pax_global_header00006660000000000000000000000064151344330020014505gustar00rootroot0000000000000052 comment=f00a8c1f0af727ffe5ed35f3b2d0b1a7eb4b65bb expressjs-cors-f00a8c1/000077500000000000000000000000001513443300200151035ustar00rootroot00000000000000expressjs-cors-f00a8c1/.eslintrc.yml000066400000000000000000000002241513443300200175250ustar00rootroot00000000000000root: true env: node: true rules: indent: ["error", 2, { "SwitchCase": 1 }] quotes: ["error", "single"] space-in-parens: ["error", "never"] expressjs-cors-f00a8c1/.github/000077500000000000000000000000001513443300200164435ustar00rootroot00000000000000expressjs-cors-f00a8c1/.github/dependabot.yml000066400000000000000000000005041513443300200212720ustar00rootroot00000000000000version: 2 updates: - package-ecosystem: github-actions directory: / schedule: interval: monthly - package-ecosystem: npm directory: / schedule: interval: monthly open-pull-requests-limit: 10 ignore: - dependency-name: "*" update-types: ["version-update:semver-major"] expressjs-cors-f00a8c1/.github/workflows/000077500000000000000000000000001513443300200205005ustar00rootroot00000000000000expressjs-cors-f00a8c1/.github/workflows/ci.yml000066400000000000000000000127771513443300200216340ustar00rootroot00000000000000name: ci on: - pull_request - push permissions: contents: read jobs: test: permissions: checks: write # for coverallsapp/github-action to create new checks contents: read # for actions/checkout to fetch code runs-on: ubuntu-latest strategy: matrix: name: - Node.js 0.10 - Node.js 0.12 - io.js 1.x - io.js 2.x - io.js 3.x - Node.js 4.x - Node.js 5.x - Node.js 6.x - Node.js 7.x - Node.js 8.x - Node.js 9.x - Node.js 10.x - Node.js 11.x - Node.js 12.x - Node.js 13.x - Node.js 14.x - Node.js 15.x - Node.js 16.x - Node.js 17.x - Node.js 18.x - Node.js 19.x - Node.js 20.x - Node.js 21.x - Node.js 22.x - Node.js 23.x - Node.js 24.x - Node.js 25.x include: - name: Node.js 0.10 node-version: "0.10" npm-i: mocha@3.5.3 nyc@10.3.2 supertest@2.0.0 - name: Node.js 0.12 node-version: "0.12" npm-i: mocha@3.5.3 nyc@10.3.2 supertest@2.0.0 - name: io.js 1.x node-version: "1" npm-i: mocha@3.5.3 nyc@10.3.2 supertest@2.0.0 - name: io.js 2.x node-version: "2" npm-i: mocha@3.5.3 nyc@10.3.2 supertest@2.0.0 - name: io.js 3.x node-version: "3" npm-i: mocha@3.5.3 nyc@10.3.2 supertest@2.0.0 - name: Node.js 4.x node-version: "4" npm-i: mocha@5.2.0 nyc@11.9.0 supertest@3.4.2 - name: Node.js 5.x node-version: "5" npm-i: mocha@5.2.0 nyc@11.9.0 supertest@3.4.2 - name: Node.js 6.x node-version: "6" npm-i: mocha@6.2.2 nyc@14.1.1 - name: Node.js 7.x node-version: "7" npm-i: mocha@6.2.2 nyc@14.1.1 supertest@6.1.6 - name: Node.js 8.x node-version: "8" npm-i: mocha@7.2.0 nyc@14.1.1 - name: Node.js 9.x node-version: "9" npm-i: mocha@7.2.0 nyc@14.1.1 supertest@6.1.6 - name: Node.js 10.x node-version: "10" npm-i: mocha@8.3.2 - name: Node.js 11.x node-version: "11" npm-i: mocha@8.4.0 supertest@6.1.6 - name: Node.js 12.x node-version: "12" - name: Node.js 13.x node-version: "13" npm-i: mocha@9.2.2 supertest@6.1.6 - name: Node.js 14.x node-version: "14" - name: Node.js 15.x node-version: "15" npm-i: "supertest@6.1.6" - name: Node.js 16.x node-version: "16" - name: Node.js 17.x node-version: "17" - name: Node.js 18.x node-version: "18" - name: Node.js 19.x node-version: "19" - name: Node.js 20.x node-version: "20" - name: Node.js 21.x node-version: "21" - name: Node.js 22.x node-version: "22" - name: Node.js 23.x node-version: "23" - name: Node.js 24.x node-version: "24" - name: Node.js 25.x node-version: "25" steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Install Node.js ${{ matrix.node-version }} shell: bash -eo pipefail -l {0} run: | nvm install --default ${{ matrix.node-version }} dirname "$(nvm which ${{ matrix.node-version }})" >> "$GITHUB_PATH" - name: Configure npm run: | if [[ "$(npm config get package-lock)" == "true" ]]; then npm config set package-lock false else npm config set shrinkwrap false fi - name: Install npm module(s) ${{ matrix.npm-i }} run: npm install --save-dev ${{ matrix.npm-i }} if: matrix.npm-i != '' - name: Setup Node.js version-specific dependencies shell: bash run: | # eslint for linting # - remove on Node.js < 10 if [[ "$(cut -d. -f1 <<< "${{ matrix.node-version }}")" -lt 10 ]]; then node -pe 'Object.keys(require("./package").devDependencies).join("\n")' | \ grep -E '^eslint(-|$)' | \ sort -r | \ xargs -n1 npm rm --silent --save-dev fi - name: Install Node.js dependencies run: npm install - name: List environment id: list_env shell: bash run: | echo "node@$(node -v)" echo "npm@$(npm -v)" npm -s ls ||: (npm -s ls --depth=0 ||:) | awk -F'[ @]' 'NR>1 && $2 { print "::set-output name=" $2 "::" $3 }' - name: Run tests shell: bash run: | if npm -ps ls nyc | grep -q nyc; then npm run test-ci else npm test fi - name: Lint code if: steps.list_env.outputs.eslint != '' run: npm run lint - name: Collect code coverage uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # master if: steps.list_env.outputs.nyc != '' with: github-token: ${{ secrets.GITHUB_TOKEN }} flag-name: run-${{ matrix.test_number }} parallel: true coverage: permissions: checks: write # for coverallsapp/github-action to create new checks needs: test runs-on: ubuntu-latest steps: - name: Upload code coverage uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # master with: github-token: ${{ secrets.github_token }} parallel-finished: true expressjs-cors-f00a8c1/.github/workflows/codeql.yml000066400000000000000000000046441513443300200225020ustar00rootroot00000000000000# For most projects, this workflow file will not need changing; you simply need # to commit it to your repository. # # You may wish to alter this file to override the set of languages analyzed, # or to provide custom queries or build logic. # # ******** NOTE ******** # We have attempted to detect the languages in your repository. Please check # the `language` matrix defined below to confirm you have the correct set of # supported CodeQL languages. # name: "CodeQL" on: push: branches: ["master"] pull_request: # The branches below must be a subset of the branches above branches: ["master"] schedule: - cron: "0 0 * * 1" permissions: contents: read jobs: analyze: name: Analyze runs-on: ubuntu-latest permissions: actions: read contents: read security-events: write steps: - name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL uses: github/codeql-action/init@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2 with: languages: javascript # If you wish to specify custom queries, you can do so here or in a config file. # By default, queries listed here will override any specified in a config file. # Prefix the list here with "+" to use these queries and those in the config file. # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) # - name: Autobuild # uses: github/codeql-action/autobuild@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7 # ℹ️ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun # If the Autobuild fails above, remove it and uncomment the following three lines. # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. # - run: | # echo "Run, Build Application using script" # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2 with: category: "/language:javascript"expressjs-cors-f00a8c1/.github/workflows/scorecard.yml000066400000000000000000000056451513443300200232020ustar00rootroot00000000000000# This workflow uses actions that are not certified by GitHub. They are provided # by a third-party and are governed by separate terms of service, privacy # policy, and support documentation. name: Scorecard supply-chain security on: # For Branch-Protection check. Only the default branch is supported. See # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection branch_protection_rule: # To guarantee Maintained check is occasionally updated. See # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained schedule: - cron: '16 21 * * 1' push: branches: [ "master" ] # Declare default permissions as read only. permissions: read-all jobs: analysis: name: Scorecard analysis runs-on: ubuntu-latest permissions: # Needed to upload the results to code-scanning dashboard. security-events: write # Needed to publish results and get a badge (see publish_results below). id-token: write # Uncomment the permissions below if installing in a private repository. # contents: read # actions: read steps: - name: "Checkout code" uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - name: "Run analysis" uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2 with: results_file: results.sarif results_format: sarif # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: # - you want to enable the Branch-Protection check on a *public* repository, or # - you are installing Scorecard on a *private* repository # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. # repo_token: ${{ secrets.SCORECARD_TOKEN }} # Public repositories: # - Publish results to OpenSSF REST API for easy access by consumers # - Allows the repository to include the Scorecard badge. # - See https://github.com/ossf/scorecard-action#publishing-results. # For private repositories: # - `publish_results` will always be set to `false`, regardless # of the value entered here. publish_results: true # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: SARIF file path: results.sarif retention-days: 5 # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2 with: sarif_file: results.sarifexpressjs-cors-f00a8c1/.gitignore000066400000000000000000000001051513443300200170670ustar00rootroot00000000000000.nyc_output/ coverage/ node_modules/ npm-debug.log package-lock.json expressjs-cors-f00a8c1/HISTORY.md000066400000000000000000000024411513443300200165670ustar00rootroot000000000000002.8.6 / 2026-01-22 ================== * Improve documentation (API, context, examples...) * Remove additional markdown files from tarball 2.8.5 / 2018-11-04 ================== * Fix setting `maxAge` option to `0` 2.8.4 / 2017-07-12 ================== * Work-around Safari bug in default pre-flight response 2.8.3 / 2017-03-29 ================== * Fix error when options delegate missing `methods` option 2.8.2 / 2017-03-28 ================== * Fix error when frozen options are passed * Send "Vary: Origin" when using regular expressions * Send "Vary: Access-Control-Request-Headers" when dynamic `allowedHeaders` 2.8.1 / 2016-09-08 ================== This release only changed documentation. 2.8.0 / 2016-08-23 ================== * Add `optionsSuccessStatus` option 2.7.2 / 2016-08-23 ================== * Fix error when Node.js running in strict mode 2.7.1 / 2015-05-28 ================== * Move module into expressjs organization 2.7.0 / 2015-05-28 ================== * Allow array of matching condition as `origin` option * Allow regular expression as `origin` option 2.6.1 / 2015-05-28 ================== * Update `license` in package.json 2.6.0 / 2015-04-27 ================== * Add `preflightContinue` option * Fix "Vary: Origin" header added for "*" expressjs-cors-f00a8c1/LICENSE000066400000000000000000000021071513443300200161100ustar00rootroot00000000000000(The MIT License) Copyright (c) 2013 Troy Goode Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the 'Software'), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. expressjs-cors-f00a8c1/README.md000066400000000000000000000261241513443300200163670ustar00rootroot00000000000000# cors [![NPM Version][npm-image]][npm-url] [![NPM Downloads][downloads-image]][downloads-url] [![Build Status][github-actions-ci-image]][github-actions-ci-url] [![Test Coverage][coveralls-image]][coveralls-url] CORS is a [Node.js](https://nodejs.org/en/) middleware for [Express](https://expressjs.com/)/[Connect](https://github.com/senchalabs/connect) that sets [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS) response headers. These headers tell browsers which origins can read responses from your server. > [!IMPORTANT] > **How CORS Works:** This package sets response headers—it doesn't block requests. CORS is enforced by browsers: they check the headers and decide if JavaScript can read the response. Non-browser clients (curl, Postman, other servers) ignore CORS entirely. See the [MDN CORS guide](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS) for details. * [Installation](#installation) * [Usage](#usage) * [Simple Usage](#simple-usage-enable-all-cors-requests) * [Enable CORS for a Single Route](#enable-cors-for-a-single-route) * [Configuring CORS](#configuring-cors) * [Configuring CORS w/ Dynamic Origin](#configuring-cors-w-dynamic-origin) * [Enabling