From ef41e0060a94c37d4a066d2ca85c5a0945999b1b Mon Sep 17 00:00:00 2001 From: snipe Date: Tue, 23 Jul 2019 17:17:01 -0700 Subject: [PATCH 1/8] Added CORS support to API --- app/Http/Kernel.php | 1 + composer.json | 1 + composer.lock | 116 +++++++++++++++++++++++++++++++++++++++++++- config/cors.php | 23 +++++++++ 4 files changed, 140 insertions(+), 1 deletion(-) create mode 100644 config/cors.php diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php index 25bbb7f81a63..14fc378299ae 100644 --- a/app/Http/Kernel.php +++ b/app/Http/Kernel.php @@ -46,6 +46,7 @@ class Kernel extends HttpKernel 'api' => [ 'throttle:120,1', 'auth:api', + \Barryvdh\Cors\HandleCors::class, ], ]; diff --git a/composer.json b/composer.json index b920a2aed4c8..aad02bdb4441 100644 --- a/composer.json +++ b/composer.json @@ -6,6 +6,7 @@ "type": "project", "require": { "php": ">=7.1.2", + "barryvdh/laravel-cors": "^0.11.3", "barryvdh/laravel-debugbar": "^3.2", "doctrine/cache": "^1.8", "doctrine/common": "^2.10", diff --git a/composer.lock b/composer.lock index 4ff057f907db..d1014faf0c5a 100644 --- a/composer.lock +++ b/composer.lock 
@@ -4,8 +4,60 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file", "This file is @generated automatically" ], - "content-hash": "f8b40b743ea544f650ac6c4d8c7a6eda", + "content-hash": "83584cbcfed9d4b063847283c0472606", "packages": [ + { + "name": "asm89/stack-cors", + "version": "1.2.0", + "source": { + "type": "git", + "url": "https://github.com/asm89/stack-cors.git", + "reference": "c163e2b614550aedcf71165db2473d936abbced6" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/asm89/stack-cors/zipball/c163e2b614550aedcf71165db2473d936abbced6", + "reference": "c163e2b614550aedcf71165db2473d936abbced6", + "shasum": "" + }, + "require": { + "php": ">=5.5.9", + "symfony/http-foundation": "~2.7|~3.0|~4.0", + "symfony/http-kernel": "~2.7|~3.0|~4.0" + }, + "require-dev": { + "phpunit/phpunit": "^5.0 || ^4.8.10", + "squizlabs/php_codesniffer": "^2.3" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "1.2-dev" + } + }, + "autoload": { + "psr-4": { + "Asm89\\Stack\\": "src/Asm89/Stack/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Alexander", + "email": "iam.asm89@gmail.com" + } + ], + "description": "Cross-origin resource sharing library and stack middleware", + "homepage": "https://github.com/asm89/stack-cors", + "keywords": [ + "cors", + "stack" + ], + "time": "2017-12-20T14:37:45+00:00" + }, { "name": "bacon/bacon-qr-code", "version": "2.0.0", 
@@ -55,6 +107,68 @@ "homepage": "https://github.com/Bacon/BaconQrCode", "time": "2018-04-25T17:53:56+00:00" }, + { + "name": "barryvdh/laravel-cors", + "version": "v0.11.3", + "source": { + "type": "git", + "url": "https://github.com/barryvdh/laravel-cors.git", + "reference": "c95ac944f2f20a17949aae6645692dfd3b402bca" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/barryvdh/laravel-cors/zipball/c95ac944f2f20a17949aae6645692dfd3b402bca", + "reference": "c95ac944f2f20a17949aae6645692dfd3b402bca", + "shasum": "" + }, + "require": { + "asm89/stack-cors": "^1.2", + "illuminate/support": "5.5.x|5.6.x|5.7.x|5.8.x", + "php": ">=7", + "symfony/http-foundation": "^3.1|^4", + "symfony/http-kernel": "^3.1|^4" + }, + "require-dev": { + "laravel/framework": "^5.5", + "orchestra/testbench": "3.3.x|3.4.x|3.5.x|3.6.x|3.7.x", + "phpunit/phpunit": "^4.8|^5.2|^7.0", + "squizlabs/php_codesniffer": "^2.3" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "0.11-dev" + }, + "laravel": { + "providers": [ + "Barryvdh\\Cors\\ServiceProvider" + ] + } + }, + "autoload": { + "psr-4": { + "Barryvdh\\Cors\\": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Barry vd. Heuvel", + "email": "barryvdh@gmail.com" + } + ], + "description": "Adds CORS (Cross-Origin Resource Sharing) headers support in your Laravel application", + "keywords": [ + "api", + "cors", + "crossdomain", + "laravel" + ], + "time": "2019-02-26T18:08:30+00:00" + }, { "name": "barryvdh/laravel-debugbar", "version": "v3.2.3", diff --git a/config/cors.php b/config/cors.php new file mode 100644 index 000000000000..e9b90f8b33a9 --- /dev/null +++ b/config/cors.php @@ -0,0 +1,23 @@ + false, + 'allowedOrigins' => ['*'], + 'allowedOriginsPatterns' => [], + 'allowedHeaders' => ['*'], + 'allowedMethods' => ['*'], + 'exposedHeaders' => [], + 'maxAge' => 0, + +]; 
From ae6048a6ea88246953a0fdcff1211d412643d449 Mon Sep 17 00:00:00 2001 From: snipe Date: Tue, 23 Jul 2019 18:02:27 -0700 Subject: [PATCH 2/8] Changed order so CORS will still work if throttle hit --- app/Http/Kernel.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php index 14fc378299ae..da3c5092b910 100644 --- a/app/Http/Kernel.php +++ b/app/Http/Kernel.php @@ -44,9 +44,9 @@ class Kernel extends HttpKernel ], 'api' => [ + \Barryvdh\Cors\HandleCors::class, 'throttle:120,1', 'auth:api', - \Barryvdh\Cors\HandleCors::class, ], ]; From 41b226e5fcff0f5c523177c3ecaa02612ed2a31b Mon Sep 17 00:00:00 2001 From: snipe Date: Tue, 23 Jul 2019 18:02:51 -0700 Subject: [PATCH 3/8] Added APP_CORS_ALLOWED_ORIGINS env option --- .env.example | 1 + config/cors.php | 24 ++++++++++++++++++++++-- 2 files changed, 23 insertions(+), 2 deletions(-) diff --git a/.env.example b/.env.example index d495111d78ab..dfc5e4562749 100644 --- a/.env.example +++ b/.env.example @@ -66,6 +66,7 @@ SECURE_COOKIES=false # -------------------------------------------- REFERRER_POLICY=same-origin ENABLE_CSP=false +APP_CORS_ALLOWED_ORIGINS=null # -------------------------------------------- # OPTIONAL: CACHE SETTINGS diff --git a/config/cors.php b/config/cors.php index e9b90f8b33a9..2f004e7cb4ea 100644 --- a/config/cors.php +++ b/config/cors.php @@ -1,5 +1,25 @@ false, - 'allowedOrigins' => ['*'], + 'allowedOrigins' => $allowed_origins, 'allowedOriginsPatterns' => [], 'allowedHeaders' => ['*'], - 'allowedMethods' => ['*'], + 'allowedMethods' => ['GET', 'POST', 'PUT', 'PATCH', 'DELETE'], 'exposedHeaders' => [], 'maxAge' => 0, From 82f91cb944fafbe39fd4d7127193c3ae53a8d91e Mon Sep 17 00:00:00 2001 From: snipe Date: Tue, 23 Jul 2019 18:03:53 -0700 Subject: [PATCH 4/8] Fixed typo --- config/cors.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/cors.php b/config/cors.php index 2f004e7cb4ea..31c0eddc8344 100644 
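Review bot: The ordering this hunk introduces is load-bearing but undocumented, so a later edit could push `HandleCors` back below `throttle:120,1` without anyone noticing why that matters. Add a comment above the moved line: `// Must stay first so 401/429 responses from auth:api and throttle also carry CORS headers`. A 404/405 for an unmatched API route is raised by the router before the group's middleware runs, so those responses will presumably still lack CORS headers unless the middleware is also registered globally — confirm against this Laravel version. The `$middlewareGroups` array continues outside the hunk.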
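Review bot: `APP_CORS_ALLOWED_ORIGINS=null` only has the intended effect because Laravel's `env()` helper converts the literal string `null` into PHP null; neither that nor the expected comma-delimited format is visible to someone editing the file. Add a comment above the new line: `# Comma-delimited list of origins allowed to call the API (no spaces), or null to use the default from config/cors.php`. The surrounding block is otherwise untouched.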
--- a/config/cors.php +++ b/config/cors.php @@ -11,7 +11,7 @@ * installation to modify these values without modifying the code. * * If APP_CORS_ALLOWED_ORIGINS is not set in the .env or is null (for example if no one added it - * after amn upgrade from a previous version that didn't include it in the .env.example), + * after an upgrade from a previous version that didn't include it in the .env.example), * set it to * to allow all. If there is a value, either a single url or a comma-delimited * list of urls, explode that out into an array to whitelist just those urls. * From 8a7bafb57597c2a0d7712d53501e1278351b4c5a Mon Sep 17 00:00:00 2001 From: snipe Date: Tue, 23 Jul 2019 18:05:07 -0700 Subject: [PATCH 5/8] Clarified header comments --- config/cors.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/cors.php b/config/cors.php index 31c0eddc8344..8d3b665babf7 100644 --- a/config/cors.php +++ b/config/cors.php @@ -10,8 +10,8 @@ * overwritten later), this enables the person managing the Snipe-IT * installation to modify these values without modifying the code. * - * If APP_CORS_ALLOWED_ORIGINS is not set in the .env or is null (for example if no one added it - * after an upgrade from a previous version that didn't include it in the .env.example), + * If APP_CORS_ALLOWED_ORIGINS is not set in the .env (for example if no one added it + * after an upgrade from a previous version that didn't include it in the .env.example) or is null, * set it to * to allow all. If there is a value, either a single url or a comma-delimited * list of urls, explode that out into an array to whitelist just those urls. * From 56753fa4cd6bab567bc8e0cf18d81803572a16d3 Mon Sep 17 00:00:00 2001 From: snipe Date: Tue, 23 Jul 2019 18:07:45 -0700 Subject: [PATCH 6/8] More clarification --- config/cors.php | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/config/cors.php b/config/cors.php index 8d3b665babf7..70a2237b0122 100644 
--- a/config/cors.php +++ b/config/cors.php @@ -2,8 +2,8 @@ /** * --------------------------------------------------------------------- - * THIS IS NOT PART OF THE ORIGINAL CORS PACKAGE. IT IS A MODIFICATION - * BY SNIPE-IT TO ALLOW ADDING ALLOWED ORIGINS VIA THE ENV. + * THIS IS $allowed_origins code IS NOT PART OF THE ORIGINAL CORS PACKAGE. + * IT IS A MODIFICATION BY SNIPE-IT TO ALLOW ADDING ALLOWED ORIGINS VIA THE ENV. * --------------------------------------------------------------------- * * Since we don't really want people editing config files (lest they get @@ -14,12 +14,17 @@ * after an upgrade from a previous version that didn't include it in the .env.example) or is null, * set it to * to allow all. If there is a value, either a single url or a comma-delimited * list of urls, explode that out into an array to whitelist just those urls. - * */ $allowed_origins = env('APP_CORS_ALLOWED_ORIGINS') !== null ? explode(',', env('APP_CORS_ALLOWED_ORIGINS')) : ['*']; +/** + * Original Laravel CORS package config file modifications end here + * + */ + + return [ /* From d40f06373eff2d273b06588aa9dfe8bf5ec52baf Mon Sep 17 00:00:00 2001 From: snipe Date: Tue, 23 Jul 2019 18:23:39 -0700 Subject: [PATCH 7/8] DIsable CORS allowed origins by default to replicate existing behavior --- config/cors.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/cors.php b/config/cors.php index 70a2237b0122..0aa4b8cef486 100644 --- a/config/cors.php +++ b/config/cors.php @@ -16,8 +16,8 @@ * list of urls, explode that out into an array to whitelist just those urls. */ -$allowed_origins = env('APP_CORS_ALLOWED_ORIGINS') !== null ? - explode(',', env('APP_CORS_ALLOWED_ORIGINS')) : ['*']; +$allowed_origins = env('CORS_ALLOWED_ORIGINS') !== null ? + explode(',', env('CORS_ALLOWED_ORIGINS')) : []; /** * Original Laravel CORS package config file modifications end here From 141b0b410b30fa97aff333de371a448308a3d0cc Mon Sep 17 00:00:00 2001 
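Review bot: The rewritten banner reads `THIS IS $allowed_origins code IS NOT PART OF THE ORIGINAL CORS PACKAGE.`, which is ungrammatical; suggest `THE $allowed_origins CODE BELOW IS NOT PART OF THE ORIGINAL CORS PACKAGE.` The added closing docblock (`Original Laravel CORS package config file modifications end here`) carries an empty line inside it and is followed by two blank lines; one blank line after a closed docblock is enough. The `return [` array that follows continues outside the hunk.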
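Review bot: The new `[]` default leaves the file contradicting its own docblock: the comment above (outside this hunk) still names `APP_CORS_ALLOWED_ORIGINS` and says an unset value is "set to * to allow all", while the code now reads `CORS_ALLOWED_ORIGINS` and falls back to an empty list, so the comment should be reworded to say that an unset or null `CORS_ALLOWED_ORIGINS` allows no cross-origin callers. The split also keeps whitespace around commas, so `a.example, b.example` yields `' b.example'`, which will never match an `Origin` header; prefer `array_values(array_filter(array_map('trim', explode(',', env('CORS_ALLOWED_ORIGINS')))))`. Whether an empty list merely withholds the CORS headers or makes `HandleCors` answer cross-origin requests with a 403 depends on the installed package version, so the commit message's claim that this replicates pre-package behaviour is worth checking against the vendored middleware.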
From: snipe Date: Tue, 23 Jul 2019 18:23:51 -0700 Subject: [PATCH 8/8] Change variable name to be clearer --- .env.example | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.env.example b/.env.example index dfc5e4562749..d48dcb47883a 100644 --- a/.env.example +++ b/.env.example @@ -66,7 +66,7 @@ SECURE_COOKIES=false # -------------------------------------------- REFERRER_POLICY=same-origin ENABLE_CSP=false -APP_CORS_ALLOWED_ORIGINS=null +CORS_ALLOWED_ORIGINS=null # -------------------------------------------- # OPTIONAL: CACHE SETTINGS