带有 JWT 身份验证的 Laravel 5.3 CORS

Question

我对 Laravel 5.3 CORS 有疑问。我在这个问题上搜索了很多，发现很多推荐 barryvdh 用于 CORS。然而这并没有奏效，我发现有人提到这可能是由于使用 tymondesigns jwt-auth 模块造成的。有人建议通过设置绕过它

header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Headers: Authorization, Content-Type');

在 api.php 文件中。这会导致如下响应：

Failed to load https://example.com/api/v1/members/1: Method PUT is not allowed by Access-Control-Allow-Methods in preflight response.

为了解决这个问题，我添加了

header('Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT');

到上面两行。然而，这给我留下了一个新问题：

PUT https://example.com/api/v1/members/1 403 (Forbidden)
Failed to load https://example.com/api/v1/members/1: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://example.com' is therefore not allowed access. The response had HTTP status code 403.

有什么建议可以解决这个问题吗？

Answer 1

如果这只发生在生产环境中，请务必检查您的 nginx 配置文件。这可能是由于以下设置：

add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";

尝试将这些注释掉，看看是否能解决问题，然后一一取消注释，并根据需要进行调整。

Answer 2

你可以使用三种方式来解决这个问题：

1) 使用 barrvay/laravel-cors

'supportsCredentials' => false,
    'allowedOrigins' => ['http://localhost:4200'],
    'allowedHeaders' => ['Content-Type','Accept','Authorization'],
    'allowedMethods' => ['GET','POST','PUT', 'PATCH', 'OPTIONS', 'DELETE'],
    'exposedHeaders' => ['Content-Disposition', 'x-total-count', 'x-filename'],
    'maxAge' => 0,
    'hosts' => ['*'],

2) 本地主机使用 Chrome 插件 (Moesif CORS)

3) 构建一个 CORS 中间件并将所有 cors 标头放入其中

    namespace App\Http\Middleware;

use Closure;

class Cors {
    public function handle($request, Closure $next)
    {
        return $next($request)
            ->header('Access-Control-Allow-Origin', '*')
            ->header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
    }
}