CORS and AUTH behaviors causing conflict.

I am building an API in Yii2 and have added CORS and authentication. This works fine for all Create/Read/Update/Delete actions but not for custom actions. Has anyone experienced this before?


['class' => 'yii\rest\UrlRule', 'controller' => 'api/v1/user', 'pluralize' => false],

Controller Behaviors: Class extends ActiveController

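public function behaviors()
{
    // Uses yii\helpers\ArrayHelper, yii\filters\Cors and yii\filters\auth\HttpBearerAuth
    return ArrayHelper::merge([
            'corsFilter' => [
                'class' => Cors::className(),
            ],
            [
                'class' => HttpBearerAuth::className(),
                'except' => ['options'],
            ],
        ], parent::behaviors()
    );
}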



As mentioned, actions for CRUD are fine but a custom action such as will respond with a 401 Unauthorised response.

Is it not possible to get CORS and auth to work together on custom actions?

I should add that the issue (401) occurs only when a browser makes the OPTIONS request. Normal requests (curl, Postman) are not affected. The issue seems to occur with the RESTful, Cors, Auth combination.

Edit: I have confirmed that the corsFilter is the first behavior in the behavior array. From what I understand the Cors filter should return the headers to the client and then exit before the auth filter is invoked.

Not sure, but maybe look at adding TEST to ‘Access-Control-Allow-Methods: GET,POST,PUT,DELETE’;

It’s just a GET request to the action actionTest() so it doesn’t need changing.
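
A plain-PHP model of the situation described in the question, added here as an example; it is not code from the thread or from Yii2. It assumes the CORS filter sets its header without ending the request and that the preflight for the custom action is routed to action ID `test`; the function names, origin and token are constructed for illustration.

```php
<?php
// Added example: plain-PHP model of the behavior chain, not Yii2 framework code.
const ALLOWED_ORIGIN = 'https://app.example';    // constructed sample origin

/** CORS filter model: adds the header and lets the chain continue (assumption). */
function corsFilter(array $req, array &$res): bool
{
    if (($req['headers']['Origin'] ?? '') === ALLOWED_ORIGIN) {
        $res['headers']['Access-Control-Allow-Origin'] = ALLOWED_ORIGIN;
    }
    return true;
}

/** Auth filter model: 'except' is compared with the action ID, not the HTTP verb. */
function bearerAuth(array $req, array &$res, array $except): bool
{
    if (in_array($req['actionId'], $except, true)) {
        return true;                    // filter skipped for this action
    }
    if (!isset($req['headers']['Authorization'])) {
        $res['status'] = 401;           // a preflight never carries credentials
        return false;
    }
    return true;
}

/** Runs both filters in the order used in the question and returns the response. */
function dispatch(array $req, array $except): array
{
    $res = ['status' => 200, 'headers' => []];
    corsFilter($req, $res) && bearerAuth($req, $res, $except);
    return $res;
}

/** A browser accepts a preflight only if it is 2xx and carries the CORS header. */
function preflightPasses(array $res): bool
{
    return $res['status'] >= 200 && $res['status'] < 300
        && isset($res['headers']['Access-Control-Allow-Origin']);
}

$except = ['options'];                  // as in the controller in the question
$origin = ['Origin' => ALLOWED_ORIGIN];
// Constructed requests: 'actionId' is the action the router selected.
$cases = [
    'GET with token -> test' => ['actionId' => 'test', 'headers' => $origin + ['Authorization' => 'Bearer sample']],
    'OPTIONS -> test'        => ['actionId' => 'test', 'headers' => $origin],
    'OPTIONS -> options'     => ['actionId' => 'options', 'headers' => $origin],
];
foreach ($cases as $label => $req) {
    $res = dispatch($req, $except);
    printf("%-24s status=%d browser-ok=%s\n", $label, $res['status'], preflightPasses($res) ? 'yes' : 'no');
}
```

In this model the CORS header is present on all three responses, but the preflight is only accepted when the router hands it to the action ID that the `except` list names.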