From 654e72ceb535ef508c37808d81af762ce11562f7 Mon Sep 17 00:00:00 2001
From: James Brooks
Date: Sat, 26 Jan 2019 10:37:24 +0000
Subject: [PATCH 1/2] Fixes CORS headers. Closes #3413
---
 .../Providers/RouteServiceProvider.php | 4 +--
 app/Http/Kernel.php | 6 ++--
 app/Http/Middleware/VerifyCsrfToken.php | 33 +++++++++++++++++++
 app/Http/Routes/ApiRoutes.php | 2 +-
 config/cors.php | 17 ++++++----
 5 files changed, 49 insertions(+), 13 deletions(-)
 create mode 100644 app/Http/Middleware/VerifyCsrfToken.php
diff --git a/app/Foundation/Providers/RouteServiceProvider.php b/app/Foundation/Providers/RouteServiceProvider.php
index 9a17c2a6ec44..b375e5a50b56 100644
--- a/app/Foundation/Providers/RouteServiceProvider.php
+++ b/app/Foundation/Providers/RouteServiceProvider.php
@@ -11,7 +11,6 @@
 namespace CachetHQ\Cachet\Foundation\Providers;
-use Barryvdh\Cors\HandleCors;
 use CachetHQ\Cachet\Http\Middleware\Acceptable;
 use CachetHQ\Cachet\Http\Middleware\Authenticate;
 use CachetHQ\Cachet\Http\Middleware\Timezone;
@@ -22,12 +21,12 @@
 use CachetHQ\Cachet\Http\Routes\SignupRoutes;
 use Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse;
 use Illuminate\Cookie\Middleware\EncryptCookies;
-use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken;
 use Illuminate\Foundation\Support\Providers\RouteServiceProvider as ServiceProvider;
 use Illuminate\Routing\Middleware\SubstituteBindings;
 use Illuminate\Routing\Router;
 use Illuminate\Session\Middleware\StartSession;
 use Illuminate\View\Middleware\ShareErrorsFromSession;
+use CachetHQ\Cachet\Http\Middleware\VerifyCsrfToken;
 /**
 * This is the route service provider.
@@ -171,7 +170,6 @@ protected function mapForBrowser(Router $router, $routes, $applyAlwaysAuthentica
 protected function mapOtherwise(Router $router, $routes, $applyAlwaysAuthenticate)
 {
 $middleware = [
- HandleCors::class,
 SubstituteBindings::class,
 Acceptable::class,
 Timezone::class,
diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php
index 775f4691803d..fe4494847d1b 100644
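Review bot: The import swap in the `@@ -22,12 +21,12 @@` hunk changes which CSRF middleware this provider applies wherever it references `VerifyCsrfToken::class` (the usage is outside the hunks), and the project subclass it now resolves to exempts `/api/*` — the `$except` entry is only visible in patch 2/2. That exemption is safe only while no `api/` route accepts an ambient credential such as the session cookie or HTTP Basic; presumably `auth.api` relies on the `X-Cachet-Token` header, but that should be confirmed. I would add a comment above `$except` in the new middleware, for example `// API routes authenticate per request via X-Cachet-Token, never via the session cookie, so CSRF verification is skipped for them.` Separately, dropping `HandleCors::class` from `mapOtherwise()` means non-browser routes now get CORS headers only where a group opts in with `cors`; the method body continues outside the hunk.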
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@@ -24,6 +24,7 @@
 use Illuminate\Auth\Middleware\Authorize;
 use Illuminate\Foundation\Http\Kernel as HttpKernel;
 use Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode;
+use Barryvdh\Cors\HandleCors;
 class Kernel extends HttpKernel
 {
@@ -33,8 +34,8 @@ class Kernel extends HttpKernel
 * @var array
 */
 protected $middleware = [
- TrustProxies::class,
- CheckForMaintenanceMode::class,
+ // TrustProxies::class,
+ // CheckForMaintenanceMode::class,
 ];
 /**
@@ -45,6 +46,7 @@ class Kernel extends HttpKernel
 protected $routeMiddleware = [
 'admin' => Admin::class,
 'can' => Authorize::class,
+ 'cors' => HandleCors::class,
 'auth' => Authenticate::class,
 'auth.api' => ApiAuthentication::class,
 'guest' => RedirectIfAuthenticated::class,
diff --git a/app/Http/Middleware/VerifyCsrfToken.php b/app/Http/Middleware/VerifyCsrfToken.php
new file mode 100644
index 000000000000..213645b73441
--- /dev/null
+++ b/app/Http/Middleware/VerifyCsrfToken.php
@@ -0,0 +1,33 @@ + 'Api',
 'prefix' => 'api/v1',
 ], function (Registrar $router) {
- $router->group(['middleware' => ['auth.api']], function (Registrar $router) {
+ $router->group(['middleware' => ['auth.api', 'cors']], function (Registrar $router) {
 $router->get('components', 'ComponentController@index');
 $router->get('components/groups', 'ComponentGroupController@index');
 $router->get('components/groups/{component_group}', 'ComponentGroupController@show');
diff --git a/config/cors.php b/config/cors.php
index fb12f8c9df49..a1079ccfa667 100644
--- a/config/cors.php
+++ b/config/cors.php
@@ -10,6 +10,7 @@
 */
 return [
+
 /*
 |--------------------------------------------------------------------------
 | Laravel CORS
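Review bot: The `@@ -33,8 +34,8 @@` hunk of `Kernel.php` comments out both global middleware entries, `TrustProxies::class` and `CheckForMaintenanceMode::class`, which is unrelated to the CORS fix named in the subject and looks like leftover debugging. Without `TrustProxies`, an instance behind a reverse proxy or load balancer will presumably stop honouring the forwarded client IP and scheme, which affects IP-based throttling, logging and HTTPS URL generation; without `CheckForMaintenanceMode`, the maintenance flag no longer blocks requests. Unless the removal is intended, restore the lines as `TrustProxies::class,` and `CheckForMaintenanceMode::class,`. If it is intended, delete the entries and their `use` imports instead of leaving commented-out code, and say so in the commit message. The class body continues outside the hunk.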
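Review bot: Listing `'cors'` after `'auth.api'` in the changed `$router->group(...)` line means the CORS middleware only runs once authentication has let the request through, so a response produced by `auth.api` itself (a 401, for example) would presumably go out without `Access-Control-*` headers and a browser client sees an opaque CORS failure instead of the status. As route middleware it also runs only for requests that match a registered route, so a preflight `OPTIONS` request to these `get` routes may never reach it; a test that sends `OPTIONS` with `Origin` and `Access-Control-Request-Headers: X-Cachet-Token` would settle that. I would write `['middleware' => ['cors', 'auth.api']]` and check whether the other groups in this file need `cors` too. The `diff --git` header for `ApiRoutes.php` and the body of the new `VerifyCsrfToken.php` did not survive on this page, and the closure continues outside the hunk.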
@@ -19,11 +20,13 @@
 | to accept any value.
 |
 */
- 'supportsCredentials' => false,
- 'allowedOrigins' => ['*'],
- 'allowedHeaders' => ['X-Cachet-Token'],
- 'allowedMethods' => ['*'],
- 'exposedHeaders' => [],
- 'maxAge' => 3600,
- 'hosts' => [],
+
+ 'supportsCredentials' => false,
+ 'allowedOrigins' => ['*'],
+ 'allowedOriginsPatterns' => [],
+ 'allowedHeaders' => ['X-Cachet-Token'],
+ 'allowedMethods' => ['*'],
+ 'exposedHeaders' => [],
+ 'maxAge' => 3600,
+
 ];
From ffe9c99f9c1a244394b1be3c5d92a192a63f0fa0 Mon Sep 17 00:00:00 2001
From: James Brooks
Date: Sat, 26 Jan 2019 10:38:21 +0000
Subject: [PATCH 2/2] Apply fixes from StyleCI
---
 app/Foundation/Providers/RouteServiceProvider.php | 2 +-
 app/Http/Kernel.php | 2 +-
 app/Http/Middleware/VerifyCsrfToken.php | 4 ++--
 config/cors.php | 4 ++--
 4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/app/Foundation/Providers/RouteServiceProvider.php b/app/Foundation/Providers/RouteServiceProvider.php
index b375e5a50b56..45c01a5d2b34 100644
--- a/app/Foundation/Providers/RouteServiceProvider.php
+++ b/app/Foundation/Providers/RouteServiceProvider.php
@@ -14,6 +14,7 @@
 use CachetHQ\Cachet\Http\Middleware\Acceptable;
 use CachetHQ\Cachet\Http\Middleware\Authenticate;
 use CachetHQ\Cachet\Http\Middleware\Timezone;
+use CachetHQ\Cachet\Http\Middleware\VerifyCsrfToken;
 use CachetHQ\Cachet\Http\Routes\ApiSystemRoutes;
 use CachetHQ\Cachet\Http\Routes\AuthRoutes;
 use CachetHQ\Cachet\Http\Routes\Setup\ApiRoutes as ApiSetupRoutes;
@@ -26,7 +27,6 @@
 use Illuminate\Routing\Router;
 use Illuminate\Session\Middleware\StartSession;
 use Illuminate\View\Middleware\ShareErrorsFromSession;
-use CachetHQ\Cachet\Http\Middleware\VerifyCsrfToken;
 /**
 * This is the route service provider.
diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php
index fe4494847d1b..c0079a833167 100644
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
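Review bot: The wildcard `'allowedOrigins' => ['*']` in the `@@ -19,11 +20,13 @@` hunk of `config/cors.php` is acceptable only because it sits next to `'supportsCredentials' => false`, and nothing in the file records that dependency. I would add a comment above the two keys: `// Keep supportsCredentials false while allowedOrigins is '*'; list explicit origins before enabling credentials.` With `allowedHeaders` still limited to `X-Cachet-Token`, a cross-origin JSON write that sends `Content-Type: application/json` would presumably fail its preflight, so consider `['X-Cachet-Token', 'Content-Type']` if browser clients are meant to reach the write endpoints. The dropped `hosts` key and the new `allowedOriginsPatterns` key look like an alignment with a newer config format of the CORS package, which is inferred rather than shown here.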
@@ -12,6 +12,7 @@
 namespace CachetHQ\Cachet\Http;
 use AltThree\Throttle\ThrottlingMiddleware;
+use Barryvdh\Cors\HandleCors;
 use CachetHQ\Cachet\Http\Middleware\Admin;
 use CachetHQ\Cachet\Http\Middleware\ApiAuthentication;
 use CachetHQ\Cachet\Http\Middleware\Authenticate;
@@ -24,7 +25,6 @@
 use Illuminate\Auth\Middleware\Authorize;
 use Illuminate\Foundation\Http\Kernel as HttpKernel;
 use Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode;
-use Barryvdh\Cors\HandleCors;
 class Kernel extends HttpKernel
 {
diff --git a/app/Http/Middleware/VerifyCsrfToken.php b/app/Http/Middleware/VerifyCsrfToken.php
index 213645b73441..03736d466662 100644
--- a/app/Http/Middleware/VerifyCsrfToken.php
+++ b/app/Http/Middleware/VerifyCsrfToken.php
@@ -28,6 +28,6 @@ class VerifyCsrfToken extends Middleware
 * @var array
 */
 protected $except = [
- '/api/*'
+ '/api/*',
 ];
-}
\ No newline at end of file
+}
diff --git a/config/cors.php b/config/cors.php
index a1079ccfa667..6e843598bebd 100644
--- a/config/cors.php
+++ b/config/cors.php
@@ -10,7 +10,7 @@
 */
 return [
-
+
 /*
 |--------------------------------------------------------------------------
 | Laravel CORS
@@ -20,7 +20,7 @@
 | to accept any value.
 |
 */
-
+
 'supportsCredentials' => false,
 'allowedOrigins' => ['*'],
 'allowedOriginsPatterns' => [],