0

I have cloned slim skeleton (https://github.com/slimphp/Slim-Skeleton) which already have CORS implemented. But still when API calls OPTIONS before GET, it sends 405 ERROR "Method not allowed. Must be one of: GET"

Here is my route where I face this error. $group->get('/users', ListUsersAction::class);

    $app->group('', function (Group $group) {
        $group->post('/user/create', CreateUsersAction::class);
        $group->get('/users', ListUsersAction::class);
        $group->get('/user/{id}', ViewUserAction::class);
    })->add(AuthenticationMiddleware::class);

The same route is working from postman. And same route is working if I remove Authorization token from header.

Execution does not even reach to first line of "AuthenticationMiddleware".

However I tested it by adding same option route without "AuthenticationMiddleware".

like this:

    $app->options('/users', function(Request $request, Response $response) {return $response;});

    $app->group('', function (Group $group) {
        $group->post('/user/create', CreateUsersAction::class);
        $group->get('/users', ListUsersAction::class);
        $group->get('/user/{id}', ViewUserAction::class);
    })->add(AuthenticationMiddleware::class);

This is working. So I guess I forgot to add some code or I did any miskate which causing the error, or the skeleton has a bug.

Can anyone help on this? Thanks in advance.

Ankur
  • 519
  • 8
  • 15
  • This is a known "bug" in the documentation and in the skeleton. Better use explicit `options()` routes for the CORS preflight requests. [Example](https://odan.github.io/2019/11/24/slim4-cors) – odan Nov 27 '19 at 07:55
  • @odan Thanks for taking time to comment and engaging with the question. Below is the answer I found (Wildcard `OPTIONS` route). -- similar to what you suggested. – Ankur Nov 27 '19 at 19:12

2 Answers2

1

Okay I found the solution.

You can use a wildcard OPTIONS request to avoid this issue / error. Below is an example:

$app->options('/{routes:.+}', function ($request, $response, $args) {
    return $response;
});

I have tested it and currently working fine for me.

In my test, as mentioned, I tried it by creating OPTIONS route for /users, it was working but creating OPTINOS route for all API route get created is doesn't make sense, here is the solution as wildcard OPTIONS route.

thanks @odan for taking time to comment, but wildcard OPTIONS route is better solution.

Ankur
  • 519
  • 8
  • 15
  • Your welcome. Have you also tried requests to not existing routes and requests where the route exists but not the specific http method? – odan Nov 28 '19 at 13:09
  • As per https://howtodoinjava.com/spring-restful/http-options-request-handler/ The HTTP OPTIONS method is used to describe the communication options for the target resource. This method allows the client to determine the options and/or requirements associated with a resource, or the capabilities of a server, without implying a resource action or initiating a resource retrieval. So putting options as wildcard will not affect any security. If you request on any non-exist route, it will normally send you 404. – Ankur Nov 29 '19 at 14:08
0

I just added options all route, where I wanted use:

Example If I use it in /api/user route, then I add this code:

$app->options('/api/user', function ($request, $response, $args) {
    return $response;
});
Zoltán Bata
  • 36
  • 1
  • 2