#2941: Cors, accessControlAllowHeaders in option request (prepend pre… (

#2943) Co-authored-by: John A. De Goes <[email protected]>
zio · Aug 16, 2024 · 4f94eef · 4f94eef
1 parent 3d1ef0c
commit 4f94eef
Show file tree

Hide file tree

Showing 2 changed files with 67 additions and 1 deletion.
diff --git a/zio-http/jvm/src/test/scala/zio/http/internal/middlewares/CorsSpec.scala b/zio-http/jvm/src/test/scala/zio/http/internal/middlewares/CorsSpec.scala
@@ -35,7 +35,73 @@ object CorsSpec extends ZIOHttpSpec with HttpAppTestExtensions {
     Response(Status.InternalServerError, body = Body.fromString(cause.prettyPrint))
   } @@ cors(CorsConfig(allowedMethods = AccessControlAllowMethods(Method.GET)))
 
+  val appAllowAllHeaders = Routes(
+    Method.GET / "success" -> handler(Response.ok),
+  ).handleErrorCause { cause =>
+    Response(Status.InternalServerError, body = Body.fromString(cause.prettyPrint))
+  } @@ cors(
+    CorsConfig(
+      allowedOrigin = { case _ =>
+        Some(Header.AccessControlAllowOrigin.All)
+      },
+      allowedMethods = Header.AccessControlAllowMethods.All,
+      allowedHeaders = Header.AccessControlAllowHeaders.All,
+    ),
+  )
+
+  val appNoServerHeaders = Routes(
+    Method.GET / "success" -> handler(Response.ok),
+  ).handleErrorCause { cause =>
+    Response(Status.InternalServerError, body = Body.fromString(cause.prettyPrint))
+  } @@ cors(
+    CorsConfig(
+      allowedOrigin = { case _ =>
+        Some(Header.AccessControlAllowOrigin.All)
+      },
+      allowedMethods = Header.AccessControlAllowMethods.All,
+      allowedHeaders = Header.AccessControlAllowHeaders.None,
+    ),
+  )
+
   override def spec = suite("CorsSpec")(
+    test("OPTIONS request with allowAllHeaders server config") {
+      val request =
+        Request
+          .options(URL(Path.root / "success"))
+          .copy(
+            headers = Headers(
+              Header.Origin("http", "test-env"),
+              Header.AccessControlRequestMethod(Method.GET),
+            ),
+          )
+
+      for {
+        res <- appAllowAllHeaders.runZIO(request)
+      } yield assertTrue(
+        extractStatus(res) == Status.NoContent,
+        res.hasHeader(Header.AccessControlAllowCredentials.Allow),
+        res.hasHeader(Header.AccessControlAllowHeaders.All),
+      )
+    },
+    test("OPTIONS request with no headers allowed in server config") {
+      val request =
+        Request
+          .options(URL(Path.root / "success"))
+          .copy(
+            headers = Headers(
+              Header.Origin("http", "test-env"),
+              Header.AccessControlRequestMethod(Method.GET),
+            ),
+          )
+
+      for {
+        res <- appNoServerHeaders.runZIO(request)
+      } yield assertTrue(
+        extractStatus(res) == Status.NoContent,
+        res.hasHeader(Header.AccessControlAllowCredentials.Allow),
+        !res.hasHeader(Header.AccessControlAllowHeaders.All),
+      )
+    },
     test("OPTIONS request") {
       val request = Request
         .options(URL(Path.root / "success"))

diff --git a/zio-http/shared/src/main/scala/zio/http/Middleware.scala b/zio-http/shared/src/main/scala/zio/http/Middleware.scala
@@ -170,7 +170,7 @@ object Middleware extends HandlerAspects {
 
     new Middleware[Any] {
       def apply[Env1, Err](routes: Routes[Env1, Err]): Routes[Env1, Err] =
-        (routes @@ aspect) :+ optionsRoute
+        optionsRoute +: (routes @@ aspect)
     }
   }