测试分支-部署-优化跨域报错

app/common/middleware/AllowCrossDomain.php

@@ -21,46 +21,6 @@ class AllowCrossDomain implements MiddlewareInterface
         'Access-Control-Allow-Headers'     => '*',
     ];
 
-    /**
-     * 根据 Origin 与配置写入 Access-Control-Allow-Origin。
-     * 注意：* 与 Access-Control-Allow-Credentials:true 不能同时出现，故通配时去掉 Credentials。
-     */
-    private static function applyCorsOrigin(Request $request, array $header): array
-    {
-        $origin = $request->header('origin');
-        if (is_array($origin)) {
-            $origin = $origin[0] ?? '';
-        }
-        $origin = is_string($origin) ? trim($origin) : '';
-
-        $corsDomain = array_map('trim', explode(',', config('buildadmin.cors_request_domain', '')));
-        $corsDomain[] = $request->host(true);
-        $wildcard = in_array('*', $corsDomain);
-
-        if ($origin !== '') {
-            $info = parse_url($origin);
-            $host = '';
-            if (is_array($info)) {
-                $host = $info['host'] ?? '';
-            }
-            $allowed = $wildcard
-                || in_array($origin, $corsDomain)
-                || in_array($host, $corsDomain)
-                || ($host === 'localhost' || $host === '127.0.0.1');
-            if ($allowed) {
-                $header['Access-Control-Allow-Origin'] = $origin;
-            }
-            return $header;
-        }
-
-        if ($wildcard) {
-            $header['Access-Control-Allow-Origin'] = '*';
-            unset($header['Access-Control-Allow-Credentials']);
-        }
-
-        return $header;
-    }
-
     /**
      * 返回 CORS 预检（OPTIONS）响应，供路由直接调用（Webman 未匹配路由时不走中间件）
      */
@@ -72,7 +32,24 @@ class AllowCrossDomain implements MiddlewareInterface
             'Access-Control-Allow-Methods'      => 'GET, POST, PUT, DELETE, PATCH, OPTIONS',
             'Access-Control-Allow-Headers'      => 'Content-Type, Authorization, batoken, ba-user-token, think-lang',
         ];
-        $header = self::applyCorsOrigin($request, $header);
+        $origin = $request->header('origin');
+        if (is_array($origin)) {
+            $origin = $origin[0] ?? '';
+        }
+        $origin = is_string($origin) ? trim($origin) : '';
+        if ($origin !== '') {
+            $info = parse_url($origin);
+            $host = $info['host'] ?? '';
+            $corsDomain = array_map('trim', explode(',', config('buildadmin.cors_request_domain', '')));
+            $corsDomain[] = $request->host(true);
+            $allowed = in_array('*', $corsDomain)
+                || in_array($origin, $corsDomain)
+                || in_array($host, $corsDomain)
+                || ($host === 'localhost' || $host === '127.0.0.1');
+            if ($allowed) {
+                $header['Access-Control-Allow-Origin'] = $origin;
+            }
+        }
         return response('', 204, $header);
     }
 
@@ -83,7 +60,29 @@ class AllowCrossDomain implements MiddlewareInterface
             return $handler($request);
         }
 
-        $header = self::applyCorsOrigin($request, $this->header);
+        $header = $this->header;
+
+        $origin = $request->header('origin');
+        if (is_array($origin)) {
+            $origin = $origin[0] ?? '';
+        }
+        $origin = is_string($origin) ? trim($origin) : '';
+
+        if ($origin !== '') {
+            $info = parse_url($origin);
+            $host = $info['host'] ?? '';
+            $corsDomain = array_map('trim', explode(',', config('buildadmin.cors_request_domain', '')));
+            $corsDomain[] = $request->host(true);
+
+            $allowed = in_array('*', $corsDomain)
+                || in_array($origin, $corsDomain)
+                || in_array($host, $corsDomain)
+                || ($host === 'localhost' || $host === '127.0.0.1');
+
+            if ($allowed) {
+                $header['Access-Control-Allow-Origin'] = $origin;
+            }
+        }
 
         if ($request->method() === 'OPTIONS') {
             return response('', 204, $header);