dongyi9298 2016-03-17 17:28
浏览 106
已采纳

Laravel 5 / Nginx - 在Web服务器级别设置的CORS标头的奇怪行为

I am facing up this problem:

I set CORS headers in nginx, in this way:

add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
add_header Access-Control-Allow-Origin "*";
add_header Access-Control-Allow-Methods "GET,POST,PUT,OPTIONS";
add_header Access-Control-Allow-Headers "Keep-Alive,User-Agent,X-Requested-With,Cache-Control,Content-Type";

I need to call my API endpoint to authenticate an user and release a JWT. What is happening is that if the authentication goes fine, the server respond with the following headers:

Access-Control-Allow-Headers →Keep-Alive,User-Agent,X-Requested-With,Cache-Control,Content-Type
Access-Control-Allow-Methods →GET,POST,PUT,OPTIONS
Access-Control-Allow-Origin →*
Cache-Control →no-cache
Connection →keep-alive
Content-Encoding →gzip
Content-Type →application/json
Date →Thu, 17 Mar 2016 17:13:34 GMT
Server →nginx
Strict-Transport-Security →max-age=10886400; includeSubdomains
Transfer-Encoding →chunked
Vary →Accept-Encoding
X-Content-Type-Options →nosniff
X-Frame-Options →SAMEORIGIN
X-XSS-Protection →1; mode=block

But, if credentials are invalid, I get these ones:

Cache-Control →no-cache
Connection →keep-alive
Content-Encoding →gzip
Content-Type →application/json
Date →Thu, 17 Mar 2016 17:14:58 GMT
Server →nginx
Transfer-Encoding →chunked
Vary →Accept-Encoding

In other words, correct credentials give me a 200 status code with CORS headers, while wrong credentials give me 401 status code without CORS headers

Here is the auth method of User controller:

public function authenticate(Requests\AuthenticateUserRequest $request)
    {
        $credentials = $request->only('username', 'password');
        $customClaims = ['tfa' => null];

        try
        {
            // attempt to verify the credentials and create a token for the user
            if (!$token = JWTAuth::attempt($credentials, $customClaims))
            {
                // when this is the response, CORS headers are not set by nginx 
                return response()->json(Utils::standardResponse(false, 'Invalid credentials'), 401);
            }
        } catch (JWTException $e)
        {
            // something went wrong whilst attempting to encode the token
            return response()->json(Utils::standardResponse(false, 'Could not create token'), 500);
        }

       [...email notification and other stuff...]

        // all good so return the token
        return response()->json(Utils::standardResponse(true, '', compact('token')));
    }

N.B. i am testing with Postman, but the actual problem is that without CORS headers I can't read the response in browser (which uses XHR through React fetch)

  • 写回答

1条回答 默认 最新

  • duannue2455 2016-03-18 20:15
    关注

    Figured out. Nginx add_header does set headers only on successful responses (200 status code).

    I did need to use headers_more nginx's module. In particular, I did:

    more_set_headers "Access-Control-Allow-Origin: *";
    more_set_headers "Access-Control-Allow-Methods: GET,POST,PUT";
    more_set_headers "Access-Control-Allow-Headers: Keep-Alive,User-Agent,X-Requested-With,Cache-Control,Content-Type";
    

    As suggested in the documentation,

    If either -s or -t is not specified or has an empty list value, then no match is required. Therefore, the following directive set the Server output header to the custom value for any status code and any content type:

    more_set_headers "Server: my_server";

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥66 定制开发肯德基自动化网站下单软件
  • ¥20 vscode虚拟环境依赖包未安装
  • ¥15 odoo17关于owl开发js代码问题
  • ¥15 光纤中多普勒频移公式的推导
  • ¥15 怎么制作一个人脸识别门禁系统
  • ¥20 大华dss监控平台网络关闭登不进去
  • ¥15 请使用蚁群算法解决下列问题,并给出我完整的代码
  • ¥20 关于php录入完成后,批量更新数据库
  • ¥15 请教往复密封润滑问题
  • ¥15 cocos creator发布ios包