
I am using Laravel 5.8 and I am separating out my frontend and backend and currently testing on my localhost.

I've fixed some terrible CORS issues, and I do not want to install an external composer package to fix such a simple issue.

I'm simply initiating a user's session by a GET request to /user to set the session cookies, start the session, and get the CSRF token.

Everything works, 200 responses and no CORS errors, though the cookies are not getting saved. Access-Control-Allow-Credentials: true is set.

This is a problem because, in order to log in, the CSRF token and the cookies must match. So if the user does not have the cookies set there is no way to safely authenticate.

As the cookie domain, I am using http://localhost.

// The global Axios config I'm using to make all requests.

const main_axios = axios.create({
    baseURL: process.env.ROOT_API + process.env.API_VERSION,
    withCredentials: true,
    headers : {
        'Content-Type': 'application/x-www-form-urlencoded',
    },
});

GET Request to /user to init cookies, session, and get csrf token:

Host: localhost:8000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:8080/
Origin: http://localhost:8080
DNT: 1
Connection: keep-alive
Cache-Control: max-age=0

Response: ( 200 )

HTTP/1.1 200 OK
Host: localhost:8000
Date: Tue, 24 Sep 2019 14:45:02 -0400
Connection: close
X-Powered-By: PHP/7.2.11
Cache-Control: no-cache, private
Date: Tue, 24 Sep 2019 18:45:02 GMT
Content-Type: application/json
Access-Control-Allow-Headers: Origin, Content-Type, Accept, Authorization, DNT, X-Requested-With, Application
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://localhost:8080
Set-Cookie: XSRF-TOKEN=<...>; expires=Tue, 24-Sep-2019 20:45:02 GMT; Max-Age=7200; path=/; domain=http://localhost
Set-Cookie: smartgames_session=<...>; expires=Tue, 24-Sep-2019 20:45:02 GMT; Max-Age=7200; path=/; domain=http://localhost

Response Body

{"token":"8yNgrCV8YNs9fU46rSHky2vonzqrmN0S8blxzUWM"}

The Set-Cookie headers do not get saved in the browser; `console.log(document.cookie);` prints `""`.

The console shows none of the CORS warnings I was getting beforehand.

Cors middleware:

<?php

namespace App\Http\Middleware;

use Closure;

class Cors
{
    // Adds the CORS response headers for the SPA origin (http://localhost:8080).
    // Access-Control-Allow-Origin has to be a single explicit origin, not "*",
    // for Access-Control-Allow-Credentials: true to have any effect.
    public function handle($request, Closure $next)
    {
        return $next($request)
            ->header('Access-Control-Allow-Headers', 'Origin, Content-Type, Accept, Authorization, DNT, X-Requested-With, Application')
            ->header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS')
            ->header('Access-Control-Allow-Credentials', 'true')
            ->header('Access-Control-Allow-Origin', 'http://localhost:8080');
    }
}

Kernel:

protected $middleware = [
    \App\Http\Middleware\Cors::class,
    ...
];

protected $middlewareGroups = [
    'web' => [
        \App\Http\Middleware\Cors::class,
        ...
    ],
    ...
];

protected $routeMiddleware = [
    'cors' => \App\Http\Middleware\Cors::class,
    ...
];

protected $middlewarePriority = [
    \App\Http\Middleware\Cors::class,
    ...
];

routes:

Route::group(['middleware' => ['cors']], function () {

    // to get cookies and get csrf      
    Route::get('/user', 'API\v1\UserController@user_init');

    Auth::routes();
});

Before starting the server:

$ php artisan cache:clear && php artisan route:cache && php artisan serve

Any help is much appreciated; I've been banging my head on this for a long while. Thank you all.
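Added example (not code from the question, and not Laravel's or any browser's own implementation): a small model of the RFC 6265 rules a user agent applies to the Domain attribute of a Set-Cookie header, run against the domain values that come up in this thread (`http://localhost`, `localhost`, `*.localhost`) and against a cookie with no Domain attribute at all. The request host, cookie names and values are constructed for the example.

```javascript
// Added example: a minimal model of RFC 6265 cookie acceptance, to show why a
// Set-Cookie whose Domain attribute carries a URL scheme (domain=http://localhost)
// is silently dropped by the browser while the rest of the response succeeds.

// Canonicalise the request host the way a user agent does before matching:
// strip any port and lowercase. "localhost:8000" -> "localhost".
// Cookies are not port-scoped, so 8000 vs 8080 does not matter here.
function canonicalHost(hostHeader) {
  return hostHeader.replace(/:\d+$/, "").toLowerCase();
}

// RFC 6265 section 5.2.3: parse the Domain attribute value. A leading dot is
// ignored, the result is lowercased, and an empty value means "no attribute".
function parseDomainAttribute(value) {
  if (value === undefined || value === null) return "";
  let v = value.trim();
  if (v.startsWith(".")) v = v.slice(1);
  return v.toLowerCase();
}

// RFC 6265 section 5.1.3 domain-matching: the request host either equals the
// cookie domain, or ends with "." + cookie domain and is a host name rather
// than an IPv4 literal. No wildcard syntax exists, so "*.localhost" never matches.
function domainMatches(requestHost, cookieDomain) {
  if (requestHost === cookieDomain) return true;
  if (!requestHost.endsWith("." + cookieDomain)) return false;
  return !/^\d+\.\d+\.\d+\.\d+$/.test(requestHost);
}

// Parse one Set-Cookie header into name, value and lowercased attribute keys.
function parseSetCookie(header) {
  const [nameValue, ...attrParts] = header.split(";");
  const eq = nameValue.indexOf("=");
  const cookie = {
    name: nameValue.slice(0, eq).trim(),
    value: nameValue.slice(eq + 1).trim(),
    attrs: {},
  };
  for (const part of attrParts) {
    const [k, ...rest] = part.split("=");
    cookie.attrs[k.trim().toLowerCase()] = rest.join("=").trim();
  }
  return cookie;
}

// RFC 6265 section 5.3 step 6: a cookie whose Domain attribute the request host
// does not domain-match is ignored entirely. Without a Domain attribute the
// cookie becomes a host-only cookie for the request host.
function evaluateSetCookie(hostHeader, header) {
  const host = canonicalHost(hostHeader);
  const cookie = parseSetCookie(header);
  const domain = parseDomainAttribute(cookie.attrs.domain);
  if (domain === "") {
    return { name: cookie.name, accepted: true, hostOnly: true, domain: host };
  }
  if (!domainMatches(host, domain)) {
    return {
      name: cookie.name,
      accepted: false,
      reason: `request host "${host}" does not domain-match "${domain}"`,
    };
  }
  return { name: cookie.name, accepted: true, hostOnly: false, domain };
}

// Constructed headers mirroring the thread: the response came from
// localhost:8000 with domain=http://localhost; the comments propose
// "localhost" and "*.localhost" as alternatives. Values are placeholders.
const HOST = "localhost:8000";
const CANDIDATES = {
  scheme_in_domain: "smartgames_session=abc; Max-Age=7200; path=/; domain=http://localhost",
  plain_localhost: "smartgames_session=abc; Max-Age=7200; path=/; domain=localhost",
  wildcard: "smartgames_session=abc; Max-Age=7200; path=/; domain=*.localhost",
  no_domain: "smartgames_session=abc; Max-Age=7200; path=/",
};

// Evaluate every candidate and return the verdicts keyed by label.
function runCandidates() {
  const out = {};
  for (const [label, header] of Object.entries(CANDIDATES)) {
    out[label] = evaluateSetCookie(HOST, header);
  }
  return out;
}

console.log(JSON.stringify(runCandidates(), null, 2));
```

Two caveats when checking this against a real browser. First, this models only the RFC text; browsers layer further rules on top (public-suffix checks, and an explicit `Domain=localhost` is rejected outright by some browsers), so for local development the usual approach is to send no Domain attribute at all, which in Laravel 5.8 means leaving `domain` in `config/session.php` (the `SESSION_DOMAIN` variable) unset. Second, `document.cookie` cannot show HttpOnly cookies, and Laravel's session cookie is HttpOnly by default, so an empty `document.cookie` only proves that `XSRF-TOKEN` is missing; confirm whether the session cookie was stored in the browser's storage/cookies devtools panel rather than from script.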

  • `separating out my frontend and backend` <= I wouldn't use cookies/sessions or CSRF in this case at all – Salim Djerbouh Sep 24 '19 at 19:06
  • I suspect "As the cookie domain, I am using `http://localhost`" is a significant part of your issue. It should be just plain `localhost`. No `http://`. – ceejayoz Sep 24 '19 at 19:12
  • 1
    Thanks for help guys, my issue remains. – Zac Sep 24 '19 at 19:16
  • @ceejayoz Issue still remains, I have tried `*.localhost` and `localhost` – Zac Sep 24 '19 at 19:18
  • @CaddyDZ no cookies, sessions, or csrf? What do i use then? – Zac Sep 24 '19 at 19:19
  • `*.localhost` isn't going to work. Go read the duplicate - it's pretty clear on how you'd wildcard. CaddyDZ is suggesting something like Passport (JWT) would make more sense than sessions/cookies. – ceejayoz Sep 24 '19 at 19:27
