I have the following in my behaviors
public function behaviors()
{
$behaviors = parent::behaviors();
$auth = $behaviors['authenticator'] = [
'class' => CompositeAuth::className(),
'authMethods' => [
HttpBearerAuth::className(),
QueryParamAuth::className(),
],
'except' => ['login', 'check-token-validity', 'test-accounts'],
];
unset($behaviors['authenticator']);
$behaviors['corsFilter'] = [
'class' => Cors::className(),
'cors' => [
// 'Origin' => ['*'],
'Access-Control-Allow-Credentials' => true,
'Origin' => static::allowedDomains(),
'Access-Control-Request-Method' => ['POST', 'PUT'],
'Access-Control-Expose-Headers' => ['Access_status_code'],
],
];
$behaviors['verbs'] = [
'class' => VerbFilter::className(),
'actions' => [
'delete' => ['POST', 'OPTIONS'],
],
];
$behaviors['authenticator'] = $auth;
//access
return $behaviors;
}
public static function allowedDomains()
{
return [
'http://test1.example.com',
'http://test2.example.com',
];
}
As from the above, I have set origin as the above static domains but when I checked on my ajax request response I found out that the response header origin is set as Access-Control-Allow-Origin: *
Also, I haven't been able to restrict access methods despite setting Access-Control-Request-Method
What else do I need to add for this to work?
