CORS issue when responding with error

[gerob]

Using Angular to create a SPA, it works fine as long as my API isn't responding with an error. Take for example this code:

try {
     return User::findOrFail($user_id);
} catch (ModelNotFoundException $e) {
     throw new ResourceException("No user record found.");
}

If the user is found, Angular successfully retrieves the data. However if the record does not exist then this error is thrown.

XMLHttpRequest cannot load http://api.example.com/users/. 
No 'Access-Control-Allow-Origin' header is present on the requested resource. 
Origin 'http://my-angular-site.com' is therefore not allowed access. 

Successful requests have these headers:

Access-Control-Allow-Origin →*
Cache-Control →no-cache, private
Connection →keep-alive
Content-Type →application/json
Server →nginx
Transfer-Encoding →chunked
X-Frame-Options →SAMEORIGIN
date →Fri, 23 May 2014 13:27:26 GMT

Responses provided by throwing an error have these headers:

Cache-Control →no-cache, private
Connection →keep-alive
Content-Type →application/json
Server →nginx
Transfer-Encoding →chunked
X-Frame-Options →SAMEORIGIN
date →Fri, 23 May 2014 13:31:29 GMT

UPDATE:

If I use the following code then returning the errors works.

try {
     return User::findOrFail($user_id);
} catch (ModelNotFoundException $e) {
     header('Access-Control-Allow-Origin: *');
     throw new ResourceException("No user record found.");
}

[jasonlewis]

I'll have to look at a way of easily allowing custom headers when dealing with errors (and success) responses.

[philsturgeon]

Can you use this afterFilter to make sure the custom header is added regardless?

$this->afterFilter(function ($route, $req, $resp) {
    $resp->headers->set('Access-Control-Allow-Origin', '*');
    return $resp;
});

[ingro]

@philsturgeon thanks for your suggestion!

Anyway this works only for the requests that are handled in full by the Controller itself, I actually use a before filter that throws a Dingo's 'StoreResourceFailedException' on validation errors, maybe this cause the Controller (and it's after filter) to never run?

Take a look at https://github.com/barryvdh/laravel-cors

[ingro]

Thank you @MartinOlsansky, that packaged was helpful!

[jasonlewis]

You can use the response builder now to add custom headers when returning errors. I've also just pushed a fix so you can also supply headers with the exceptions by passing them as an array at the appropriate parameter.

throw new ResourceException('No user record found.', null, null, ['Access-Control-Allow-Origin', '*']);

[ingro]

Neat! Laravel Cors gave me some problems, I will try your fix as soon as I can!

[davidstanley01]

Using the league/oauth2 package along with the laravel package from lucadegasperi, there is no (clean) way to add the CORS header when a token is invalid. The response is generated in Http/Middleware/Authentication@authenticate which then calls Http/Response@makeFromExisting. This completely bypasses the After filters.

For now, I just added $response->headers->set('Access-Control-Allow-Origin', '*'); right above the return statement.

[davidstanley01]

I ended up just writing my own middleware (and service provider) to ensure the header was always present on error responses and then just registered the service provider BEFORE the dingo provider. Works like a charm.

[jasonlewis]

Sounds like an older version of the package (0.6.*)? 0.7.*@dev uses filters instead of middleware and it fires the after filters.

[Atorich]

I have the same issue.
How I can provide CORS headers when I throw exceptions assumed there https://github.com/dingo/api/wiki/Returning-Errors ?

I handle it in App::after filter but it is not present when I throw this exceptions

[davidstanley01]

This is the middleware I'm using (until I can upgrade to the next version of Dingo).

<?php namespace MMGY\Services\Http;

use Symfony\Component\HttpKernel\HttpKernelInterface;
use Symfony\Component\HttpFoundation\Request as SymfonyRequest;

class CorsHeader implements HttpKernelInterface {

    /**
     * The wrapped kernel implementation.
     */
    protected $app;

    /**
     * Class Constructor
     * @param  \Symfony\Component\HttpKernel\HttpKernelInterface  $app
     * @return void
     */
    public function __construct(HttpKernelInterface $app)
    {
        $this->app = $app;
    }

    /**
     * Handle the given request and get the response.
     * @implements HttpKernelInterface::handle
     * @param  \Symfony\Component\HttpFoundation\Request  $request
     * @param  int   $type
     * @param  bool  $catch
     * @return \Symfony\Component\HttpFoundation\Response
     */
    public function handle(SymfonyRequest $request, $type = HttpKernelInterface::MASTER_REQUEST, $catch = true)
    {
        // Handle on passed down request
        $response = $this->app->handle($request, $type, $catch);

        $response->headers->set('Access-Control-Allow-Origin', '*');

        return $response;
    }

}

Then, the service provider to register the above middleware:

<?php namespace MMGY\Services\Http;

use MMGY\Services\Http\CorsHeader;
use Illuminate\Support\ServiceProvider;

class HttpServiceProvider extends ServiceProvider
{
    /**
     * Register the binding
     * @return void
     */
    public function register()
    {
        // Register CORS Header middleware
        $this->app->middleware(new CorsHeader($this->app));

    }
}

Finally, register the service provider BEFORE the dingo provider in app/config/app.php.

[kabelo38]

upon successful records this works well for me using .htaccess file

Header set Cache-Control "no-cache, no-store, must-revalidate" Header set Access-Control-Allow-Origin "*" Header set Pragma "no-cache" Header set Expires 0

$user = User::findOrFail('1');
try {
return $this->response->item($user , new UserTransformer);

} catch (ModelNotFoundException $e) {

   throw new ResourceException("No user record found."); //this does not work
  return 'No user record found.'; //this works but poor coding

}