Question

Restler3 is truly incredible!

We have a "public" API, a "management" API with API_KEY based Access Control, and we would like another API protected by CORS (no API_KEY).

The new CORS protected API would be used to protect all of our javascript ajax calls. We want to centralize all of the ajax server-side code into one API with consistent entry and exit points.

We have set the following Restler defaults.

Defaults::$crossOriginResourceSharing = true;
Defaults::$accessControlAllowOrigin = 'https://www.mydomain.com';

Is this the correct technique?

How do we confirm the security is working properly?

For reference, here is the index.php that we have created for this new API.

<?php

// get the document root from apache and make sure that there is a trailing slash
$document_root = rtrim($_SERVER['DOCUMENT_ROOT'], '/') . '/';

// autoload Restler
// note: this code was provided by Arul to address issues with autoloading Swift and Aws
$loader = require_once $document_root . 'vendor/autoload.php';
$loader->setUseIncludePath(true);
class_alias('Luracast\\Restler\\Restler', 'Restler');

// import namespaces
use Luracast\Restler\Defaults;
use Luracast\Restler\Restler;

// setup versioning
Defaults::$useUrlBasedVersioning = true;

// setup CORS on this API
Defaults::$crossOriginResourceSharing = true;
Defaults::$accessControlAllowOrigin = 'https://www.mydomain.com';

// instantiate restler
$r = new Restler();

// support both Json and Xml formats
$r->setSupportedFormats('JsonFormat', 'XmlFormat');

// api version
$r->setAPIVersion(1);

// create resources.json at API Root for use by API Explorer
$r->addAPIClass('Luracast\\Restler\\Resources');

// autoload the Diagnostics class in the v1 folder
$r->addAPIClass('Diagnostics');

// start
$r->handle();

Response Headers.

Date: Tue, 15 Oct 2013 17:50:12 GMT
X-Powered-By: PHP/5.3.27
Connection: Keep-Alive
Content-Length: 50
Server: Apache
Content-Type: text/html
Keep-Alive: timeout=5, max=94

Solution

Yup, you are doing it right for CORS.

For testing it, try calling the API method through JavaScript. If it works for a domain which is not enabled, that shows it's not working.

Similarly, if it does not work for a domain that is enabled, that is wrong too.
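The two checks the answer describes, written out as an added example (not code from the question, the answer or the Restler project): a small Node script that applies the browser's CORS read rule to captured response headers and flags an origin that is allowed or blocked when it should not be. The allowed origin is the one from the question; the second origin, the captured header sets and the probe URL parameter are constructed for illustration.

```javascript
// Allowed origin exactly as configured in the question
const ALLOWED_ORIGIN = 'https://www.mydomain.com';

// Browser decision for a simple (non-preflighted) cross-origin response:
// the Access-Control-Allow-Origin value must be '*' or match the requesting
// origin exactly (scheme, host, port); '*' is rejected when credentials are sent.
// Header names are expected lower-cased, as Node's fetch() returns them.
function browserAllowsRead(requestOrigin, headers, withCredentials = false) {
  const acao = headers['access-control-allow-origin'];
  if (acao === undefined) return false;            // no CORS header at all: blocked
  if (acao === '*') return !withCredentials;        // wildcard never pairs with credentials
  if (acao !== requestOrigin) return false;         // any other value must match exactly
  if (withCredentials) return headers['access-control-allow-credentials'] === 'true';
  return true;
}

// Run the enabled/not-enabled checks over a list of {origin, headers} captures.
// Returns the list of failed checks; an empty list means the policy behaves.
function verifyPolicy(captures) {
  const failures = [];
  for (const { origin, headers } of captures) {
    const shouldAllow = origin === ALLOWED_ORIGIN;
    const allowed = browserAllowsRead(origin, headers);
    if (allowed !== shouldAllow) {
      failures.push(`${origin}: expected ${shouldAllow ? 'allowed' : 'blocked'}, got ${allowed ? 'allowed' : 'blocked'}`);
    }
  }
  return failures;
}

// Constructed captures: what a correctly configured API should return
const GOOD_CAPTURES = [
  { origin: 'https://www.mydomain.com', headers: { 'content-type': 'application/json', 'access-control-allow-origin': 'https://www.mydomain.com' } },
  { origin: 'https://other.example', headers: { 'content-type': 'application/json' } },
];

// Constructed capture of a misconfiguration: the server reflects whatever Origin it receives
const REFLECTING_CAPTURES = [
  { origin: 'https://other.example', headers: { 'access-control-allow-origin': 'https://other.example' } },
];

// Optional live probe (Node 18+ fetch): send a chosen Origin header and return the
// lower-cased response headers so they can be fed to verifyPolicy(). The URL is a placeholder.
async function probe(url, origin) {
  const res = await fetch(url, { headers: { Origin: origin } });
  return Object.fromEntries(res.headers.entries());
}

console.log('good config failures:', verifyPolicy(GOOD_CAPTURES));
console.log('reflecting config failures:', verifyPolicy(REFLECTING_CAPTURES));
```

Note that the response headers pasted in the question carry no Access-Control-Allow-Origin header at all, which is the "blocked" case above; a probe with the enabled Origin should produce one. CORS only governs what a browser may read, so it does not replace the API key used on the management API.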

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow