Setting up CORS

CORS - Cross origin resource sharing

A good flowchart for implementing CORS support Reference:

CORS server flowchart

You can test your CORS Support here: http://www.test-cors.org/

You can read the specification here: https://www.w3.org/TR/cors/

The simple solution

For simple CORS requests, the server only needs to add the following header to its response:

  1. Access-Control-Allow-Origin: <domain>, ...

The following code should enable lazy CORS.

  1. $app->options('/{routes:.+}', function ($request, $response, $args) {
  2.     return $response;
  3. });
  5. $app->add(function ($request, $handler) {
  6.     $response = $handler->handle($request);
  7.     return $response
  8.             ->withHeader('Access-Control-Allow-Origin', 'http://mysite')
  9.             ->withHeader('Access-Control-Allow-Headers', 'X-Requested-With, Content-Type, Accept, Origin, Authorization')
  10.             ->withHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, PATCH, OPTIONS');
  11. });

Add the following route as the last route:

  1. <?php
  2. use Slim\Exception\HttpNotFoundException;
  4. /*
  5.  * Catch-all route to serve a 404 Not Found page if none of the routes match
  6.  * NOTE: make sure this route is defined last
  7.  */
  8. $app->map(['GET', 'POST', 'PUT', 'DELETE', 'PATCH'], '/{routes:.+}', function ($request, $response) {
  9.     throw new HttpNotFoundException($request);
  10. });

Access-Control-Allow-Methods

The following middleware can be used to query Slim’s router and get a list of methods a particular pattern implements.

Here is a complete example application:

  1. <?php
  2. use Slim\Factory\AppFactory;
  3. use Slim\Routing\RouteContext;
  5. require __DIR__ . '/../vendor/autoload.php';
  7. $app = AppFactory::create();
  9. // This middleware will append the response header Access-Control-Allow-Methods with all allowed methods
  10. $app->add(function($request, $handler) {
  11.     $routeContext = RouteContext::fromRequest($request);
  12.     $routingResults = $routeContext->getRoutingResults();
  13.     $methods = $routingResults->getAllowedMethods();
  15.     $response = $handler->handle($request);
  16.     $response = $response->withHeader('Access-Control-Allow-Methods', implode(",", $methods));
  18.     return $response;
  19. });
  21. // The RoutingMiddleware should be added after our CORS middleware so routing is performed first
  22. $app->addRoutingMiddleware();
  24. $app->get("/api/{id}", function($request, $response, $arguments) {
  25.     // ...
  26. });
  28. $app->post("/api/{id}", function($request, $response, $arguments) {
  29.     // ...
  30. });
  32. $app->map(["DELETE", "PATCH"], "/api/{id}", function($request, $response, $arguments) {
  33.     // ...
  34. });
  36. // Pay attention to this when you are using some javascript front-end framework and you are using groups in slim php
  37. $app->group('/api', function () {
  38.     // Due to the behaviour of browsers when sending PUT or DELETE request, you must add the OPTIONS method. Read about preflight.
  39.     $this->map(['PUT', 'OPTIONS'], '/{user_id:[0-9]+}', function ($request, $response, $arguments) {
  40.         // Your code here...
  41.     });
  42. });
  44. $app->run();