CORS Pre-Flight](#enabling-cors-pre-flight) * [Customizing CORS Settings Dynamically per Request](#customizing-cors-settings-dynamically-per-request) * [Configuration Options](#configuration-options) * [Common Misconceptions](#common-misconceptions) * [License](#license) * [Original Author](#original-author) ## Installation This is a [Node.js](https://nodejs.org/en/) module available through the [npm registry](https://www.npmjs.com/). Installation is done using the [`npm install` command](https://docs.npmjs.com/downloading-and-installing-packages-locally): ```sh $ npm install cors ``` ## Usage ### Simple Usage (Enable *All* CORS Requests) ```javascript var express = require('express') var cors = require('cors') var app = express() // Adds headers: Access-Control-Allow-Origin: * app.use(cors()) app.get('/products/:id', function (req, res, next) { res.json({msg: 'Hello'}) }) app.listen(80, function () { console.log('web server listening on port 80') }) ``` ### Enable CORS for a Single Route ```javascript var express = require('express') var cors = require('cors') var app = express() // Adds headers: Access-Control-Allow-Origin: * app.get('/products/:id', cors(), function (req, res, next) { res.json({msg: 'Hello'}) }) app.listen(80, function () { console.log('web server listening on port 80') }) ``` ### Configuring CORS See the [configuration options](#configuration-options) for details. ```javascript var express = require('express') var cors = require('cors') var app = express() var corsOptions = { origin: 'http://example.com', optionsSuccessStatus: 200 // some legacy browsers (IE11, various SmartTVs) choke on 204 } // Adds headers: Access-Control-Allow-Origin: http://example.com, Vary: Origin app.get('/products/:id', cors(corsOptions), function (req, res, next) { res.json({msg: 'Hello'}) }) app.listen(80, function () { console.log('web server listening on port 80') }) ``` ### Configuring CORS w/ Dynamic Origin This module supports validating the origin dynamically using a function provided to the `origin` option. This function will be passed a string that is the origin (or `undefined` if the request has no origin), and a `callback` with the signature `callback(error, origin)`. The `origin` argument to the callback can be any value allowed for the `origin` option of the middleware, except a function. See the [configuration options](#configuration-options) section for more information on all the possible value types. This function is designed to allow the dynamic loading of allowed origin(s) from a backing datasource, like a database. ```javascript var express = require('express') var cors = require('cors') var app = express() var corsOptions = { origin: function (origin, callback) { // db.loadOrigins is an example call to load // a list of origins from a backing database db.loadOrigins(function (error, origins) { callback(error, origins) }) } } // Adds headers: Access-Control-Allow-Origin: , Vary: Origin app.get('/products/:id', cors(corsOptions), function (req, res, next) { res.json({msg: 'Hello'}) }) app.listen(80, function () { console.log('web server listening on port 80') }) ``` ### Enabling CORS Pre-Flight Certain CORS requests are considered 'complex' and require an initial `OPTIONS` request (called the "pre-flight request"). An example of a 'complex' CORS request is one that uses an HTTP verb other than GET/HEAD/POST (such as DELETE) or that uses custom headers. To enable pre-flighting, you must add a new OPTIONS handler for the route you want to support: ```javascript var express = require('express') var cors = require('cors') var app = express() app.options('/products/:id', cors()) // preflight for DELETE app.del('/products/:id', cors(), function (req, res, next) { res.json({msg: 'Hello'}) }) app.listen(80, function () { console.log('web server listening on port 80') }) ``` You can also enable pre-flight across-the-board like so: ```javascript app.options('*', cors()) // include before other routes ``` NOTE: When using this middleware as an application level middleware (for example, `app.use(cors())`), pre-flight requests are already handled for all routes. ### Customizing CORS Settings Dynamically per Request For APIs that require different CORS configurations for specific routes or requests, you can dynamically generate CORS options based on the incoming request. The `cors` middleware allows you to achieve this by passing a function instead of static options. This function is called for each incoming request and must use the callback pattern to return the appropriate CORS options. The function accepts: 1. **`req`**: - The incoming request object. 