AngularJS & Laravel CORS, POST stops after preflig

Posted 2019-06-06 10:20

This is the story of a bird who wants to work for the post but fails during his preflight test...

App built with Laravel being used as a RESTful API and AngularJS/ionic. My API calls were working fine until...for an unknown reason it stopped. Although I set the withCredentials for the angularJS side of the call, the preflight OPTIONS are not sending a cookie but I am receiving one back from Laravel. How can we disable OPTIONS to return a cookie laravel_session? It messes up the CORS as it sets a new session which will obviously be different on every POST. For Laravel side I use the package Laravel/CORS from @barryvdh with the following configuration:

    '*' => array(
        'supportsCredentials' => true,
        'allowedOrigins' => array('*'),
        'allowedHeaders' => array('*'),
        'allowedMethods' => array('POST', 'PUT', 'GET', 'PATCH', 'OPTIONS', 'DELETE'),
        'maxAge' => 36000,
        'hosts' => array('api.*'),
    )

On the Angular side I have the following:

    $http({
        method: 'POST',
        url: 'http://api.blabla.local/banana',
        data: data,
        withCredentials: true
    })

My GET calls work fine and I have one running at start of the app to fetch the CSRF from laravel that I send back when needed.

Right now the following happens:
1. Preflight OPTIONS > request has no cookies for the session. Response = 200 with a different session cookie which will cause the CSRF to cause all the time. [thoughts: the withCredentials does not work with the OPTIONS call]
2. POST > fails with 500, in the headers I see no response but it did send the cookie/session [thoughts: credentials are passed to it but they are also the wrong ones since they have changed on server side because of the preflight option]. Error message says it is not authorized origin.

What's going on? I've been trying for hours now and checked a lot of other posts but nothing seems to help! Can I get rid of the preflight, how? Or is the problem somewhere else (server side I'm using Laravel Homestead)? I feel that the real issue is that the OPTIONS returns a session cookie or simply that the request does include one!

Thanks for your help, I've been stuck for hours and I'm going crazy on that...

2 answers
姐就是有狂的资本
Reply #2 · 2019-06-06 11:12

In the filters.php under L4.2 I ended up using this: The problem is old so not sure it's the only thing I did but looks like it:

App::before(function($request)
{
    //
    // Enable CORS 
    // In production, replace * with http://yourdomain.com 
    header("Access-Control-Allow-Origin: http://mydomain.local");
    header('Access-Control-Allow-Credentials: true'); //optional
    if (Request::getMethod() == "OPTIONS") {
        // The client-side application can set only headers allowed in Access-Control-Allow-Headers
        $headers = [
            'Access-Control-Allow-Methods'=> 'GET, POST, PUT, DELETE',
            'Access-Control-Allow-Headers'=> 'Content-Type'
        ];
        return Response::make('You are connected to the API', 200, $headers);
    }

});


App::after(function($request, $response)
{
    //
});
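The server-side decision discussed in this thread, as an added framework-neutral JavaScript sketch (not code from either poster or from the laravel-cors package). It echoes an allowlisted origin instead of `*`, which browsers reject on credentialed requests, and answers the cookie-less preflight without starting a session. The `corsDecision` name, the `startSession` flag, the 600-second max age and the allowlist values are assumptions for illustration.

```javascript
// Added example: framework-neutral sketch, not Laravel or laravel-cors code.
// The allowlist values and the corsDecision name are assumptions.
const ALLOWED_ORIGINS = new Set(['http://mydomain.local']); // constructed sample
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE'];
const ALLOWED_HEADERS = ['content-type'];

// req = { method, headers } with lower-cased header names.
// Returns { status, headers, startSession }; status is null when the request
// should continue to the normal route handler.
function corsDecision(req) {
  const origin = req.headers['origin'];
  const wantedMethod = req.headers['access-control-request-method'];
  const isPreflight = req.method === 'OPTIONS' && wantedMethod !== undefined;
  // Vary: Origin keeps caches from replaying one origin's answer to another.
  const headers = { 'Vary': 'Origin' };

  if (origin === undefined || !ALLOWED_ORIGINS.has(origin)) {
    // Unlisted origin: send no Access-Control-* headers, so the browser blocks
    // the cross-origin read. A preflight is refused outright.
    return { status: isPreflight ? 403 : null, headers, startSession: !isPreflight };
  }

  // With credentials the browser rejects "*": echo the exact allowlisted origin.
  headers['Access-Control-Allow-Origin'] = origin;
  headers['Access-Control-Allow-Credentials'] = 'true';
  if (!isPreflight) return { status: null, headers, startSession: true };

  const wantedHeaders = (req.headers['access-control-request-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  const ok = ALLOWED_METHODS.includes(wantedMethod) &&
    wantedHeaders.every((h) => ALLOWED_HEADERS.includes(h));
  if (!ok) {
    return { status: 403, headers: { 'Vary': 'Origin' }, startSession: false };
  }

  headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
  headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
  headers['Access-Control-Max-Age'] = '600';
  // Preflights arrive without cookies, so answer before any session code runs:
  // no Set-Cookie here means the session from the earlier GET stays valid.
  return { status: 204, headers, startSession: false };
}
```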