Laravel and CORS with barryvdh/laravel-cors -

i'm having odd problem cors in laravel i've struggled on day now. it's different other posts i've seen laravel-cors package such one: laravel angularjs cors using barryvdh/laravel-cors

i've setup package according instructions, , other addition laravel i've made package jwt.

what happening cors working in post requests. can use postman hit authenticate route , looks good, try request no cors headers being sent. i've tried moving different controllers 'unprotected' routes remove possibility jwt interfering doesn't change anything.

here routes.php:

<?php  // unprotected routes route::group(['prefix' => 'api/v1', 'middleware' => 'cors'], function () {   route::post('authenticate', 'authenticatecontroller@authenticate');   route::resource('trips', 'tripcontroller'); // moved unprotected test cors });  // protected routes route::group(['prefix' => 'api/v1', 'middleware' => ['cors', 'jwt.auth']], function () {   route::get('authenticate/user', 'authenticatecontroller@getauthenticateduser');   route::resource('airports', 'airportcontroller');  }); 

and cors.php:

<?php return [     /*      |--------------------------------------------------------------------------      | laravel cors      |--------------------------------------------------------------------------      |      | allowedorigins, allowedheaders , allowedmethods can set array('*')      | accept value, allowed methods have explicitly listed.      |      */     'supportscredentials' => true,     'allowedorigins' => ['*'],     'allowedheaders' => ['*'],     'allowedmethods' => ['get', 'post', 'put', 'options',  'delete'],     'exposedheaders' => [],     'maxage' => 0,     'hosts' => [], ]; 

and 1 of controllers:

<?php  namespace app\http\controllers;  use illuminate\http\request; use jwtauth; use tymon\jwtauth\exceptions\jwtexception;  class authenticatecontroller extends controller {     public function authenticate(request $request)     {         $credentials = $request->only('email', 'password');          try {             // verify credentials , create token user             if (!$token = jwtauth::attempt($credentials)) {                 return response()->json(['error' => 'invalid_credentials'], 401);             }         } catch (jwtexception $e) {             // went wrong             return response()->json(['error' => 'could_not_create_token'], 500);         }          // if no errors encountered can return jwt         return response()->json(compact('token'));     }      public function getauthenticateduser()     {         try {             if (!$user = jwtauth::parsetoken()->authenticate()) {                 return response()->json(['user_not_found'], 404);             }         } catch (tymon\jwtauth\exceptions\tokenexpiredexception $e) {             return response()->json(['token_expired'], $e->getstatuscode());         } catch (tymon\jwtauth\exceptions\tokeninvalidexception $e) {             return response()->json(['token_invalid'], $e->getstatuscode());         } catch (tymon\jwtauth\exceptions\jwtexception $e) {             return response()->json(['token_absent'], $e->getstatuscode());         }          // token valid , have found user via sub claim         return response()->json(compact('user'));     } } 

exclude route group csrf protection. app/http/middleware/verifycsrftoken.php

class verifycsrftoken extends baseverifier {     /**      * uris should excluded csrf verification.      *      * @var array      */     protected $except = [         'api/v1/*'     ]; } 

;)