2. **`callback(error, corsOptions)`**: - A function used to return the computed CORS options. - **Arguments**: - **`error`**: Pass `null` if there’s no error, or an error object to indicate a failure. - **`corsOptions`**: An object specifying the CORS policy for the current request. Here’s an example that handles both public routes and restricted, credential-sensitive routes: ```javascript var dynamicCorsOptions = function(req, callback) { var corsOptions; if (req.path.startsWith('/auth/connect/')) { // Access-Control-Allow-Origin: http://mydomain.com, Access-Control-Allow-Credentials: true, Vary: Origin corsOptions = { origin: 'http://mydomain.com', credentials: true }; } else { // Access-Control-Allow-Origin: * corsOptions = { origin: '*' }; } callback(null, corsOptions); }; app.use(cors(dynamicCorsOptions)); app.get('/auth/connect/twitter', function (req, res) { res.send('Hello'); }); app.get('/public', function (req, res) { res.send('Hello'); }); app.listen(80, function () { console.log('web server listening on port 80') }) ``` ## Configuration Options * `origin`: Configures the **Access-Control-Allow-Origin** CORS header. Possible values: - `Boolean` - set `origin` to `true` to reflect the [request origin](https://datatracker.ietf.org/doc/html/draft-abarth-origin-09), as defined by `req.header('Origin')`, or set it to `false` to disable CORS. - `String` - set `origin` to a specific origin. For example, if you set it to - `"http://example.com"` only requests from "http://example.com" will be allowed. - `"*"` for all domains to be allowed. - `RegExp` - set `origin` to a regular expression pattern which will be used to test the request origin. If it's a match, the request origin will be reflected. For example the pattern `/example\.com$/` will reflect any request that is coming from an origin ending with "example.com". - `Array` - set `origin` to an array of valid origins. Each origin can be a `String` or a `RegExp`. For example `["http://example1.com", /\.example2\.com$/]` will accept any request from "http://example1.com" or from a subdomain of "example2.com". - `Function` - set `origin` to a function implementing some custom logic. The function takes the request origin as the first parameter and a callback (called as `callback(err, origin)`, where `origin` is a non-function value of the `origin` option) as the second. * `methods`: Configures the **Access-Control-Allow-Methods** CORS header. Expects a comma-delimited string (ex: 'GET,PUT,POST') or an array (ex: `['GET', 'PUT', 'POST']`). * `allowedHeaders`: Configures the **Access-Control-Allow-Headers** CORS header. Expects a comma-delimited string (ex: 'Content-Type,Authorization') or an array (ex: `['Content-Type', 'Authorization']`). If not specified, defaults to reflecting the headers specified in the request's **Access-Control-Request-Headers** header. * `exposedHeaders`: Configures the **Access-Control-Expose-Headers** CORS header. Expects a comma-delimited string (ex: 'Content-Range,X-Content-Range') or an array (ex: `['Content-Range', 'X-Content-Range']`). If not specified, no custom headers are exposed. * `credentials`: Configures the **Access-Control-Allow-Credentials** CORS header. Set to `true` to pass the header, otherwise it is omitted. * `maxAge`: Configures the **Access-Control-Max-Age** CORS header. Set to an integer to pass the header, otherwise it is omitted. * `preflightContinue`: Pass the CORS preflight response to the next handler. * `optionsSuccessStatus`: Provides a status code to use for successful `OPTIONS` requests, since some legacy browsers (IE11, various SmartTVs) choke on `204`. The default configuration is the equivalent of: ```json { "origin": "*", "methods": "GET,HEAD,PUT,PATCH,POST,DELETE", "preflightContinue": false, "optionsSuccessStatus": 204 } ``` ## Common Misconceptions ### "CORS blocks requests from disallowed origins" **No.