Laravel 8 CORS issue getting 403 OPTIONS

  cors, laravel, php

I deployed my Laravel application on cPanel, using Sanctum for the SPA.
The frontend is using Vue. The application is running on https://test.application.com and the backend is https://api.test.application.com.

The application runs just fine on localhost, but since I moved to cPanel I keep getting a 403 for OPTIONS.

api.php

Route::post('/login', [AuthController::class, 'auth']);
Route::group(['middleware' => ['auth:sanctum']], function() {
    Route::get('/comercial/page/{pageSize}', [ComercialController::class, 'all'])->middleware(['can:isTodos']);
    Route::get('/residencial/page/{pageSize}', '[email protected]')->middleware(['can:isAdmin']);
});

cors

    'paths' => ['api/*', 'sanctum/csrf-cookie'],

    'allowed_methods' => ['OPTIONS', 'GET', 'POST'],

    'allowed_origins' => ['https://test.application.com'],

    'allowed_origins_patterns' => [],
    //'x-requested-with', 'client-security-token', 
    'allowed_headers' => [ 'Content-Type', 'Origin', 'Authorization', 'Accept', 'Set-Cookie', 'XSRF-TOKEN'],

    'exposed_headers' => [],

    'max_age' => 1000,

    'supports_credentials' => true,

public_html/api/.htaccess

RewriteOptions inherit
<IfModule mod_rewrite.c>
    <IfModule mod_negotiation.c>
        Options -MultiViews -Indexes
    </IfModule>

    # Keep these lines
    Header always set Access-Control-Allow-Origin "https://test.application.com"
    Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
    Header always set Access-Control-Max-Age "1000"
    #client-security-token,, x-requested-with,
    Header always set Access-Control-Allow-Headers "Content-Type, Origin, Authorization, Accept,  Set-Cookie, XSRF-TOKEN"
    Header always set Access-Control-Allow-Credentials "true" 
    
    RewriteEngine On

    # Handle Authorization Header
    RewriteCond %{HTTPS:Authorization} .
    RewriteRule .* - [E=HTTPS_AUTHORIZATION:%{HTTPS:Authorization}]

    # Redirect Trailing Slashes If Not A Folder...
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} (.+)/$
    RewriteRule ^ %1 [L,R=301]

    # Send Requests To Front Controller...
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ index.php [L]
</IfModule>

.env

CORS_ALLOWED_ORIGINS=test.application.com

SESSION_DOMAIN=.test.application.com
SANCTUM_STATEFUL_DOMAINS=test.application.com,http://test.application.com,https://test.application.com

Main issue

Request URL: https://api.test.application.com/api/login
Request Method: OPTIONS
Status Code: 403 Forbidden
Remote Address: 162.214.210.231:443
Referrer Policy: strict-origin-when-cross-origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: content-type, x-requested-with, Content-Type, origin, authorization, accept, client-security-token, Set-Cookie, XSRF-TOKEN, Access-Control-Allow-Origin
Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT
Access-Control-Allow-Origin: https://test.application.com
Access-Control-Max-Age: 1000
Cache-Control: no-cache, private
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Date: Fri, 10 Sep 2021 01:11:15 GMT
Keep-Alive: timeout=5, max=100
Server: Apache
Transfer-Encoding: chunked
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7
Access-Control-Request-Headers: content-type,x-xsrf-token
Access-Control-Request-Method: POST
Connection: keep-alive
Host: api.test.application.com
Origin: https://test.application.com
Referer: https://test.application.com/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36

Access to XMLHttpRequest at 'https://api.test.application.com/api/login' from origin 'https://test.application.com' 
has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status. 

Could anyone kindly assist me with this issue?

Source: Laravel
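
Added example, not part of the original post: the preflight exchange captured above, run through the checks a browser applies to a preflight response (2xx status, origin, credentials, method, requested headers). The helper name `checkPreflight` and the object layout are assumptions made for illustration; the header values are copied from the capture.

```javascript
// Added example: header values below are copied from the exchange in the post.
const captured = {
  status: 403,
  request: {
    origin: 'https://test.application.com',
    method: 'POST',                              // Access-Control-Request-Method
    headers: 'content-type,x-xsrf-token',        // Access-Control-Request-Headers
  },
  response: {
    'access-control-allow-origin': 'https://test.application.com',
    'access-control-allow-credentials': 'true',
    'access-control-allow-methods': 'POST, GET, OPTIONS, DELETE, PUT',
    'access-control-allow-headers': 'content-type, x-requested-with, Content-Type, ' +
      'origin, authorization, accept, client-security-token, Set-Cookie, ' +
      'XSRF-TOKEN, Access-Control-Allow-Origin',
  },
};

// Split a comma-separated header value into lowercase tokens.
const tokens = (v) => (v || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);

// Hypothetical helper: returns the reasons a browser would reject this preflight.
// credentialed = request sent with cookies (withCredentials), as a Sanctum SPA does.
function checkPreflight({ status, request, response }, credentialed = true) {
  const problems = [];
  const wildcardOk = (list) => !credentialed && list.includes('*');
  if (status < 200 || status > 299) problems.push(`status ${status} is not 2xx`);
  const allowOrigin = response['access-control-allow-origin'];
  if (allowOrigin !== request.origin && !(allowOrigin === '*' && !credentialed)) {
    problems.push(`origin ${request.origin} is not allowed`);
  }
  if (credentialed && response['access-control-allow-credentials'] !== 'true') {
    problems.push('Access-Control-Allow-Credentials is not "true"');
  }
  const methods = tokens(response['access-control-allow-methods']);
  const method = request.method.toLowerCase();
  if (!['get', 'head', 'post'].includes(method) && !methods.includes(method) && !wildcardOk(methods)) {
    problems.push(`method ${request.method} is not allowed`);
  }
  const allowed = tokens(response['access-control-allow-headers']);
  for (const name of tokens(request.headers)) {
    if (!allowed.includes(name) && !wildcardOk(allowed)) {
      problems.push(`header ${name} is not in Access-Control-Allow-Headers`);
    }
  }
  return problems;
}

console.log(checkPreflight(captured));
```

For this capture it returns two problems: the 403 status, and `x-xsrf-token` (requested in Access-Control-Request-Headers) being absent from Access-Control-Allow-Headers, which lists `XSRF-TOKEN` instead.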
