流明:启用CORS

Question

我使用Lumen构建了一个API,并希望使用JavaScript和XMLHttpRequest对象来访问它.但每次我的PUT,GET,POST和DELETE请求都转换为OPTIONS - Request.我阅读了很多有CORS信息的网站.我使用以下内容构建中间件:

class CORSMiddleware
{
    public function handle($request, \Closure $next)
    {
      $response = null;
      /* Preflight handle */
      if ($request->isMethod('OPTIONS')) {
         $response = new Response();
      } else {
         $response = $next($request);
      }

      $response->header('Access-Control-Allow-Methods', 'OPTIONS, HEAD, GET, POST, PUT, DELETE');
      $response->header('Access-Control-Allow-Headers', $request->header('Access-Control-Request-Headers'));
      $response->header('Access-Control-Allow-Origin', '*');
      return $response;
    }
}

我的客户代码:

var url = "http://localhost:8000/api/user";
var xmlHttpRequest = new XMLHttpRequest();
xmlHttpRequest.open('PUT', url, false);
xmlHttpRequest.send('{"username": "ABC", "password": "ABC","email": "mail@cool.xyz" }');
if (xmlHttpRequest.status == 200) {
  console.log(xmlHttpRequest.responseText);
}

我的GET请求信息:

Host: localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Origin: null
Connection: keep-alive
Cache-Control: max-age=0

我的回复 - GET请求的信息:

Access-Control-Allow-Methods: OPTIONS, HEAD, GET, POST, PUT, DELETE
Access-Control-Allow-Origin: *
Cache-Control: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Date: Sun, 27 Dec 2015 10:36:51 GMT
Host: localhost:8000
x-powered-by: PHP/7.0.0

我的请求 - PUT请求的信息:

Host: localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Access-Control-Request-Method: PUT
Origin: null
Connection: keep-alive
Cache-Control: max-age=0

我对PUT请求的响应信息:

Cache-Control: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Date: Sun, 27 Dec 2015 10:36:51 GMT
Host: localhost:8000
x-powered-by: PHP/7.0.0

在预检中没有"Access-Control-Allow - *" - 标题.我不知道为什么; 我用我的lumen-cors-middleware启用它.

Answer 1

在 中Lumen，您需要OPTIONS为每条POST, PUT, DELETE...路线手动设置路线。

这就是我为解决问题所做的。

$app->options('{all:.*}', ['middleware' => 'cors.options', function() {
    return response('');
}]);

上面的路线将为OPTIONS您捕获所有请求。

在cors.options中间件中：

public function handle($request, Closure $next)
{
    return $next($request)
        ->header('Access-Control-Allow-Origin', $_SERVER['HTTP_ORIGIN'])
        ->header('Access-Control-Allow-Methods', 'PUT, POST, DELETE')
        ->header('Access-Control-Allow-Headers', 'Accept, Content-Type,X-CSRF-TOKEN')
        ->header('Access-Control-Allow-Credentials', 'true');
}