CORS: "Method not allowed" for preflight requests

pedrorezende

Hi everyone,

I'm having some problems with CORS while trying to consume Flarum API resources (ex. /api/discussions/123). It seems that Flarum HTTP\Server blocks the preflight request because OPTIONS are not set as a valid route method.

Debugging the PHP code, I saw that a MethodNotAllowedException is being thrown by Flarum\Http\Middleware\DispatchRoute class.

So I have two questions: 1) is there any configuration I can do to bypass OPTIONS requests from that verification? 2) How to properly add a Middleware to Flarum without changing the package code? (i.e. what would be the equivalent to Laravel's app/Http/Kernel.php file?)

Thank you all! 🙂

clarkwinkelmann

pedrorezende I'm successfully using CORS requests on one of my websites, but I'm only using simple requests so there's no preflight request in my case. I have however implemented a middleware to whitelist origins, but I'll need to update the code for the latest Flarum before I can share it.

I do see that OPTIONS requests are not supported by Flarum. Maybe someone else has already experience with this. Possibly this could also be fixed at the webserver level without having to deal with Flarum at all?

To make local modifications to your Flarum there are two solutions:

Create an extension that you don't publish online but just install through a workbench folder
Use Flarum's root extend.php to do everything an extension can do without creating an actual extension

In this case you might want to make use of the Middleware extender and feature https://docs.flarum.org/extend/middleware.html

pedrorezende

clarkwinkelmann Thank you very much for your reply! I'm already extending some Flarum features but I think I skipped the middleware docs. I'll check them and get back to this thread as soon as I have a solution implemented.

pedrorezende

Hi! I've implemented a simple and naive solution for this problem, but it worked perfectly on my case. Maybe it can help someone else in the future, so I'm sharing it here. If you find any potential problem with this solution, please let me know.

1) Created an extension following this guide https://docs.flarum.org/extend/start.html#architecture

2) Created a Middleware following the instructions clarkwinkelmann referred: https://docs.flarum.org/extend/middleware.html#adding-middleware-in-your-extension . This Middleware verifies for allowed origins and bypass OPTIONS requests if they're coming from the whitelisted origins.


<?php
namespace MyProject\Middleware;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\RequestHandlerInterface;

class HandleCorsMiddleware implements MiddlewareInterface
{
  protected function parseOriginUrl($referrerUrl)
  {
    $referrerUrlStructure = parse_url($referrerUrl);
    $origin = $referrerUrlStructure['scheme'] . '://' . $referrerUrlStructure['host'];
    if (isset($referrerUrlStructure['port']) && $referrerUrlStructure['port']) {
      $origin .= ':' . $referrerUrlStructure['port'];
    }

    return $origin;
  }

  protected function setAccessControlHeaders($url)
  {
    header('Access-Control-Allow-Origin: ' . $url);
    header('Access-Control-Allow-Methods: GET, POST, PATCH, PUT, DELETE, OPTIONS');
    header('Access-Control-Allow-Headers: Origin, Authorization, Content-Type, X-Auth-Token');
    header("Access-Control-Allow-Credentials: true");
  }

  public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
  {
    $headers = $request->getHeaders();
    $referrer = $headers['referer'] ?? '';
    $whitelistedOrigin = false;

    if ($referrer) {
      $config = app('flarum.config');
      $allowedOrigins = $config['allowed_origins'];
      $originUrl = $this->parseOriginUrl($referrer[0]);

      if (in_array($originUrl, $allowedOrigins)) {
        $whitelistedOrigin = true;
        $this->setAccessControlHeaders($originUrl);
      }
    }

    if ($whitelistedOrigin && $referrer && $request->getMethod() === 'OPTIONS') {
      header('Status: 200');
      exit;
    }

    return $handler->handle($request);
  }
}

3) Added my Middleware to extend.php

use Flarum\Extend;
use MyProject\Middleware\HandleCorsMiddleware;
return [
  (new Extend\Middleware('api'))->add(HandleCorsMiddleware::class)
];

4) Added the allowed origins to my config.php file

return array(
  'debug' => true,
  ...
  'allowed_origins' => [
    'http://localhost:3000',
    'https://example.com',
    'https://staging.example.com',
  ]
);

Kaczuc

Can you explain how to add this code if I'm using docker containerization?