CORS: has been blocked by CORS policy: Response to preflight request doesn't pass access control check and Laravel 6



  • I’m trying to log in using quasar-app-extension-auth-token-based over quasar 1.2.1 against a Laravel 6-based API with Passport.

    To keep up the problem I found the post that talked about Laravel-Cors, and even then, it doesn’t work for me.

    My app in quasar runs with quasar dev over a local port, but the API is in a virtual machine with a domain name.

    Access to XMLHttpRequest at 'http://albariddev.castris.develop/api/v1/login' from origin 'http://localhost:8080' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.
    

    quasar.extensions.json

    {
      "auth-token-based": {
        "register_route": "/auth/register",
        "verification_route": "/auth/verify",
        "login_route": "/api/v1/login", // My API route for login, but on error I see the original route of the package, /auth/login
        "password_forgot_route": "/auth/password/forgot",
        "password_reset_route": "/auth/password/reset",
        "fetch_user_route": "/auth/user",
        "superuser_functionality": true
      }
    }
    

    In Postman it works fine.

    https://albariddev.castris.develop/api/v1/login?email=user@email.com&password=MyPassword
    
    {
        "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImp0aSI6ImNmMjFmYzFjYmEwZjhlNzIzYmRiMmFjMjBjMDk2MDE1YzUxNWUwZmNlOGM4OWM1NWU3Y2Q4MjhiNDBkZmUwNDJlN2RjMTVkZjQ1ZmJhNDkwIn0.eyJhdWQiOiIxIiwianRpIjoiY2YyMWZjMWNiYTBmOGU3MjNiZGIyYWMyMGMwOTYwMTVjNTE1ZTBmY2U4Yzg5YzU1ZTdjZDgyOGI0MGRmZTA0MmU3ZGMxNWRmNDVmYmE0OTAiLCJpYXQiOjE1NzEzNTE2NDYsIm5iZiI6MTU3MTM1MTY0NiwiZXhwIjoxNjAyOTc0MDQ2LCJzdWIiOiIxIiwic2NvcGVzIjpbXX0.YMHaYAu9OJ0Y63uEUh10A0W3HD4iCIMnq1vUlrD2hTgXYdVyISJ1QW1gjCDFD6foH21pdx71CXB3ibml-vzeVRnxnpWi9gI2jc6XOQvDRbpup6fDsrDZq1KIcgtZm_uEJQjvbgCYRd1x5OK7Lv_keoCAYySekx0vU4S4wNoT9btyiAX9Y7usXkVcuSYGwK4yaLdUyR2-AVR0uR3EcOK57liZ0m54e1jrcWbqi4mX5QWXoCMdglanJkvky49HRAdIswyCcRi5Xkemmk_31xi5gY9bzvaElnPRGSnloo4yv73CapVY0SDLbpBBeq6gLX9O05xNUBzU9c3NsvnoHhBQ8CGiTf3gs4fDLJ0_ZPnm2zR3MESFNuo7VD92OoNYRNIkbmUMXjAquwc50txASYRGWqS241H2Nh9q1Hb_-TnyOtwNONOmNzPOEokrKV4eRP5N5cqaR4KoFFXyQ7m-p_uVHEzRD7N5VFRnZ8X-2lz5hqKUzLXcfZEAvTHFv-2bZbourQGmhJkOvgvZCNHP7jQPvmVz2kD_oNS1onqkFNPoGZpEgiPgSlm7EoFKFc2bjzjnW8X2R4VhzijJVXIAKspH6ZOQsFD8QH3h5Sx9MNe5ZBnJ5SAQ3h_ztVAfe2Oa09OkW96AVoCG0dUKsL1jMacibE1rriW6E0XD0-6KBknRD4g",
        "token_type": "Bearer"
    }
    

    I'd appreciate some help.



  • @Castris there’s a Laravel package that handles CORS; set it up on your server: https://github.com/barryvdh/laravel-cors.



  • I’ve installed this package and set it up with the least sensitivity. That is why I am going here.

    // CORS package configuration array, fully permissive as described above
    return [
        'supportsCredentials' => false,
        'allowedOrigins' => ['*'],
        'allowedOriginsPatterns' => ['*'],
        'allowedHeaders' => ['*'],
        'allowedMethods' => ['*'],
        'exposedHeaders' => ['*'],
        'maxAge' => 0,
    ];
    

    In Kernel.php

    protected $middleware = [
    ...
    \Barryvdh\Cors\HandleCors::class,
    ];
    

    I also tried disabling CSRF protection for my API

    App\Http\Middleware\VerifyCsrfToken:

    protected $except = [
        'api/*'
    ];
    

    That said, I think the best way would be to know if the package sends a token, in the same way as Postman does, but I can’t find a way to do it given the poor documentation of the package.



  • Well, you can also set up a reverse proxy (openresty/nginx) and have CORS handled at that level. It would solve ALL the problems with EVERYTHING 🙂
    Where ALL==every access control request from client, and EVERYTHING==every api/rest/openapi/webservice/endpoint on backend side regardless of used technology (php, python, node, c#, etc.).
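
Added example, not part of the thread or of any package mentioned in it: a simplified JavaScript model of the check a browser applies to a preflight response, showing why the "Redirect is not allowed for a preflight request" error occurs before any `Access-Control-*` header is considered. The function name `checkPreflight`, the sample objects and the host `api.example.test` are constructed for illustration.

```javascript
// Simplified model of the browser-side preflight check (not the full Fetch algorithm:
// no credentials mode, and header/method names are compared case-insensitively).
const SAFE_METHODS = ['GET', 'HEAD', 'POST'];
// Content-Type is deliberately left out: with a JSON body it needs explicit permission.
const SAFE_HEADERS = ['accept', 'accept-language', 'content-language'];

function list(value) {
  return (value || '').split(',').map(s => s.trim().toLowerCase()).filter(Boolean);
}

// request:  { origin, method, headers: [names] }
// response: { status, headers: { 'lower-case-name': value } }
function checkPreflight(request, response) {
  const h = response.headers || {};
  // The OPTIONS request must be answered with 2xx; a redirect is never followed.
  if (response.status >= 300 && response.status < 400) {
    return { ok: false, reason: 'redirect on preflight (Location: ' + (h.location || 'none') + ')' };
  }
  if (response.status < 200 || response.status > 299) {
    return { ok: false, reason: 'preflight status ' + response.status + ' is not 2xx' };
  }
  const allowOrigin = h['access-control-allow-origin'];
  if (allowOrigin !== '*' && allowOrigin !== request.origin) {
    return { ok: false, reason: 'Access-Control-Allow-Origin does not match ' + request.origin };
  }
  const methods = list(h['access-control-allow-methods']);
  const method = request.method.toUpperCase();
  if (!SAFE_METHODS.includes(method) && !methods.includes('*') && !methods.includes(method.toLowerCase())) {
    return { ok: false, reason: 'method ' + method + ' not allowed' };
  }
  const allowed = list(h['access-control-allow-headers']);
  for (const name of request.headers.map(n => n.toLowerCase())) {
    if (!SAFE_HEADERS.includes(name) && !allowed.includes('*') && !allowed.includes(name)) {
      return { ok: false, reason: 'request header ' + name + ' not allowed' };
    }
  }
  return { ok: true, reason: 'preflight passed' };
}

// Constructed sample data (not captured from the server in this thread).
const sampleRequest = { origin: 'http://localhost:8080', method: 'POST', headers: ['Content-Type'] };
const redirected = { status: 301, headers: { location: 'https://api.example.test/api/v1/login',
  'access-control-allow-origin': '*' } };
const answered = { status: 204, headers: { 'access-control-allow-origin': '*',
  'access-control-allow-methods': 'GET, POST', 'access-control-allow-headers': 'content-type' } };

console.log(checkPreflight(sampleRequest, redirected).reason);
console.log(checkPreflight(sampleRequest, answered).reason);
```

The redirected sample fails even though it carries `Access-Control-Allow-Origin: *`, so permissive CORS settings in the application cannot help while something in front of it redirects the OPTIONS request.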

