From 4cda47bd0c15d9f83708c762122f711d1d5b9fa1 Mon Sep 17 00:00:00 2001 From: freek Date: Tue, 19 Dec 2017 14:20:39 +0100 Subject: [PATCH 15/42] commit --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 3025a8e..ce64e81 100644 --- a/README.md +++ b/README.md 
@@ -2,7 +2,6 @@ [![Latest Version on Packagist](https://img.shields.io/packagist/v/spatie/laravel-cors.svg?style=flat-square)](https://packagist.org/packages/spatie/laravel-cors) [![Build Status](https://img.shields.io/travis/spatie/laravel-cors/master.svg?style=flat-square)](https://travis-ci.org/spatie/laravel-cors) -[![SensioLabsInsight](https://img.shields.io/sensiolabs/i/e913c9eb-556b-4e2e-84b8-3913ed46a87a.svg?style=flat-square)](https://insight.sensiolabs.com/projects/e913c9eb-556b-4e2e-84b8-3913ed46a87a) [![Quality Score](https://img.shields.io/scrutinizer/g/spatie/laravel-cors.svg?style=flat-square)](https://scrutinizer-ci.com/g/spatie/laravel-cors) [![StyleCI](https://styleci.io/repos/113957368/shield?branch=master)](https://styleci.io/repos/113957368) [![Total Downloads](https://img.shields.io/packagist/dt/spatie/laravel-cors.svg?style=flat-square)](https://packagist.org/packages/spatie/laravel-cors) From 5568796ef1e5a2385d13500f09724631a1585bc6 Mon Sep 17 00:00:00 2001 From: Freek Van der Herten Date: Tue, 19 Dec 2017 17:32:33 +0100 Subject: [PATCH 16/42] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ce64e81..1a71eb4 100644 --- a/README.md +++ b/README.md @@ -158,7 +158,7 @@ If you discover any security related issues, please email freek@spatie.be instea ## Alternatives -- [barryvdh/laravel-cors](barryvdh/laravel-cors): a tried and tested package. Our package is a modern rewrite of the basic features of Barry's excellent one. We created our own solution because we needed our configuration to be [very flexible](#creating-your-own-cors-profile). +- [barryvdh/laravel-cors](https://github.com/barryvdh/laravel-cors): a tried and tested package. Our package is a modern rewrite of the basic features of Barry's excellent one. We created our own solution because we needed our configuration to be [very flexible](#creating-your-own-cors-profile). ## Postcardware 
From 3f6d0ffdda7b42d99bb705a5e481dc229eec39b5 Mon Sep 17 00:00:00 2001 From: Freek Van der Herten Date: Fri, 5 Jan 2018 15:42:28 +0100 Subject: [PATCH 17/42] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1a71eb4..d90439e 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,7 @@ [![StyleCI](https://styleci.io/repos/113957368/shield?branch=master)](https://styleci.io/repos/113957368) [![Total Downloads](https://img.shields.io/packagist/dt/spatie/laravel-cors.svg?style=flat-square)](https://packagist.org/packages/spatie/laravel-cors) -This package will add CORS headers to the responses of your Laravel. Read [this excellent article](https://spring.io/understanding/CORS) on the subject if you want to understand what CORS is all about. +This package will add CORS headers to the responses of your Laravel app. Read [this excellent article](https://spring.io/understanding/CORS) on the subject if you want to understand what CORS is all about. This package support preflight request and is easily configurable to fit your needs. From 49e8d467c2bb6107ff45a8f9a9ee096521fccfdf Mon Sep 17 00:00:00 2001 From: Freek Van der Herten Date: Sat, 6 Jan 2018 21:30:34 +0100 Subject: [PATCH 18/42] Update README.md --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index d90439e..4aee8e7 100644 --- a/README.md +++ b/README.md @@ -20,8 +20,6 @@ composer require spatie/laravel-cors The package will automatically register it's service provider. -The provided `Spatie\Cors\Cors` middleware can be registered in the api middleware group. - You must register it as global middleware. ```php From 2b708de1328e3b549c71fd283a158fc38324959e Mon Sep 17 00:00:00 2001 From: Chris Brown Date: Wed, 10 Jan 2018 16:01:09 -0500 Subject: [PATCH 19/42] Update README.md Just a few typos and tweaks for clarity --- README.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) 
diff --git a/README.md b/README.md index 4aee8e7..3083d82 100644 --- a/README.md +++ b/README.md @@ -8,7 +8,7 @@ This package will add CORS headers to the responses of your Laravel app. Read [this excellent article](https://spring.io/understanding/CORS) on the subject if you want to understand what CORS is all about. -This package support preflight request and is easily configurable to fit your needs. +This package supports preflight requests and is easily configurable to fit your needs. ## Installation @@ -18,7 +18,7 @@ You can install the package via composer: composer require spatie/laravel-cors ``` -The package will automatically register it's service provider. +The package will automatically register its service provider. You must register it as global middleware. @@ -86,9 +86,9 @@ return [ ## Usage -With the middleware installed your api routes should now get apprioriate cors headers. Preflight requests will be handled as well. If a request comes in that is not allowed, Laravel will return a `403` response. +With the middleware installed your API routes should now get apprioriate CORS headers. Preflight requests will be handled as well. If a request comes in that is not allowed, Laravel will return a `403` response. -The default configuration of this package allows all requests from any origin. You probably want to at least specify some origins. If you want to allow requests to come in in from `https://spatie.be` and `https://laravel.com` add those domains to the config file: +The default configuration of this package allows all requests from any origin (denoted as `'*'`). You probably want to at least specify some origins relevant to your project. If you want to allow requests to come in from `https://spatie.be` and `https://laravel.com` add those domains to the config file: ```php // config/cors.php 
@@ -104,11 +104,11 @@ The default configuration of this package allows all requests from any origin. Y ... ``` -### Creating your own cors profile +### Creating your own CORS profile -Imagine you want to specify allowed origins based on the user that is currently logged in. In that case the `DefaultProfile` which just reads the config file won't cut it. Fortunately it's very easy to write your own cors profile. A valid cors profile is any class that extends `Spatie\Cors\DefaultProfile`. +Imagine you want to specify allowed origins based on the user that is currently logged in. In that case the `DefaultProfile` which just reads the config file won't cut it. Fortunately it's very easy to write your own CORS profile, which is simply a class that extends `Spatie\Cors\DefaultProfile`. -Here's a quick example where it is assumed that you've already added a `allowed_domains` column on your user model: +Here's a quick example where it is assumed that you've already added an `allowed_domains` column on your user model: ```php namespace App\Services\Cors; From b21f6a41a8126da05b47650137e0f3e9ad1e0812 Mon Sep 17 00:00:00 2001 From: sixlive Date: Tue, 6 Feb 2018 10:14:51 -0500 Subject: [PATCH 20/42] Adds laravel 5.6 support --- composer.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/composer.json b/composer.json index 73d9b9c..2ae0451 100644 --- a/composer.json +++ b/composer.json @@ -21,7 +21,7 @@ ], "require": { "php": "^7.0", - "illuminate/support": "5.5.*" + "illuminate/support": "5.5.*|5.6.*" }, "require-dev": { "orchestra/testbench": "3.5.*", From 390099a45f0639eefd1b7093e20d60ad4a99ae5a Mon Sep 17 00:00:00 2001 From: Thomas Mills Date: Tue, 6 Feb 2018 20:07:10 +0100 Subject: [PATCH 21/42] Update README.md Just one tiny fix with the custom CORS profile example. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3083d82..412455a 100644 --- a/README.md +++ b/README.md 
@@ -113,7 +113,7 @@ Here's a quick example where it is assumed that you've already added an `allowed ```php namespace App\Services\Cors; -use Spatie\Cors\DefaultProfile; +use Spatie\Cors\CorsProfile\DefaultProfile; class UserBasedCorsProfile extends DefaultProfile; { From 8912cc85185117135c5a624e411797944ff3d881 Mon Sep 17 00:00:00 2001 From: sixlive Date: Wed, 7 Feb 2018 15:52:29 -0500 Subject: [PATCH 22/42] Adds orchestral/testbench 3.6 in prep for release --- composer.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/composer.json b/composer.json index 2ae0451..25322aa 100644 --- a/composer.json +++ b/composer.json @@ -24,7 +24,7 @@ "illuminate/support": "5.5.*|5.6.*" }, "require-dev": { - "orchestra/testbench": "3.5.*", + "orchestra/testbench": "3.6.*", "phpunit/phpunit": "^6.5.4" }, "autoload": { From d27426244d9f82cdf07e33c6ee8c600ce37c44d0 Mon Sep 17 00:00:00 2001 From: sixlive Date: Wed, 7 Feb 2018 17:00:49 -0500 Subject: [PATCH 23/42] Allow testbench 3.5 for backwards compat --- composer.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/composer.json b/composer.json index 25322aa..6294c47 100644 --- a/composer.json +++ b/composer.json @@ -24,7 +24,7 @@ "illuminate/support": "5.5.*|5.6.*" }, "require-dev": { - "orchestra/testbench": "3.6.*", + "orchestra/testbench": "3.5.*|3.6.*", "phpunit/phpunit": "^6.5.4" }, "autoload": { From bd1399acceda9ae65a52344a40f42dfc669f64d1 Mon Sep 17 00:00:00 2001 From: sixlive Date: Wed, 7 Feb 2018 17:04:47 -0500 Subject: [PATCH 24/42] Prep changelog --- CHANGELOG.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2da12e0..6e6df87 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,10 @@ All notable changes to `laravel-cors` will be documented in this file -## 1.0.0 - 2019-12-19 +## 1.0.1 - 2018-02-07 + +- Adds support for Laravel 5.6 + +## 1.0.0 - 2018-12-19 - initial release 
From 58686836cf5311f6ba51a94072a419dedf873459 Mon Sep 17 00:00:00 2001 From: sixlive Date: Wed, 7 Feb 2018 18:09:11 -0500 Subject: [PATCH 25/42] Accept phpunit 7 --- composer.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/composer.json b/composer.json index 6294c47..8e4a86c 100644 --- a/composer.json +++ b/composer.json @@ -25,7 +25,7 @@ }, "require-dev": { "orchestra/testbench": "3.5.*|3.6.*", - "phpunit/phpunit": "^6.5.4" + "phpunit/phpunit": "^6.5.4|7.0.*" }, "autoload": { "psr-4": { From 61966da0a7d718d4ef8151d6e9a9b2b946646848 Mon Sep 17 00:00:00 2001 From: Freek Van der Herten Date: Thu, 8 Feb 2018 01:12:44 +0100 Subject: [PATCH 26/42] Update composer.json --- composer.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/composer.json b/composer.json index 8e4a86c..2dce5d7 100644 --- a/composer.json +++ b/composer.json @@ -25,7 +25,7 @@ }, "require-dev": { "orchestra/testbench": "3.5.*|3.6.*", - "phpunit/phpunit": "^6.5.4|7.0.*" + "phpunit/phpunit": "^6.5.4|^7.0" }, "autoload": { "psr-4": { From a48cdf59362e82c5b4213073c7491f3f09dd4c23 Mon Sep 17 00:00:00 2001 From: Benjamin Crozat Date: Fri, 9 Feb 2018 15:14:34 +0100 Subject: [PATCH 27/42] Added support for Lumen --- src/CorsServiceProvider.php | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/src/CorsServiceProvider.php b/src/CorsServiceProvider.php index 6188568..238f6f6 100644 --- a/src/CorsServiceProvider.php +++ b/src/CorsServiceProvider.php @@ -11,9 +11,9 @@ class CorsServiceProvider extends ServiceProvider { public function boot() { - if ($this->app->runningInConsole()) { + if ($this->isNotLumen() && $this->app->runningInConsole()) { $this->publishes([ - __DIR__.'/../config/cors.php' => config_path('cors.php'), + __DIR__ . '/../config/cors.php' => config_path('cors.php'), ], 'config'); } 
@@ -28,6 +28,13 @@ public function boot() public function register() { - $this->mergeConfigFrom(__DIR__.'/../config/cors.php', 'cors'); + if ($this->isNotLumen()) { + $this->mergeConfigFrom(__DIR__ . '/../config/cors.php', 'cors'); + } + } + + protected function isNotLumen() + { + return ! preg_match('/lumen/i', app()->version()); } } From dcf6d5c319762eb5c71c5867ed2e4afdde472656 Mon Sep 17 00:00:00 2001 From: Benjamin Crozat Date: Fri, 9 Feb 2018 15:21:30 +0100 Subject: [PATCH 28/42] Updated README.md --- README.md | 33 ++++++++++++++++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 412455a..64001dc 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,12 @@ This package supports preflight requests and is easily configurable to fit your ## Installation -You can install the package via composer: +- [Laravel](#laravel) +- [Lumen](#lumen) + +### Laravel + +You can install the package via Composer: ```bash composer require spatie/laravel-cors @@ -84,6 +89,32 @@ return [ ]; ``` +### Lumen + +You can install the package via Composer: + +```bash +composer require spatie/laravel-cors +``` + +Copy the config file from the vendor directory: + +```bash +cp vendor/spatie/laravel-cors/config/cors.php config/cors.php +``` + +Register the config file, the middleware and the service provider in `bootstrap/app.php`: + +```php +$app->configure('cors'); + +$app->middleware([ + Spatie\Cors\Cors::class, +]); + +$app->register(Spatie\Cors\CorsServiceProvider::class); +``` + ## Usage With the middleware installed your API routes should now get apprioriate CORS headers. Preflight requests will be handled as well. If a request comes in that is not allowed, Laravel will return a `403` response. From 1383a601895bec883ce0d8098b23533367a8b896 Mon Sep 17 00:00:00 2001 
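Review bot: `isNotLumen()` picks the framework by matching `/lumen/i` against `app()->version()`, which ties config loading to the wording of a version string and uses the global helper although `boot()` in the same provider goes through `$this->app`. Because `mergeConfigFrom()` is now skipped on Lumen, the package defaults are never merged there. If the manual copy and `$app->configure('cors')` step is missed, the profile presumably reads null for `allow_origins` and the other keys. Declare the return type like the other predicates in the package, `protected function isNotLumen(): bool`, use `$this->app->version()`, and add a comment saying that on Lumen the config file must be copied and registered by hand.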
From: Benjamin Crozat Date: Fri, 9 Feb 2018 15:22:09 +0100 Subject: [PATCH 29/42] Updated composer.json --- composer.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/composer.json b/composer.json index 2dce5d7..4664053 100644 --- a/composer.json +++ b/composer.json @@ -1,6 +1,6 @@ { "name": "spatie/laravel-cors", - "description": "Send CORS headers in a Laravel application", + "description": "Send CORS headers in a Laravel or Lumen application", "keywords": [ "spatie", "laravel-cors", From a0a3023c5847687befbd10de4f888c416238c0cd Mon Sep 17 00:00:00 2001 From: Benjamin Crozat Date: Fri, 9 Feb 2018 15:22:52 +0100 Subject: [PATCH 30/42] Updated README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 64001dc..24035cb 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,7 @@ [![StyleCI](https://styleci.io/repos/113957368/shield?branch=master)](https://styleci.io/repos/113957368) [![Total Downloads](https://img.shields.io/packagist/dt/spatie/laravel-cors.svg?style=flat-square)](https://packagist.org/packages/spatie/laravel-cors) -This package will add CORS headers to the responses of your Laravel app. Read [this excellent article](https://spring.io/understanding/CORS) on the subject if you want to understand what CORS is all about. +This package will add CORS headers to the responses of your Laravel or Lumen app. Read [this excellent article](https://spring.io/understanding/CORS) on the subject if you want to understand what CORS is all about. This package supports preflight requests and is easily configurable to fit your needs. From cb470df9ab1c00ce09e298e8a6a25acdac047af2 Mon Sep 17 00:00:00 2001 From: Benjamin Crozat Date: Fri, 9 Feb 2018 15:27:47 +0100 Subject: [PATCH 31/42] Code style fixes --- src/CorsServiceProvider.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/CorsServiceProvider.php b/src/CorsServiceProvider.php index 238f6f6..62ff27d 100644 
--- a/src/CorsServiceProvider.php +++ b/src/CorsServiceProvider.php @@ -13,7 +13,7 @@ public function boot() { if ($this->isNotLumen() && $this->app->runningInConsole()) { $this->publishes([ - __DIR__ . '/../config/cors.php' => config_path('cors.php'), + __DIR__.'/../config/cors.php' => config_path('cors.php'), ], 'config'); } @@ -29,7 +29,7 @@ public function boot() public function register() { if ($this->isNotLumen()) { - $this->mergeConfigFrom(__DIR__ . '/../config/cors.php', 'cors'); + $this->mergeConfigFrom(__DIR__.'/../config/cors.php', 'cors'); } } From 597587b008f47cc28e06ddecee73946cb1a887b8 Mon Sep 17 00:00:00 2001 From: Benjamin Crozat Date: Mon, 12 Feb 2018 14:12:11 +0100 Subject: [PATCH 32/42] Changed isNotLumen to isLaravel --- src/CorsServiceProvider.php | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/CorsServiceProvider.php b/src/CorsServiceProvider.php index 62ff27d..bd2ef0b 100644 --- a/src/CorsServiceProvider.php +++ b/src/CorsServiceProvider.php @@ -11,9 +11,9 @@ class CorsServiceProvider extends ServiceProvider { public function boot() { - if ($this->isNotLumen() && $this->app->runningInConsole()) { + if ($this->isLaravel() && $this->app->runningInConsole()) { $this->publishes([ - __DIR__.'/../config/cors.php' => config_path('cors.php'), + __DIR__ . '/../config/cors.php' => config_path('cors.php'), ], 'config'); } @@ -28,12 +28,12 @@ public function boot() public function register() { - if ($this->isNotLumen()) { - $this->mergeConfigFrom(__DIR__.'/../config/cors.php', 'cors'); + if ($this->isLaravel()) { + $this->mergeConfigFrom(__DIR__ . '/../config/cors.php', 'cors'); } } - protected function isNotLumen() + protected function isLaravel() { return ! preg_match('/lumen/i', app()->version()); } From 0e247545df180ad2e4bc13396567d97b9fbae35d Mon Sep 17 00:00:00 2001 
From: Freek Van der Herten Date: Mon, 12 Feb 2018 15:56:49 +0000 Subject: [PATCH 33/42] Apply fixes from StyleCI --- src/CorsServiceProvider.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/CorsServiceProvider.php b/src/CorsServiceProvider.php index bd2ef0b..bbbe752 100644 --- a/src/CorsServiceProvider.php +++ b/src/CorsServiceProvider.php @@ -13,7 +13,7 @@ public function boot() { if ($this->isLaravel() && $this->app->runningInConsole()) { $this->publishes([ - __DIR__ . '/../config/cors.php' => config_path('cors.php'), + __DIR__.'/../config/cors.php' => config_path('cors.php'), ], 'config'); } @@ -29,7 +29,7 @@ public function boot() public function register() { if ($this->isLaravel()) { - $this->mergeConfigFrom(__DIR__ . '/../config/cors.php', 'cors'); + $this->mergeConfigFrom(__DIR__.'/../config/cors.php', 'cors'); } } From 5cb8ae5c3b201c5b34fb282e8a6a2fb4eb11dbfb Mon Sep 17 00:00:00 2001 From: Freek Van der Herten Date: Mon, 12 Feb 2018 16:57:51 +0100 Subject: [PATCH 34/42] Update CHANGELOG.md --- CHANGELOG.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6e6df87..3c0fd2f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,9 +2,13 @@ All notable changes to `laravel-cors` will be documented in this file +## 1.0.2 - 2018-02-12 + +- add support for Lumen + ## 1.0.1 - 2018-02-07 -- Adds support for Laravel 5.6 +- add support for Laravel 5.6 ## 1.0.0 - 2018-12-19 From a0b3c46497595e25cfbc24c301b2a0a76c229c16 Mon Sep 17 00:00:00 2001 From: Chris Breuer Date: Wed, 28 Feb 2018 09:56:22 -0800 Subject: [PATCH 35/42] fix typo MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit just changed “orgins” to “origins” --- config/cors.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/cors.php b/config/cors.php index 91dc90b..bf5e4da 100644 --- a/config/cors.php +++ b/config/cors.php 
@@ -3,7 +3,7 @@ return [ /* - * A cors profile determines which orgins, methods, headers are allowed for + * A cors profile determines which origins, methods, headers are allowed for * a given requests. The `DefaultProfile` reads its configuration from this * config file. * From 01e8fc12dc6be57f3d75a21c3a84df517aacb088 Mon Sep 17 00:00:00 2001 From: Freek Van der Herten Date: Wed, 28 Feb 2018 19:52:07 +0100 Subject: [PATCH 36/42] Update CHANGELOG.md --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3c0fd2f..dec490b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,10 @@ All notable changes to `laravel-cors` will be documented in this file +## 1.0.3 - 2018-02-28 + +- fix typo in config + ## 1.0.2 - 2018-02-12 - add support for Lumen From b308fbf6d357d5afb16da040fa043a812268c8ca Mon Sep 17 00:00:00 2001 From: Joshua Noyes Date: Wed, 7 Mar 2018 15:07:09 +0000 Subject: [PATCH 37/42] Add forbidden_response to default_profile --- config/cors.php | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/config/cors.php b/config/cors.php index bf5e4da..9e381d1 100644 --- a/config/cors.php +++ b/config/cors.php @@ -37,6 +37,11 @@ 'Authorization', ], + 'forbidden_response' => [ + 'message' => 'Forbidden (cors).', + 'status' => 403, + ], + /* * Preflight request will respond with value for the max age header. */ From 3e440790c78913bc76a447bf6eec54b7aebb9b84 Mon Sep 17 00:00:00 2001 From: Joshua Noyes Date: Wed, 7 Mar 2018 15:09:20 +0000 Subject: [PATCH 38/42] Add forbiddenMessage and forbiddenStatus to CorsProfile --- src/Cors.php | 5 ++++- src/CorsProfile/CorsProfile.php | 4 ++++ src/CorsProfile/DefaultProfile.php | 18 ++++++++++++++++++ 3 files changed, 26 insertions(+), 1 deletion(-) diff --git a/src/Cors.php b/src/Cors.php index 9260338..fd81ec2 100644 --- a/src/Cors.php +++ b/src/Cors.php 
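Review bot: The new `forbidden_response` entry in config/cors.php (PATCH 37) has no comment, unlike the preflight max-age entry that follows it in the same hunk. I would add one above the key, for example `/* The message and HTTP status code sent when a request is rejected by the cors profile. */`. Since the message ends up as the response body for rejected cross-origin requests, the comment could also say that it should stay generic and carry no internal details.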
@@ -69,6 +69,9 @@ protected function handlePreflightRequest() protected function forbiddenResponse() { - return response('Forbidden (cors).', 403); + return response( + $this->corsProfile->forbiddenMessage(), + $this->corsProfile->forbiddenStatus() + ); } } diff --git a/src/CorsProfile/CorsProfile.php b/src/CorsProfile/CorsProfile.php index 194b1a0..9abadc5 100644 --- a/src/CorsProfile/CorsProfile.php +++ b/src/CorsProfile/CorsProfile.php @@ -19,4 +19,8 @@ public function addPreflightHeaders($response); public function maxAge(): int; public function isAllowed(): bool; + + public function forbiddenMessage(): string; + + public function forbiddenStatus(): int; } diff --git a/src/CorsProfile/DefaultProfile.php b/src/CorsProfile/DefaultProfile.php index 6a4987a..8a2d46c 100644 --- a/src/CorsProfile/DefaultProfile.php +++ b/src/CorsProfile/DefaultProfile.php @@ -60,6 +60,24 @@ public function isAllowed(): bool return in_array($this->request->header('Origin'), $this->allowOrigins()); } + public function forbiddenMessage(): string + { + if (!is_string(config('cors.default_profile.forbidden_response.message'))) { + return 'Forbidden (cors).'; + } + + return config('cors.default_profile.forbidden_response.message'); + } + + public function forbiddenStatus(): int + { + if (!is_integer(config('cors.default_profile.forbidden_response.status'))) { + return 403; + } + + return config('cors.default_profile.forbidden_response.status'); + } + protected function toString(array $array): string { return implode(', ', $array); From 45d66cf32c238222f9f337ce5a26856a1b574310 Mon Sep 17 00:00:00 2001 From: Joshua Noyes Date: Wed, 7 Mar 2018 15:11:05 +0000 Subject: [PATCH 39/42] Add test for custom forbidden responses --- tests/CorsTest.php | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/tests/CorsTest.php b/tests/CorsTest.php index c233295..0b7a830 100644 --- a/tests/CorsTest.php +++ b/tests/CorsTest.php 
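Review bot: `forbiddenStatus()` in src/CorsProfile/DefaultProfile.php accepts any integer found in config, so a value such as 200 would make a rejected cross-origin request look successful to the client, and a value outside the HTTP status range would presumably fail when the response is built. I would read the value once into `$status` and restrict it to the error range, e.g. `if (! is_int($status) || $status < 400 || $status > 599) { return 403; }`. The same unchecked value survives in the later `is_int($status) ? $status : 403` in `forbiddenResponse()` (PATCH 42, src/Cors.php). Both new methods also call `config()` twice for the same key, which a local variable would avoid.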
@@ -46,7 +46,24 @@ public function it_will_send_a_403_for_invalid_requests() $this ->sendRequest('POST', 'https://laravel.com') - ->assertStatus(403); + ->assertStatus(403) + ->assertSee('Forbidden (cors).'); + } + + /** @test */ + public function it_sends_the_custom_forbidden_response_for_invalid_requests() + { + $forbiddenMessage = 'Custom forbidden message'; + $forbiddenStatus = 400; + + config()->set('cors.default_profile.allow_origins', ['https://spatie.be']); + config()->set('cors.default_profile.forbidden_response.message', $forbiddenMessage); + config()->set('cors.default_profile.forbidden_response.status', $forbiddenStatus); + + $this + ->sendRequest('POST', 'https://laravel.com') + ->assertStatus($forbiddenStatus) + ->assertSee($forbiddenMessage); } public function sendRequest(string $method, string $origin) From c160d2dbfd1d04f090fb219dac2a26b3fc7d570f Mon Sep 17 00:00:00 2001 From: Joshua Noyes Date: Wed, 7 Mar 2018 15:22:22 +0000 Subject: [PATCH 40/42] Update README.md --- README.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/README.md b/README.md index 24035cb..11e132a 100644 --- a/README.md +++ b/README.md @@ -80,6 +80,11 @@ return [ 'Origin', 'Authorization', ], + + 'forbidden_response' => [ + 'message' => 'Forbidden (cors).', + 'status' => 403, + ], /* * Preflight request will respond with value for the max age header. @@ -155,6 +160,22 @@ class UserBasedCorsProfile extends DefaultProfile; } ``` +You can specify a custom HTTP status code and message for the response sent when a request is forbidden by adding the appropriate methods to your custom profile class. In this example, we make use of Laravel's Localization feature: + + +```php + public function forbiddenMessage(): string + { + return __('errors.cors.forbidden'); + } + + + public function forbiddenStatus(): int + { + return 400; + } +``` + Don't forget to register your profile in the config file. ```php 
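Review bot: The added test in tests/CorsTest.php covers only a valid custom message and status, so the fallback branches introduced with `forbiddenMessage()` and `forbiddenStatus()` are never exercised. A second case that sets `cors.default_profile.forbidden_response.status` to a non-integer such as `'400'` and the message to `null`, then asserts `->assertStatus(403)->assertSee('Forbidden (cors).')`, would pin the defaults that a misconfigured deployment relies on.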
From 556ee65d738a6a502c8a4ed5f15a74c0d8e24315 Mon Sep 17 00:00:00 2001 From: Joshua Noyes Date: Wed, 7 Mar 2018 15:48:57 +0000 Subject: [PATCH 41/42] StyleCI fixes --- src/CorsProfile/DefaultProfile.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/CorsProfile/DefaultProfile.php b/src/CorsProfile/DefaultProfile.php index 8a2d46c..e6e0170 100644 --- a/src/CorsProfile/DefaultProfile.php +++ b/src/CorsProfile/DefaultProfile.php @@ -62,7 +62,7 @@ public function isAllowed(): bool public function forbiddenMessage(): string { - if (!is_string(config('cors.default_profile.forbidden_response.message'))) { + if (! is_string(config('cors.default_profile.forbidden_response.message'))) { return 'Forbidden (cors).'; } @@ -71,7 +71,7 @@ public function forbiddenMessage(): string public function forbiddenStatus(): int { - if (!is_integer(config('cors.default_profile.forbidden_response.status'))) { + if (! is_int(config('cors.default_profile.forbidden_response.status'))) { return 403; } From de131c07887d12bfc13fea35da68da7ce0b8503d Mon Sep 17 00:00:00 2001 From: Joshua Noyes Date: Thu, 8 Mar 2018 18:06:52 +0000 Subject: [PATCH 42/42] Remove forbiddenMessage() and forbiddenStatus() from CorsProfile to avoid breaking changes --- README.md | 17 +++++------------ src/Cors.php | 7 +++++-- src/CorsProfile/CorsProfile.php | 4 ---- src/CorsProfile/DefaultProfile.php | 18 ------------------ 4 files changed, 10 insertions(+), 36 deletions(-) diff --git a/README.md b/README.md index 11e132a..8abce29 100644 --- a/README.md +++ b/README.md 
@@ -160,20 +160,13 @@ class UserBasedCorsProfile extends DefaultProfile; } ``` -You can specify a custom HTTP status code and message for the response sent when a request is forbidden by adding the appropriate methods to your custom profile class. In this example, we make use of Laravel's Localization feature: - +You can override the default HTTP status code and message returned when a request is forbidden by editing the `forbidden_response` array in your configuration file: ```php - public function forbiddenMessage(): string - { - return __('errors.cors.forbidden'); - } - - - public function forbiddenStatus(): int - { - return 400; - } + 'forbidden_response' => [ + 'message' => 'Your request failed', + 'status' => 400, + ], ``` Don't forget to register your profile in the config file. diff --git a/src/Cors.php b/src/Cors.php index fd81ec2..37079d5 100644 --- a/src/Cors.php +++ b/src/Cors.php @@ -69,9 +69,12 @@ protected function handlePreflightRequest() protected function forbiddenResponse() { + $message = config('cors.default_profile.forbidden_response.message'); + $status = config('cors.default_profile.forbidden_response.status'); + return response( - $this->corsProfile->forbiddenMessage(), - $this->corsProfile->forbiddenStatus() + is_string($message) ? $message : 'Forbidden (cors).', + is_int($status) ? $status : 403 ); } } diff --git a/src/CorsProfile/CorsProfile.php b/src/CorsProfile/CorsProfile.php index 9abadc5..194b1a0 100644 --- a/src/CorsProfile/CorsProfile.php +++ b/src/CorsProfile/CorsProfile.php @@ -19,8 +19,4 @@ public function addPreflightHeaders($response); public function maxAge(): int; public function isAllowed(): bool; - - public function forbiddenMessage(): string; - - public function forbiddenStatus(): int; } diff --git a/src/CorsProfile/DefaultProfile.php b/src/CorsProfile/DefaultProfile.php index e6e0170..6a4987a 100644 --- a/src/CorsProfile/DefaultProfile.php +++ b/src/CorsProfile/DefaultProfile.php 
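Review bot: `forbiddenResponse()` in src/Cors.php now reads `cors.default_profile.forbidden_response.*` directly, so the rejection response always comes from the default profile's config section, even when a custom `CorsProfile` is injected, and a custom profile can no longer influence it. If that coupling is intended, the method should carry a docblock saying so, e.g. `/** Builds the rejection response from cors.default_profile.forbidden_response, falling back to 'Forbidden (cors).' and 403 when the values are not a string or an int. */`. The README paragraph changed in the same commit sits between the custom-profile example and "Don't forget to register your profile", which may read as if the setting belonged to the custom profile.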
@@ -60,24 +60,6 @@ public function isAllowed(): bool return in_array($this->request->header('Origin'), $this->allowOrigins()); } - public function forbiddenMessage(): string - { - if (! is_string(config('cors.default_profile.forbidden_response.message'))) { - return 'Forbidden (cors).'; - } - - return config('cors.default_profile.forbidden_response.message'); - } - - public function forbiddenStatus(): int - { - if (! is_int(config('cors.default_profile.forbidden_response.status'))) { - return 403; - } - - return config('cors.default_profile.forbidden_response.status'); - } - protected function toString(array $array): string { return implode(', ', $array);