** Your server receives and processes every request. CORS headers tell the browser whether JavaScript can read the response—not whether the request is allowed. ### "CORS protects my API from unauthorized access" **No.** CORS is not access control. Any HTTP client (curl, Postman, another server) can call your API regardless of CORS settings. Use authentication and authorization to protect your API. ### "Setting `origin: 'http://example.com'` means only that domain can access my server" **No.** It means browsers will only let JavaScript from that origin read responses. The server still responds to all requests. ## License [MIT License](http://www.opensource.org/licenses/mit-license.php) ## Original Author [Troy Goode](https://github.com/TroyGoode) ([troygoode@gmail.com](mailto:troygoode@gmail.com)) [coveralls-image]: https://img.shields.io/coveralls/expressjs/cors/master.svg [coveralls-url]: https://coveralls.io/r/expressjs/cors?branch=master [downloads-image]: https://img.shields.io/npm/dm/cors.svg [downloads-url]: https://npmjs.com/package/cors [github-actions-ci-image]: https://img.shields.io/github/actions/workflow/status/expressjs/cors/ci.yml?branch=master&label=ci [github-actions-ci-url]: https://github.com/expressjs/cors?query=workflow%3Aci [npm-image]: https://img.shields.io/npm/v/cors.svg [npm-url]: https://npmjs.com/package/cors expressjs-cors-f00a8c1/lib/000077500000000000000000000000001513443300200156515ustar00rootroot00000000000000expressjs-cors-f00a8c1/lib/index.js000066400000000000000000000146731513443300200173310ustar00rootroot00000000000000(function () { 'use strict'; var assign = require('object-assign'); var vary = require('vary'); var defaults = { origin: '*', methods: 'GET,HEAD,PUT,PATCH,POST,DELETE', preflightContinue: false, optionsSuccessStatus: 204 }; function isString(s) { return typeof s === 'string' || s instanceof String; } function isOriginAllowed(origin, allowedOrigin) { if (Array.isArray(allowedOrigin)) { for (var i = 0; i < allowedOrigin.length; ++i) { if (isOriginAllowed(origin, allowedOrigin[i])) { return true; } } return false; } else if (isString(allowedOrigin)) { return origin === allowedOrigin; } else if (allowedOrigin instanceof RegExp) { return allowedOrigin.test(origin); } else { return !!allowedOrigin; } } function configureOrigin(options, req) { var requestOrigin = req.headers.origin, headers = [], isAllowed; if (!options.origin || options.origin === '*') { // allow any origin headers.push([{ key: 'Access-Control-Allow-Origin', value: '*' }]); } else if (isString(options.origin)) { // fixed origin headers.push([{ key: 'Access-Control-Allow-Origin', value: options.origin }]); headers.push([{ key: 'Vary', value: 'Origin' }]); } else { isAllowed = isOriginAllowed(requestOrigin, options.origin); // reflect origin headers.push([{ key: 'Access-Control-Allow-Origin', value: isAllowed ? requestOrigin : false }]); headers.push([{ key: 'Vary', value: 'Origin' }]); } return headers; } function configureMethods(options) { var methods = options.methods; if (methods.join) { methods = options.methods.join(','); // .methods is an array, so turn it into a string } return { key: 'Access-Control-Allow-Methods', value: methods }; } function configureCredentials(options) { if (options.credentials === true) { return { key: 'Access-Control-Allow-Credentials', value: 'true' }; } return null; } function configureAllowedHeaders(options, req) { var allowedHeaders = options.allowedHeaders || options.headers; var headers = []; if (!allowedHeaders) { allowedHeaders = req.headers['access-control-request-headers']; // .headers wasn't specified, so reflect the request headers headers.push([{ key: 'Vary', value: 'Access-Control-Request-Headers' }]); } else if (allowedHeaders.join) { allowedHeaders = allowedHeaders.join(','); // .headers is an array, so turn it into a string } if (allowedHeaders && allowedHeaders.length) { headers.push([{ key: 'Access-Control-Allow-Headers', value: allowedHeaders }]); } return headers; } function configureExposedHeaders(options) { var