solution to axios.post cors problem

I created routes as such

$router->post('qt','AnalyticsTracker@index');```

Controller:
```public function response()
  {
    return response('', 200);
  }

And also a middleware on these routes to inject the headers.

I don't use axios but you can likely add content headers.

'options' are only sent via ajax/fetch if you don't add for example application/json or text/plain as custom content headers. I forgot the details on the headers but you should be able to find which content headers are needed to have a request with and without options request depending on your goals. I chose not to use options to minimize server requests. This specific app has over 20k a day

yes, HandleCors won't do the trick alone, you still have to provide Access-Control-Request-Headers & Access-Control-Request-Method to your request.

"provide Access-..." headers, where ?

With axios ? Or In Lumen ?

Before using "HandleCors" I was using this Middleware (by Alex Garrett) :

class Cors
{
    public function handle($request, Closure $next)
    {
        $headers = [
            'Access-Control-Allow-Origin' => '*',
            'Access-Control-Allow-Methods' => 'HEAD, GET, POST, PUT, PATCH, DELETE, OPTIONS', 
            'Access-Control-Allow-Headers' => 'Content-Type'
        ];
        
        if ($request->getMethod() === 'OPTIONS') {
            return response(null, 200, $headers);
        }

        $response = $next($request);
        
        foreach ($headers as $key => $value) {
            $response->header($key, $value);
        }
        return $response;
    }
}

I don't have to set the 2 headers using Axios, because I see them in the post request by default :

Access-Control-Request-Headers access-control-allow-origin,content-type

Access-Control-Request-Method POST

Also, CORS works for "axios.get". The problem is just with the "OPTIONS" preflight request.

I'm pretty sure the problem lies on the backend, in Lumen. But the "OPTIONS" request does not even goes at my Cors middleware. If I die at the beginning of the middleware "handle" method, it's not even hit.

How do you have the cors miidleware registered, globally or as group- / routemiddleware?

Options request won't hit any route and because of that, the cors middleware has to be registered as global middleware...

I just noticed my post had a crucial detail fallen off. This time without github formatting...

In your routes file:

$router->options('endpoint','Controller@index'); or the facade Router::options in your case maybe.

And add your Cors middleware here or in the controller constructor

Register your Cors middleware in the http kernel

I have it at the global api group

'api' => [ ... 'cors', ... ]

and here:

protected $routeMiddleware = [ 'auth' => \Illuminate\Auth\Middleware\Authenticate::class,

'cors' => \App\Http\Middleware\Cors::class,

'restricted' => \App\Http\Middleware\RestrictedAccess::class, 'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class, 'bindings' => \Illuminate\Routing\Middleware\SubstituteBindings::class, 'can' => \Illuminate\Auth\Middleware\Authorize::class, 'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class, 'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class, ];

@NISEKU - Globally

@ARTCORE - But I'm on Lumen, so it's different.

What I tried :

In web.php :

$router->options('/', 'LinkController@testcorsoptions');
$router->post('/', 'LinkController@store');

In bootstrap/app.php :

 $app->middleware([
     App\Http\Middleware\Cors::class,
 ]);

"handle" method in middleware not hit

"testcorsoptions" method not hit.

Again this in the console : Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://blabla.local/. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).

I also just tried an "OPTIONS" request in postman : I get "405 Not Allowed nginx/1.15.5"

Interesting test here :

LinkController.php :

    public function testcorsoptions()
    {
        return response('HIT!!!', 200);
    }

TEST 1 : In web.php :

$router->options('/', 'LinkController@testcorsoptions');

Using Postman :

"OPTIONS" request to http://myproject.local/ :

405 Not Allowed nginx/1.15.5

BUT!!! : TEST 2 :

In web.php :

$router->options('/something', 'LinkController@testcorsoptions');

Using Postman :

"OPTIONS" request to http://myproject.local/something :

Status 200 OK HIT!!!

So there's something bad about my root "/" !!! What ?

Unbelievable !

Cors is fully working if I post to something else than the root (/) :

$router->post('/something', 'LinkController@store');

Any idea on what's causing "not allowed" for post request on "/" ?

It's the same with both Alex Garrett and Barryvdh middlewares.

Another interesing thing : I "die" at the first line of "public/index.php".

If I do an "OPTIONS" request to "http://myproject.local/something", the "die" works.

But doing an "OPTIONS" request to "http://myproject.local" : "405 Not Allowed nginx/1.15.5". So it is blocked BEFORE hitting "index.php" (before hitting Lumen app).

So it must be somewhere in nginx config ! but where ?

"OPTIONS" request to "http://myproject.local/index.php" WORKS TOO !!!

So I found that an "OPTIONS" request to "http://myproject.local" works with this change in "/etc/nginx/sites-available/myproject.local" :

    # location ~ \.php$ { 
    location ~ \.php$|/$ {

Now I can post to "myproject.local", "myproject.local/index.php", ""myproject.local/someroute"