
Fixed cors implementation

Will Browning 5 年之前
父節點
當前提交
655ec5d3ee
共有 5 個文件被更改,包括 46 次插入7 次删除
  1. 1 1
      app/Http/Kernel.php
  2. 39 4
      app/Http/Middleware/Cors.php
  3. 4 0
      resources/css/app.css
  4. 1 1
      resources/views/layouts/app.blade.php
  5. 1 1
      routes/api.php

+ 1 - 1
app/Http/Kernel.php

@@ -19,6 +19,7 @@ class Kernel extends HttpKernel
         \App\Http\Middleware\TrimStrings::class,
         \Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull::class,
         \App\Http\Middleware\TrustProxies::class,
+        \App\Http\Middleware\Cors::class,
     ];
 
     /**
@@ -61,7 +62,6 @@ class Kernel extends HttpKernel
         'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
         'verified' => \Illuminate\Auth\Middleware\EnsureEmailIsVerified::class,
         '2fa' => \App\Http\Middleware\VerifyTwoFactorAuth::class,
-        'cors' => \App\Http\Middleware\Cors::class,
     ];
 
     /**
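Review bot: The position of `\App\Http\Middleware\Cors::class` directly after `TrustProxies::class` in the global stack is load-bearing and should be commented, because Cors.php's `isCorsRequest` compares the Origin header against `getSchemeAndHttpHost()`, which only reflects forwarded scheme and host once TrustProxies has run. A one-line note such as `// Must run after TrustProxies: Cors compares Origin against the resolved scheme/host` would stop a future reorder from silently breaking the same-origin check behind a proxy. Moving the middleware from the `'cors'` route alias to the global stack also means every web route now gets the cross-origin handling that was previously limited to the api group, which is presumably intended but worth stating in the commit or class docblock.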

+ 39 - 4
app/Http/Middleware/Cors.php

@@ -15,9 +15,44 @@ class Cors
      */
     public function handle($request, Closure $next)
     {
-        return $next($request)
-            ->header('Access-Control-Allow-Origin', '*')
-            ->header('Access-Control-Allow-Methods', 'GET, POST, PATCH, PUT, DELETE, OPTIONS')
-            ->header('Access-Control-Allow-Headers', 'Origin, Content-Type, Accept, Authorization, X-Requested-With');
+        if (! $this->isCorsRequest($request)) {
+            return $next($request);
+        }
+
+        if (! in_array($request->getMethod(), ['POST', 'OPTIONS'])) {
+            return response('Forbidden cors method', 403);
+        }
+
+        if ($request->getMethod() === 'OPTIONS') {
+            return $this->handlePreflightRequest();
+        }
+
+        $response = $next($request);
+
+        $response->headers->set('Access-Control-Allow-Origin', '*');
+        $response->headers->set('Access-Control-Expose-Headers', 'Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, Pragma');
+
+        return $response;
+    }
+
+    protected function isCorsRequest($request): bool
+    {
+        if (! $request->headers->has('Origin')) {
+            return false;
+        }
+
+        return $request->headers->get('Origin') !== $request->getSchemeAndHttpHost();
+    }
+
+    protected function handlePreflightRequest()
+    {
+        $response = response(null, 204);
+
+        $response->headers->set('Access-Control-Allow-Origin', '*');
+        $response->headers->set('Access-Control-Allow-Methods', 'POST, OPTIONS');
+        $response->headers->set('Access-Control-Allow-Headers', 'Origin, Content-Type, Accept, Authorization, X-Requested-With');
+        $response->headers->set('Access-Control-Max-Age', 60 * 60 * 24);
+
+        return $response;
     }
 }
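Review bot: The 403 in `handle` rejects every request whose Origin differs from `getSchemeAndHttpHost()` and whose method is not POST or OPTIONS, yet browsers attach Origin to same-origin PUT/PATCH/DELETE fetches as well, so any scheme or host mismatch (for instance TLS terminated upstream and not reflected in the resolved scheme) would turn same-origin AJAX writes into 403s; `isCorsRequest` deserves a comment stating that it relies on the resolved scheme and host being correct. Two smaller points: `in_array($request->getMethod(), ['POST', 'OPTIONS'], true)` should pass strict, and `Access-Control-Max-Age` is set to an int where the header bag expects a string, so `(string) (60 * 60 * 24)` avoids relying on coercion. The wildcard `Access-Control-Allow-Origin: *` is only safe because no `Access-Control-Allow-Credentials` header is emitted (browsers then never send cookies cross-origin), so a comment such as `// Wildcard origin is intentional: no Allow-Credentials, so session cookies are never sent cross-origin` would guard against someone adding credentials later. Note also that the 403 response carries no CORS headers, so a browser caller sees a generic CORS failure rather than the 'Forbidden cors method' body.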

+ 4 - 0
resources/css/app.css

@@ -6,6 +6,10 @@ html {
   font-size: 16px;
 }
 
+[v-cloak] {
+  display: none;
+}
+
 @tailwind components;
 
 /* Add custom components here... */

+ 1 - 1
resources/views/layouts/app.blade.php

@@ -21,7 +21,7 @@
     <link href="{{ mix('css/app.css') }}" rel="stylesheet">
 </head>
 <body class="bg-grey-50 antialiased text-grey-900">
-    <div id="app">
+    <div id="app" v-cloak>
 
         @include('nav.nav')
 

+ 1 - 1
routes/api.php

@@ -12,7 +12,7 @@
 */
 
 Route::group([
-  'middleware' => ['cors', 'verified'],
+  'middleware' => ['verified'],
   'prefix' => 'v1'
 ], function () {
     Route::post('/aliases', 'Api\AliasApiController@store');