Dynamic CORS options in Laravel

Typically used to configure custom allowed origins per user/account, so that your users can access your HTTP API from different domains without getting CORS errors.

Under the hood, this middleware dynamically sets Laravel's default CORS configuration options. Basically, it's a wrapper for calls like...

config("cors.allowed_origins", ["https://www.example.com"]);

... where the list of of allowed origins would dynamically change, for example come from the user's account settings.

Installation

composer require audunru/dynamic-cors

You will have to replace Laravel's default HandleCors middleware with a version that extends audunru\DynamicCors\Middleware\HandleCors.

Ensure that you are manually managing Laravel's default global middleware.
Remove \Illuminate\Http\Middleware\HandleCors::class from the middleware stack.
Create a new file app/Http/Middleware/UserCors.php.

You can place this wherever you want, and of course name it according to what it does in your application.

This is an example where a user has a list of per-user allowed origins, perhaps controlled by themselves in the application UI.


namespace App\Http\Middleware;

use Closure;
use audunru\DynamicCors\Middleware\HandleCors;

class UserCors extends HandleCors
{
    public function handle($request, Closure $next)
    {
        $user = Auth::user();

        $this->allowedOrigins = array_merge(
            [config('app.url')],
            $user->allowedOrigins // Note: allowedOrigins does not exist by default, it's something you would have to create. Or make something completely different
        );

        return parent::handle($request, $next);
    }
}

audunru\DynamicCors\Middleware\HandleCors has protected properties for allowedOrigins and all the other CORS service settings. Any properties that you set in your middleware will be used by the CORS service. Properties that you don't set will use the value set in cors.php.