Setting up CORS

CORS - Cross origin resource sharing

A good flowchart for implementing CORS support Reference:

CORS server flowchart

You can test your CORS Support here: http://www.test-cors.org/

You can read the specification here: https://www.w3.org/TR/cors/

The simple solution

For simple CORS requests, the server only needs to add the following header to its response:

Access-Control-Allow-Origin: <domain>, … | *

The following code should enable lazy CORS.

  1. $app->options('/{routes:.+}', function ($request, $response, $args) {
  2.     return $response;
  3. });
  5. $app->add(function ($req, $res, $next) {
  6.     $response = $next($req, $res);
  7.     return $response
  8.             ->withHeader('Access-Control-Allow-Origin', 'http://mysite')
  9.             ->withHeader('Access-Control-Allow-Headers', 'X-Requested-With, Content-Type, Accept, Origin, Authorization')
  10.             ->withHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, PATCH, OPTIONS');
  11. });

Add the following route as the last route:

  1. // Catch-all route to serve a 404 Not Found page if none of the routes match
  2. // NOTE: make sure this route is defined last
  3. $app->map(['GET', 'POST', 'PUT', 'DELETE', 'PATCH'], '/{routes:.+}', function($req, $res) {
  4.     $handler = $this->notFoundHandler; // handle using the default Slim page not found handler
  5.     return $handler($req, $res);
  6. });

Access-Control-Allow-Methods

The following middleware can be used to query Slim’s router and get a list of methods a particular pattern implements.

Here is a complete example application:

  1. require __DIR__ . "/vendor/autoload.php";
  3. // This Slim setting is required for the middleware to work
  4. $app = new Slim\App([
  5.     "settings"  => [
  6.         "determineRouteBeforeAppMiddleware" => true,
  7.     ]
  8. ]);
  10. // This is the middleware
  11. // It will add the Access-Control-Allow-Methods header to every request
  13. $app->add(function($request, $response, $next) {
  14.     $route = $request->getAttribute("route");
  16.     $methods = [];
  18.     if (!empty($route)) {
  19.         $pattern = $route->getPattern();
  21.         foreach ($this->router->getRoutes() as $route) {
  22.             if ($pattern === $route->getPattern()) {
  23.                 $methods = array_merge_recursive($methods, $route->getMethods());
  24.             }
  25.         }
  26.         //Methods holds all of the HTTP Verbs that a particular route handles.
  27.     } else {
  28.         $methods[] = $request->getMethod();
  29.     }
  31.     $response = $next($request, $response);
  34.     return $response->withHeader("Access-Control-Allow-Methods", implode(",", $methods));
  35. });
  37. $app->get("/api/{id}", function($request, $response, $arguments) {
  38. });
  40. $app->post("/api/{id}", function($request, $response, $arguments) {
  41. });
  43. $app->map(["DELETE", "PATCH"], "/api/{id}", function($request, $response, $arguments) {
  44. });
  46. // Pay attention to this when you are using some javascript front-end framework and you are using groups in slim php
  47. $app->group('/api', function () {
  48.     // Due to the behaviour of browsers when sending PUT or DELETE request, you must add the OPTIONS method. Read about preflight.
  49.     $this->map(['PUT', 'OPTIONS'], '/{user_id:[0-9]+}', function ($request, $response, $arguments) {
  50.         // Your code here...
  51.     });
  52. });
  54. $app->run();

A big thank you to tuupola for coming up with this!