Level 75
See if this is helpful: https://laracasts.com/discuss/channels/vue/cors-no-access-control-allow-origin-header-is-present
Sep 23, 2021
14
Level 5
Laravel 8 api autorization header cors
I have an api/books endpoint that returns books in json format. (currently without authorization).
I have a vuejs mobile app that makes the axios call to the books endpoint. I receive the json with success. But as soon as I add the authorization header at the axios call I get a cors error:
'http://localhost:8080' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource'.
My config/cors.php:
<?php
return [
/*
|--------------------------------------------------------------------------
| Cross-Origin Resource Sharing (CORS) Configuration
|--------------------------------------------------------------------------
|
| Here you may configure your settings for cross-origin resource sharing
| or "CORS". This determines what cross-origin operations may execute
| in web browsers. You are free to adjust these settings as needed.
|
| To learn more: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
|
*/
'paths' => ['api/*', 'sanctum/csrf-cookie'],
'allowed_methods' => ['*'],
'allowed_origins' => ['*'],
'allowed_origins_patterns' => [],
'allowed_headers' => ['Authorization'],
'exposed_headers' => [],
'max_age' => 0,
'supports_credentials' => false,
];
I can't allow an origin because it is a mobile app with a token to authenticate.
Level 5
@jlrdw thank you for the response. I tried adding these headers to from that question to the routes/api.php but sadly that doesn't work :(
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE');
header('Access-Control-Allow-Headers: Content-Type, X-Auth-Token, Origin, Authorization');
Level 75
@MarcelWeidum Just wondering if you missed any config steps. Also don't forget to clear config cache after any changes.
Level 5
@jlrdw thank you for thinking with me, but sadly clearing the (config) cache doesn't work.
Level 29
https://laravel.com/docs/8.x/sanctum#cors-and-cookies
set this to true
'supports_credentials' => true,
Level 5
@frankielee thank you for your reply, but that is for session and cookie sharing. But I don't use a specific domain but a mobile app without a web address.
Level 80
@MarcelWeidum A mobile app is still making a network request, and is therefore going to have an origin.
Re-read the link that @frankielee gave to:
You should ensure that your application's CORS configuration is returning the
Access-Control-Allow-Credentialsheader with a value ofTrue. This may be accomplished by setting thesupports_credentialsoption within your application'sconfig/cors.phpconfiguration file totrue.**
The supports_credentials credentials option is nothing to do with sessions or cookies.
1 like
Level 5
@martinbean I gave it a run. But not working either. support_credential = true on server-side. Axios side: withCredentials = true
Level 1
Here's what happened to me, If we using the cors middleware of Laravel, don't return OPTION response in Nginx or Apache. It's conflicting. Hope it useful for you.
Level 5
@Kiddo I don't know what you mean. Can you explain this a little bit so I can try something?
Level 1
@MarcelWeidum Well, I mean make sure the OPTIONS reuqest is handled by Laravel itself.
So, we should make sure some points in WebServer (e.g. Nginx or Apache):
1.The WebServer support OPTIONS request.
2.Don't manually handle OPTIONS request in WebServer.
For example, some people usually add rule in Nginx to resolve cross, like:
location / {
if ($request_method = OPTIONS) {
add_header Access-Control-Allow-Origin *;
add_header Content-Length 0;
add_header Content-Type text/plain;
// May be more add_header xxx;
return 204;
}
}
Level 5
@Kiddo I already posted what was my issue and how I fixed it. Thank you for trying to help though.
Level 5
Turns out it had nothing to do with the CORS config, my server (direct admin) didn't support OPTIONS request. You can enable it like this: https://help.directadmin.com/item.php?id=700 (but also add OPTIONS after GET:DELETE.)
1 like
Please or to participate in this conversation.