CORS for api

.env.example

@@ -66,6 +66,7 @@ SECURE_COOKIES=false
 # --------------------------------------------
 REFERRER_POLICY=same-origin
 ENABLE_CSP=false
+CORS_ALLOWED_ORIGINS=null
 
 # --------------------------------------------
 # OPTIONAL: CACHE SETTINGS

app/Http/Kernel.php

@@ -44,6 +44,7 @@ class Kernel extends HttpKernel
         ],
 
         'api' => [
+            \Barryvdh\Cors\HandleCors::class,
             'throttle:120,1',
             'auth:api',
         ],

composer.json

@@ -6,6 +6,7 @@
   "type": "project",
     "require": {
     "php": ">=7.1.2",
+    "barryvdh/laravel-cors": "^0.11.3",
     "barryvdh/laravel-debugbar": "^3.2",
     "doctrine/cache": "^1.8",
     "doctrine/common": "^2.10",

config/cors.php

@@ -0,0 +1,48 @@
+<?php
+
+/**
+ * ---------------------------------------------------------------------
+ * THIS IS $allowed_origins code IS NOT PART OF THE ORIGINAL CORS PACKAGE.
+ * IT IS A MODIFICATION BY SNIPE-IT TO ALLOW ADDING ALLOWED ORIGINS VIA THE ENV.
+ * ---------------------------------------------------------------------
+ *
+ * Since we don't really want people editing config files (lest they get
+ * overwritten later), this enables the person managing the Snipe-IT
+ * installation to modify these values without modifying the code.
+ *
+ * If APP_CORS_ALLOWED_ORIGINS is not set in the .env (for example if no one added it
+ * after an upgrade from a previous version that didn't include it in the .env.example) or is null,
+ * set it to * to allow all. If there is a value, either a single url or a comma-delimited
+ * list of urls, explode that out into an array to whitelist just those urls.
+ */
+
+$allowed_origins = env('CORS_ALLOWED_ORIGINS') !== null ?
+    explode(',', env('CORS_ALLOWED_ORIGINS')) : [];
+
+/**
+ * Original Laravel CORS package config file modifications end here
+ *
+ */
+
+
+return [
+
+    /*
+    |--------------------------------------------------------------------------
+    | Laravel CORS
+    |--------------------------------------------------------------------------
+    |
+    | allowedOrigins, allowedHeaders and allowedMethods can be set to array('*')
+    | to accept any value.
+    |
+    */
+
+    'supportsCredentials' => false,
+    'allowedOrigins' => $allowed_origins,
+    'allowedOriginsPatterns' => [],
+    'allowedHeaders' => ['*'],
+    'allowedMethods' => ['GET', 'POST', 'PUT', 'PATCH', 'DELETE'],
+    'exposedHeaders' => [],
+    'maxAge' => 0,
+
+];