
Merge pull request #5011 from ThisIsMissEm/feat/add-api-cors

Adjust CORS configuration to support API & OAuth Routes
daniel 1 年之前
父節點
當前提交
e2c2952fda
共有 2 個文件被更改,包括 8 次插入5 次删除
  1. 2 2
      app/Http/Kernel.php
  2. 6 3
      config/cors.php

+ 2 - 2
app/Http/Kernel.php

@@ -14,12 +14,12 @@ class Kernel extends HttpKernel
      * @var array
      */
     protected $middleware = [
+        \Illuminate\Http\Middleware\HandleCors::class,
         \Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode::class,
         \Illuminate\Foundation\Http\Middleware\ValidatePostSize::class,
+        \App\Http\Middleware\TrustProxies::class,
         \App\Http\Middleware\TrimStrings::class,
         \Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull::class,
-        \App\Http\Middleware\TrustProxies::class,
-        \Illuminate\Http\Middleware\HandleCors::class,
     ];
 
     /**
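Review bot: The order of `$middleware` is now significant, but nothing in the array says why: `HandleCors` moves to the top and so runs before `TrustProxies`, which this hunk places third. If the CORS middleware in use derives anything from the request's scheme or host (some versions compare the Origin header against the request host), it would see the proxy-facing values rather than the forwarded ones, so this is worth confirming behind a reverse proxy. I would add a comment above the first entry such as `// HandleCors stays first so responses produced by later middleware (maintenance mode, post-size errors) still carry CORS headers`. Consider also moving `TrustProxies` ahead of `CheckForMaintenanceMode`, so that every global middleware sees the forwarded client address. The `Kernel` class continues outside the hunk.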

+ 6 - 3
config/cors.php

@@ -22,7 +22,9 @@ return [
      * Example: ['api/*']
      */
     'paths' => [
-        '.well-known/*'
+        '.well-known/*',
+        'api/*',
+        'oauth/*'
     ],
 
     /*
@@ -48,7 +50,8 @@ return [
     /*
      * Sets the Access-Control-Expose-Headers response header with these headers.
      */
-    'exposed_headers' => [],
+    // TODO: Add support for rate-limit related headers
+    'exposed_headers' => ['Link'],
 
     /*
      * Sets the Access-Control-Max-Age response header when > 0.
@@ -59,4 +62,4 @@ return [
      * Sets the Access-Control-Allow-Credentials header.
      */
     'supports_credentials' => false,
-];
+];
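Review bot: Adding `'api/*'` and `'oauth/*'` to `paths` puts every route under those prefixes under whatever `allowed_origins` and `allowed_methods` are set to, and those keys are outside the hunks shown; if they are wildcards, any web origin can read these responses from a browser. `'supports_credentials' => false` (visible in the last hunk) is what keeps cookie-authenticated responses unreadable cross-origin, so a comment beside it such as `// keep false while allowed_origins is a wildcard; api/* and oauth/* are covered by this config` would record that dependency. `'oauth/*'` is probably broader than browser clients need, since only endpoints called via fetch/XHR require CORS; consider listing those endpoints explicitly instead of the whole prefix. The new `// TODO` above `exposed_headers` should name the rate-limit headers it means or point to a tracking issue.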