How to beat nasty CORS in Yii?

Writing a REST application. There is a controller test. The treatment of AJAX by default the url of type 127.0.0.1:8000/tests work fine. Trying to add a custom URL. In the controller, create the corresponding action :
public function actionYo()
 { return ['result' => 'YO! Often quite counter intuitive!!!! ']; }


the ranting added

[
 'class' => 'yii\rest\UrlRule',
 'controller' => 'test',
 'extraPatterns' => [
 'GET yo' => 'yo', // 'xxxxx' refers to 'actionXxxxx'
 //tried to dance with a tambourine so - to no avail
 // 'OPTIONS ' yo' => 'yo', // 'xxxxx' refers to 'actionXxxxx'
],
 ],


everything works in postman and the browser NO. Favorite to tears CORS on guard security!
If you use // 'OPTIONS ' yo' => 'yo', // 'xxxxx' refers to 'actionXxxxx' - get 401 Unauthorized,
if only 'GET yo' => 'yo', // 'xxxxx' refers to 'actionXxxxx' , then 404 Not Found

As I understand it, OPTIONS the Yii query Builder , in General, to resolve on their own.
Default URLs are working fine. Cors looks like this (lying in the BaseController which is inherited) :

$behaviors['corsFilter'] = [
 'class' => \yii\filters\Cors::className(),
 'cors' => [ // restrict access to domains:
 'Origin' => [
'http://localhost:8080',

],
 'Access-Control-Request-Method' => ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'HEAD', 'OPTIONS'],
 'Access-Control-Allow-Credentials' => true,
 'Access-Control-Request-Headers' => ['*'],
 'Access-Control-Max-Age' => 3600 * 5,


],
 ];


Strength and NEURITIS in the outcome. The app itself did not start , because fighting with this....mm..m...b.... bad thing.

Thank you!

UPD the decision prompted a response @josefina_Glover. It varinat work, but to write ranting and for every non-standard action is ...laziness! )))
As you know, Yii provides ActiveController from which we inherited , when you write your REST controllers. It is already defined for the standard action the REST of the ranting. Is there and action for OPTIONS. Thus we can add a rule for the ranting that will send all OPTIONS requests to this action. No need to write crutches for every custom action we need. This is done in two lines :

[
 'class' => 'yii\rest\UrlRule',
 'controller' => ['test', 'best'], // line ODYN - are all controllers, for which this should work
 'extraPatterns' => [
 //line DYVA - this thing will send all action options, it is already there in the parent ActiveController
 'OPTIONS <action:\w+>' => 'options'
],
 ],
April 2nd 20 at 16:51
2 answers
April 2nd 20 at 16:53
Solution
As I understand it, OPTIONS the Yii query Builder , in General, to resolve on their own.


if you do not set up, it won't be anything to resolve.

Need to any opsins request went to route to the same controller which 1) does not require authorization 2) returns all the needed headers. To configure this versatile with routing yii2 me and failed, had to hardcoding different levels of ranting and forward them to a single method.
Thanks for the response!
if you do not set up, it won't be anything to resolve.
default of ranting and work out machine. But custom .... ((
I do not want hostility ((( - Abagail_Bergstrom commented on April 2nd 20 at 16:56
@josefina_Glover
Created a method blanky wrote in ranting and forwarding it, if the OPTIONS request and canceled its authorization. Works. Costalimai )) . Oddly, the dock is similar to PA with a tambourine is not described. Just add a new route in 'extraPatterns' and go to drink beer. If it is not kosher answers will have to do so.
Thank you. - Abagail_Bergstrom commented on April 2nd 20 at 16:59
@Abagail_Bergstrom, routing from yii2 bad at all - josefina_Glover commented on April 2nd 20 at 17:02
@josefina_Glover, I'm not so deeply familiar with the subject. More often "bad" is about the level of the framework :) - Abagail_Bergstrom commented on April 2nd 20 at 17:05
@Abagail_Bergstrom, no, really, there is nothing to compare. In Sehnde you can make a route like: all requests with method Options to send to a specific route.
And all - josefina_Glover commented on April 2nd 20 at 17:08
@josefina_Glover, for Yii that works too!
in ranting :

[
 'class' => 'yii\rest\UrlRule',
 'controller' => ['test', 'best'], // here all the controllers for which this should work
 'extraPatterns' => [
 // this thing will send all action options, it is already there in the parent ActiveController
 'OPTIONS <action:\w+>' => 'options'
],
 ],


voila! as I wrote above - "bad" is about the level of the framework ))) - Abagail_Bergstrom commented on April 2nd 20 at 17:11
@Abagail_Bergstrom, Yes, no, wait, this is not what I wrote) first, if you have, in principle, there is no such controller, and the method OPTIONS - need handling separately. Second, every time you add a new controller I need to remember that it is necessary to add in OPTIONS?
take a look at the routing Zend
'options_methods' => [
 'type' => Method::class,
 'options' => [
 'verb' => 'options',
 'route' => '*',
 'defaults' => [
 'controller' => OptionsController::class,
 'action' => 'options',
]
],
 ]

that's what I call "works". Any method options will go on my controller - josefina_Glover commented on April 2nd 20 at 17:14
@josefina_Glover,

1) what is It like ? If you don't have such a controller, where the options request is addressed to him ?
2) Here I agree. But , IMHO , the need to add the name of the controller in the array is not drawn to a mortal sin. All frameworks have the features of what will be done a little easier. something a little more complicated. - Abagail_Bergstrom commented on April 2nd 20 at 17:17
@Abagail_Bergstrom
when complex routing and paths do not correspond 1 to 1 with the locations of controllers
added in config
0SB0k64.png

not working
SJd1p4O.png

returned the crutch
EFusXrt.png

works
H2CnAbS.png
- josefina_Glover commented on April 2nd 20 at 17:20
But , IMHO , the need to add the name of the controller in the array is not drawn to a mortal sin

for a mortal sin to pull the idea of "if some extra action is fairly straightforward and it is necessary to do so often means you can score"), the Team grows. The project is growing. Lot of simple pieces that need to be done grows and becomes more complex. I'm afraid that in a few years the approach admits some strange actions will cause the team half the time not kodit and spends the time to perform simple actions so it all worked
Think how soon some Joon will realize that it is not added to your controllers this route, if a tester tests its API directly and said that all works? - josefina_Glover commented on April 2nd 20 at 17:23
@josefina_Glover, I think out of the box Yii allows you to quickly throw together a working prototype. Quick and easy. If things get complicated, you need to look in the direction of the Custom URL Rule class. I myself untill June , but I know the medium size projects in which a common back end for the muzzle of the website and rest api, and much more.And works flawlessly. I like the kinder, it was generally difficult to understand where that comes from. For half an hour crawling through the code. And the elders felt quite comfortable. Hated :) .Perhaps specialization Yii - small and medium-sized projects. Either initially, all must be designed-to be written by people with experience and brains. Then everything will not run into the shoals of the framework. - Abagail_Bergstrom commented on April 2nd 20 at 17:26
April 2nd 20 at 16:55
I see the config, it has all the necessary data. On its basis it is possible to write a few lines of code that will generate the desired headlines.

So as if in response comes the header Access-Control-Allow-Origin: http://localhost:8080then try to add it to the list of headers in the config. Personally, I was happy with it.
Access-Control-Allow-Origin is configured properly. In the config :

'Origin' => [
 'http://localhost:8080',


also , I wrote that
Default URLs are working properly
. Ie problem only occurs when you try to add your action, not the default. - Abagail_Bergstrom commented on April 2nd 20 at 16:58

Find more questions by tags CORSRESTful APIYii