I am using a Laravel 10 backend with an Angular 16 frontend.
I am getting a CORS error when making an unauthenticated call. I do not get this error when there is a valid token attached to the request. I also do not get a CORS error when I remove the auth:sanctum middleware.
Access to XMLHttpRequest at 'http://localhost:8000/api/v2/users/me' from origin 'http://localhost:4200' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Request headers:
GET /api/v2/users/me HTTP/1.1
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-CA,en;q=0.9,he-IL;q=0.8,he;q=0.7,en-GB;q=0.6,en-US;q=0.5,la;q=0.4,fr;q=0.3
Cache-Control: no-cache
Connection: keep-alive
Cookie: pma_lang=en; phpMyAdmin=b4708404aa4a47a5854f53dc4b36fede; pmaUser-1=F9OmtR4PCLTe%2FX65GbCS0KKlWY9xTZA4OOsBQ%2BwByKXngw2rxuSx%2Fvr%2BSTw%3D; pmaAuth-1=I1DZbqIl0TCZSFJZSjkcL2CC243C3DR8xxxlj%2BV90EiDlZJC6Ve4G5KQd6u73QFNbVCSDNQDghAI04m61HIG3YWW; laravel_session=eyJpdiI6InJRalZMSmZRZHpscElHbjdiL2JPMEE9PSIsInZhbHVlIjoiYXBFV3QxNjljZVpmTkdvbks4N0JHbjlLZTdJWWo0bmRySU5DVDJ1UG9JRUlFOE4reDRqaENqeUJOMk5ZSllFYW42V1cvQjYwNCs4TFNEUnN2UmJyQVpBVmIvYVlVbVJDV3ErQlkrK1dENmFCaS9YblhQZHlVOER3MWRDeWZya2giLCJtYWMiOiJkYjQ3ZjgyMDk1YTE5NTlmYTQ0NjNkNGM4Njk4ZTZjM2QwOWVjMTIyOWRmZDQzNmY5Nzc3ZWIxN2UyZWE3YWJmIiwidGFnIjoiIn0%3D;
DNT: 1
Host: localhost:8000
Origin: http://localhost:4200
Pragma: no-cache
Referer: http://localhost:4200/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
TenantSubdomain: localhost:4200
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
sec-ch-ua: "Not/A)Brand";v="8", "Chromium";v="126", "Google Chrome";v="126"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Response headers:
HTTP/1.1 403 Forbidden
Server: nginx/1.25.0
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache, private
Date: Sun, 21 Jul 2024 11:43:49 GMT
My middleware:
Route::middleware([
    'throttle:v2',
    'auth:sanctum',
    'is.tenant',
    LastActionAgo::class,
    'idempotency',
])
cors.php
<?php
return [
    'paths' => ['api/*', 'sanctum/csrf-cookie', 'lease-application-pdf/*', 'broadcasting/auth'],
    'allowed_methods' => ['GET', 'PUT', 'PATCH', 'POST', 'DELETE'],
    'allowed_origins' => ['*', 'ionic://localhost', 'http://localhost:4200'],
    'allowed_origins_patterns' => [],
    'allowed_headers' => [
        'baggage', // used by Sentry
        'sentry-trace', // used by Sentry
        'token',
        'Content-Type',
        'authorization',
        'QPAppType',
        'PQCompanySubdomain',
        'TenantSubdomain',
        'X-XSRF-TOKEN',
        'X-CSRF-TOKEN',
        'User-Agent',
        'Cache-Control',
        'Pragma',
        'X-Requested-With',
        'Idempotency-Key',
    ],
    'exposed_headers' => [
        'token',
        'Content-Type',
        'authorization',
        'QPAppType',
        'PQCompanySubdomain',
        'TenantSubdomain',
        'X-XSRF-TOKEN',
        'X-CSRF-TOKEN',
        'Is-Replay',
    ],
    'max_age' => 1728000,
    'supports_credentials' => true,
];
After login:
Request headers:
GET /api/v2/users/me HTTP/1.1
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-CA,en;q=0.9,he-IL;q=0.8,he;q=0.7,en-GB;q=0.6,en-US;q=0.5,la;q=0.4,fr;q=0.3
Authorization: Bearer 32|72Qi6OhFqrHOq7mrcTMNroT6OoNJSK626ZnB4cWyd46e9988
Cache-Control: no-cache
Connection: keep-alive
Cookie: pma_lang=en; phpMyAdmin=b4708404aa4a47a5854f53dc4b36fede; pmaUser-1=F9OmtR4PCLTe%2FX65GbCS0KKlWY9xTZA4OOsBQ%2BwByKXngw2rxuSx%2Fvr%2BSTw%3D; pmaAuth-1=I1DZbqIl0TCZSFJZSjkcL2CC243C3DR8xxxlj%2BV90EiDlZJC6Ve4G5KQd6u73QFNbVCSDNQDghAI04m61HIG3YWW; remember_web_3dc7a913ef5fd4b890ecabe3487085573e16cf82=eyJpdiI6InZ1eFg1WEJWcm9oT29Qd2E3bEpRRkE9PSIsInZhbHVlIjoiVXpNWDlRMzRoSlpBbElqdnNhaU9SbTJxSk53Y1hDMDdtWlY3Qkg2V0lZai9SNk40bENqNTJIM3hlNU1rZElZb0RDbU8ranEwT0RmendrY2tNYUhJWUpkZThtS1AvNkpKbmRFT05XaHZzekkyaE94bkxQLytLbnl1RUNqRmVTVWFWZGttS3pOU2RGeVJyL3dsK3JVSU1Da2E5V0J6RFdMeStEN2pWeUNESkdJQkdxRWFtanVyRXRPS1NtcmNISzMzL09hV2o1ZDhKc3d4ZlhuT3RrTysxZmF1bjZrUVZ4MFlaK0JaYVZSSWxuMD0iLCJtYWMiOiJhMzFmMjA2YTFhZTRjOGE0MTAzMmFhMjkzYTVmMWNhN2VjMGEyODUxMjYzNDFhOGE4MDA4NDIwOWFkYmU4MTNjIiwidGFnIjoiIn0%3D; laravel_session=eyJpdiI6IklNMDZ4bEZHUSt3RThYRFRJUDNPUVE9PSIsInZhbHVlIjoiMnI0ZmR6ZWNTZ0UwaGpCM01taW9lekpyTjBPaE9uNUNMakFhOVBrNzRWWUE4b1FxRkREZ3FsY0N1YkZFU0Q1K2hjZDUzR1VRaERVQ2VtOHlzYkpPNlBSamxwZG1YMjhNK1lwaVBBVUhhM3cyanZUQWNEVmErL2FHc01VNk1hZmYiLCJtYWMiOiJjNTI0MWExMmQ3NWExNDM5YjJkNWYxZjJiZTNhNGRkN2JkM2I4NGZhYWJkYmFiNmU0Yzc2YmVkZDc1MWUwNWQyIiwidGFnIjoiIn0%3D
DNT: 1
Host: localhost:8000
Origin: http://localhost:4200
Pragma: no-cache
Referer: http://localhost:4200/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
TenantSubdomain: localhost:4200
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
sec-ch-ua: "Not/A)Brand";v="8", "Chromium";v="126", "Google Chrome";v="126"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Response Headers:
HTTP/1.1 200 OK
Server: nginx/1.25.0
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache, private
Date: Sun, 21 Jul 2024 12:01:18 GMT
X-RateLimit-Limit: 400
X-RateLimit-Remaining: 399
Access-Control-Allow-Origin: http://localhost:4200
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: token, Content-Type, authorization, QPAppType, PQCompanySubdomain, TenantSubdomain, X-XSRF-TOKEN, X-CSRF-TOKEN, Is-Replay
Set-Cookie: laravel_session=eyJpdiI6IkhzTy80ZHhWbEVWR3RSYkFCZ1lmVVE9PSIsInZhbHVlIjoiSnFlSFFPSFNCRVRQcmdvaWhhV2ZEajE5UjFpOXpWcTd3N2h5STNwRkkyMVN4Y2NNdGpOOFg0cUNnSDZ1ZXU0Q1NqU3ZKVlZmeFpyUXJHcmhuS2MzVGNZd1NDeXFNekh3UG1nU0NnV2Z5SDRiWkdoRnNPZnZUNmF6NGs4WlZ6NFoiLCJtYWMiOiI4NjA2YWFmYTZiOTliNzM4Y2RiYWYzYzI0YzgyNzE3MTQwZjhmNjllNjhhOGFiZGZmMWUzNTE2NjUwODNlZDUyIiwidGFnIjoiIn0%3D; expires=Sun, 21 Jul 2024 14:01:18 GMT; Max-Age=7200; path=/; secure; httponly; samesite=none
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Why isn't supports_credentials => true in cors.php adding the Access-Control-Allow-Credentials header?
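As an added diagnostic (not code from the question, Laravel or Angular), the script below parses raw response-header dumps like the two quoted above and checks them against the rules a browser applies to a credentialed cross-origin request: the exact origin echoed in Access-Control-Allow-Origin (a literal "*" is rejected once credentials are sent), Access-Control-Allow-Credentials set to "true", and Vary: Origin so a cache does not hand one origin's ACAO to another. The sample responses are copied from the question with cookies and rate-limit headers left out; the origin http://localhost:4200 is taken from the request headers shown.

```javascript
// Added example: check raw HTTP response headers against the browser's
// rules for a credentialed (withCredentials) cross-origin request.

const ORIGIN = 'http://localhost:4200'; // Angular dev server from the question

// Parse a status line plus "Name: value" lines into a lowercase-keyed map.
function parseResponseHeaders(raw) {
  const lines = raw.trim().split(/\r?\n/);
  const statusMatch = lines[0].match(/^HTTP\/\d(?:\.\d)? (\d{3})/);
  const headers = new Map();
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(':');
    if (idx < 0) continue; // skip anything that is not a header line
    headers.set(line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim());
  }
  return { status: statusMatch ? Number(statusMatch[1]) : null, headers };
}

// Return the list of reasons the browser would block a credentialed request
// from `origin`; an empty list means the response passes the CORS check.
function corsProblems(raw, origin = ORIGIN) {
  const { headers } = parseResponseHeaders(raw);
  const problems = [];
  const acao = headers.get('access-control-allow-origin');
  if (acao === undefined) problems.push("No 'Access-Control-Allow-Origin' header is present");
  else if (acao === '*') problems.push("ACAO is '*', which browsers reject when credentials are sent");
  else if (acao !== origin) problems.push(`ACAO '${acao}' does not match origin '${origin}'`);
  if (headers.get('access-control-allow-credentials') !== 'true')
    problems.push("Access-Control-Allow-Credentials is missing or not 'true'");
  if (acao && acao !== '*' && !/\borigin\b/i.test(headers.get('vary') || ''))
    problems.push('Vary: Origin is missing, so a shared cache may reuse this ACAO for another origin');
  return problems;
}

// Constructed samples: the 403 and 200 responses quoted in the question (trimmed).
const FORBIDDEN_403 = `HTTP/1.1 403 Forbidden
Server: nginx/1.25.0
Content-Type: application/json
Cache-Control: no-cache, private`;

const OK_200 = `HTTP/1.1 200 OK
Server: nginx/1.25.0
Content-Type: application/json
Access-Control-Allow-Origin: http://localhost:4200
Vary: Origin
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: token, Content-Type, authorization`;

console.log(corsProblems(FORBIDDEN_403)); // two problems: no ACAO, no ACAC
console.log(corsProblems(OK_200));        // []
```

Paste any other failing response (for example one from a preflight OPTIONS request, or from the nginx error page that might be answering instead of Laravel) into the same function to see which of the three conditions is missing.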