Awilum
February 23, 2020, 5:05pm
1
I am using this middleware for slim3 https://github.com/tuupola/cors-middleware
Here is my code to enable CORS Middleware
and here is my API
function validate_delivery_entries_token($request, $flextype) : bool
{
return Filesystem::has(PATH['tokens'] . '/delivery/entries/' . $request->getQueryParams()['token'] . '/token.yaml');
}
/**
* Fetch entry(entries)
*
* endpoint: /api/delivery/entries
*/
$app->get('/api/delivery/entries', function (Request $request, Response $response) use ($flextype) {
// Get Query Params
$query = $request->getQueryParams();
// Set variables
$id = $query['id'];
$args = isset($query['args']) ? $query['args'] : null;
if ($flextype['registry']->get('flextype.api.entries.enabled')) {
I am testing my APIhttps://flextype.org/api/delivery/entries?id=en&token=1a48b9de0494240759c6f85366aaa53d
with https://reqbin.com and I don’t see CORS unfortunately.
Server: nginx/1.14.1
Date: Sun, 23 Feb 2020 17:00:17 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: PHPSESSID=a666c631f8bf297ae47dc4268ced67cc; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Encoding: gzip
because of this issue, I can’t use my API in js app’s: https://svelte.dev/repl/e25e8814cc064868b67dad11c90ed029?version=3.19.0
any ideas why it is so ?
odan
February 23, 2020, 7:57pm
2
Access to fetch at 'https://flextype.org/api/delivery/entries?id=en&token=1a48b9de0494240759c6f85366aaa53d'
from origin 'null' has been blocked by CORS policy:
The 'Access-Control-Allow-Origin' header contains the invalid value ''.
Have the server send the header with a valid value, or, if an opaque
response serves your needs, set the request's mode to 'no-cors' to
fetch the resource with CORS disabled.
The ‘Access-Control-Allow-Origin’ header contains the invalid value ‘’.
Please check your CORS preflight request routes and the CORS preflight response headers for invalid values.
Awilum
February 23, 2020, 11:05pm
3
my data is not valid ? or this $app->add(new CorsMiddleware()); not enough ?
odan
February 24, 2020, 6:51pm
4
According to the error message this is not enough, because the origin value cannot be empty.
Try this:
$app->add(new CorsMiddleware([
"origin" => ["*"],
"methods" => ["GET", "POST", "PUT", "PATCH", "DELETE"],
"headers.allow" => [],
"headers.expose" => [],
"credentials" => false,
"cache" => 0,
]));
This will change the response header Access-Control-Allow-Origin to *.
Awilum
February 25, 2020, 11:47am
5
@odan
I was trying this new example of using Tuupola\Middleware\CorsMiddleware but I still do not see headers, so I don’t know what is wrong really there, and how it will work then on live.
So. I am trying example from Slim 3 doc about CORS, for me it works:
API request:https://test.flextype.org/api/delivery/entries?id=home&token=6d3356131d1bac120a21362a7bac8f42
Postman says it is ok, as I understand:
Svelte fetch, works:
but is it ok ? please review my code:
$app->options('/{routes:.+}', function ($request, $response, $args) {
return $response;
});
$app->add(function ($req, $res, $next) {
$response = $next($req, $res);
return $response
->withHeader('Access-Control-Allow-Origin', '*')
->withHeader('Access-Control-Allow-Headers', 'X-Requested-With, Content-Type, Accept, Origin, Authorization')
->withHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, PATCH, OPTIONS');
});
/**
* Init plugins
*/
$flextype['plugins']->init($flextype, $app);
/**
* Init themes
*/
show original
odan
February 25, 2020, 7:56pm
6
The response headers are looking good
but is it ok ? please review my code:
Honestly, I’m not a big fan of this fallback solution because it never works for me:
$app->options('/{routes:.+}', function ($request, $response, $args) {...
and
$app->map(['GET', 'POST', 'PUT', 'DELETE', 'PATCH'], '/{routes:.+}', function($req, $res) {...
How I solved it:
Remove all catch-all routes
Implement your own CorsMiddleware
Use explicit routes for all OPTIONS routes / CORS preflight requests
If you send Authorization headers like Authorization: Bearer 12345 you also have to return a Access-Control-Allow-Credentials: true in your response header.
Here is my blog post: Slim 4 - CORS | Daniel Opitz - Blog
Awilum
February 25, 2020, 8:49pm
7
Thanks, but it is for Slim4. I think it is may not work In Slim 3, can you help, with this for Slim3 ? what are differents there ?
odan
February 25, 2020, 8:56pm
8
The difference is that Slim 3 has no PSR-15 MiddlewareInterface. But you can rewrite it to a callable middleware like this: https://github.com/odan/prisma/blob/master/src/Middleware/CorsMiddleware.php
Awilum
February 26, 2020, 11:50am
9
Okey, I am was trying to create and use as middleware, but then I think … can we do it just like this ?
$app->get('/api/delivery/entries', function (Request $request, Response $response) use ($flextype) {
...
// Return response
return $response->withJson($data, $response_code)
->withHeader('Access-Control-Allow-Origin', '*')
->withHeader('Access-Control-Allow-Headers', 'X-Requested-With, Content-Type, Accept, Origin, Authorization')
->withHeader('Access-Control-Allow-Methods', 'GET');
});
Postman says that headers are okey, at least I see them.
what do you think @odan ?
Awilum
February 26, 2020, 12:00pm
10
or even just
return $response
->withJson($data, $response_code)
->withHeader('Access-Control-Allow-Origin', '*');
odan
February 26, 2020, 9:44pm
11
No this is not enough, because you would have
to much duplicated code
incorrect / missing / invalid response headers
no CORS preflight requests routes (OPTION requests)
… and I think, it will not work.
Awilum
February 27, 2020, 9:21pm
12
fetch works okey for this request