headers = options.exposedHeaders; if (!headers) { return null; } else if (headers.join) { headers = headers.join(','); // .headers is an array, so turn it into a string } if (headers && headers.length) { return { key: 'Access-Control-Expose-Headers', value: headers }; } return null; } function configureMaxAge(options) { var maxAge = (typeof options.maxAge === 'number' || options.maxAge) && options.maxAge.toString() if (maxAge && maxAge.length) { return { key: 'Access-Control-Max-Age', value: maxAge }; } return null; } function applyHeaders(headers, res) { for (var i = 0, n = headers.length; i < n; i++) { var header = headers[i]; if (header) { if (Array.isArray(header)) { applyHeaders(header, res); } else if (header.key === 'Vary' && header.value) { vary(res, header.value); } else if (header.value) { res.setHeader(header.key, header.value); } } } } function cors(options, req, res, next) { var headers = [], method = req.method && req.method.toUpperCase && req.method.toUpperCase(); if (method === 'OPTIONS') { // preflight headers.push(configureOrigin(options, req)); headers.push(configureCredentials(options)) headers.push(configureMethods(options)) headers.push(configureAllowedHeaders(options, req)); headers.push(configureMaxAge(options)) headers.push(configureExposedHeaders(options)) applyHeaders(headers, res); if (options.preflightContinue) { next(); } else { // Safari (and potentially other browsers) need content-length 0, // for 204 or they just hang waiting for a body res.statusCode = options.optionsSuccessStatus; res.setHeader('Content-Length', '0'); res.end(); } } else { // actual response headers.push(configureOrigin(options, req)); headers.push(configureCredentials(options)) headers.push(configureExposedHeaders(options)) applyHeaders(headers, res); next(); } } function middlewareWrapper(o) { // if options are static (either via defaults or custom options passed in), wrap in a function var optionsCallback = null; if (typeof o === 'function') { optionsCallback = o; } else { optionsCallback = function (req, cb) { cb(null, o); }; } return function corsMiddleware(req, res, next) { optionsCallback(req, function (err, options) { if (err) { next(err); } else { var corsOptions = assign({}, defaults, options); var originCallback = null; if (corsOptions.origin && typeof corsOptions.origin === 'function') { originCallback = corsOptions.origin; } else if (corsOptions.origin) { originCallback = function (origin, cb) { cb(null, corsOptions.origin); }; } if (originCallback) { originCallback(req.headers.origin, function (err2, origin) { if (err2 || !origin) { next(err2); } else { corsOptions.origin = origin; cors(corsOptions, req, res, next); } }); } else { next(); } } }); }; } // can pass either an options hash, an options delegate, or nothing module.exports = middlewareWrapper; }()); expressjs-cors-f00a8c1/package.json000066400000000000000000000016361513443300200173770ustar00rootroot00000000000000{ "name": "cors", "description": "Node.js CORS middleware", "version": "2.8.6", "author": "Troy Goode (https://github.com/troygoode/)", "license": "MIT", "keywords": [ "cors", "express", "connect", "middleware" ], "repository": "expressjs/cors", "funding": { "type": "opencollective", "url": "https://opencollective.com/express" }, "main": "./lib/index.js", "dependencies": { "object-assign": "^4", "vary": "^1" }, "devDependencies": { "after": "0.8.2", "eslint": "7.30.0", "express": "4.21.2", "mocha": "9.2.2", "nyc": "15.1.0", "supertest": "6.1.3" }, "files": [ "lib/index.js" ], "engines": { "node": ">= 0.10" }, "scripts": { "test": "npm run lint && npm run test-ci", "test-ci": "nyc --reporter=lcov --reporter=text mocha --require test/support/env", "lint": "eslint lib test" } } expressjs-cors-f00a8c1/test/000077500000000000000000000000001513443300200160625ustar00rootroot00000000000000expressjs-cors-f00a8c1/test/.eslintrc.yml000066400000000000000000000000231513443300200205010ustar00rootroot00000000000000env: mocha: true expressjs-cors-f00a8c1/test/error-response.js000066400000000000000000000026511513443300200214110ustar00rootroot00000000000000(function () { 'use strict'; var express = require('express'), supertest = require('supertest'), cors = require('../lib'); var app; /* -------------------------------------------------------------------------- */ app = express(); app.use(cors()); app.post('/five-hundred', function (req, res, next) { next(new Error('nope')); }); app.post('/four-oh-one', function (req, res, next) { next(new Error('401')); }); app.post('/four-oh-four', function (req, res, next) { next(); }); app.use(function (err, req, res, next) { if (err.message === '401') { res.status(401).send('unauthorized'); } else { next(err); } }); /* -------------------------------------------------------------------------- */ describe('error response', function () { it('500', function (done) { supertest(app) .post('/five-hundred') .expect(500) .expect('Access-Control-Allow-Origin', '*') .expect(/Error: nope/) .end(done) }); it('401', function (done) { supertest(app) .post('/four-oh-one') .expect(401) .expect('Access-Control-Allow-Origin', '*') .expect('unauthorized') .end(done) }); it('404', function (done) { supertest(app) .post('/four-oh-four') .expect(404) .expect('Access-Control-Allow-Origin', '*') .end(done) }); }); }()); expressjs-cors-f00a8c1/test/example-app.js000066400000000000000000000041721513443300200206350ustar00rootroot00000000000000(function () { 'use strict'; var express = require('express'), supertest = require('supertest'), cors = require('../lib'); var simpleApp, complexApp; /* -------------------------------------------------------------------------- */ simpleApp = express(); simpleApp.head('/', cors(), function (req, res) { res.status(204).send(); }); simpleApp.get('/', cors(), function (req, res) { res.send('Hello World (Get)'); }); simpleApp.post('/', cors(), function (req, res) { res.send('Hello World (Post)'); }); /* -------------------------------------------------------------------------- */ complexApp = express(); complexApp.options('/', cors()); complexApp.delete('/', cors(), function (req, res) { res.send('Hello World (Delete)'); }); /* -------------------------------------------------------------------------- */ describe('example app(s)', function () { describe('simple methods', function () { it('GET works', function (done) { supertest(simpleApp) .get('/') .expect(200) .expect('Access-Control-Allow-Origin', '*') .expect('Hello World (Get)') .end(done) }); it('HEAD works', function (done) { supertest(simpleApp) .head('/') .expect(204) .expect('Access-Control-Allow-Origin', '*') .end(done) }); it('POST works', function (done) { supertest(simpleApp) .post('/') .expect(200) .expect('Access-Control-Allow-Origin', '*') .expect('Hello World (Post)') .end(done) }); }); describe('complex methods', function () { it('OPTIONS works', function (done) { supertest(complexApp) .options('/') .expect(204) .expect('Access-Control-Allow-Origin', '*') .end(done) }); it('DELETE works', function (done) { supertest(complexApp) .del('/') .expect(200) .expect('Access-Control-Allow-Origin', '*') .expect('Hello World (Delete)') .end(done) }); }); }); }()); expressjs-cors-f00a8c1/test/issue-2.js000066400000000000000000000022401513443300200177050ustar00rootroot00000000000000(function () { 'use strict'; var express = require('express'), supertest = require('supertest'), cors = require('../lib'); var app, corsOptions; /* -------------------------------------------------------------------------- */ app = express(); corsOptions = { origin: true, methods: ['POST'], credentials: true, maxAge: 3600 }; app.options('/api/login', cors(corsOptions)); app.post('/api/login', cors(corsOptions), function (req, res) { res.send('LOGIN'); }); /* -------------------------------------------------------------------------- */ describe('issue #2', function () { it('OPTIONS works', function (done) { supertest(app) .options('/api/login') .set('Origin', 'http://example.com') .expect(204) .expect('Access-Control-Allow-Origin', 'http://example.com') .end(done) }); it('POST works', function (done) { supertest(app) .post('/api/login') .set('Origin', 'http://example.com') .expect(200) .expect('Access-Control-Allow-Origin', 'http://example.com') .expect('LOGIN') .end(done) }); }); }()); expressjs-cors-f00a8c1/test/support/000077500000000000000000000000001513443300200175765ustar00rootroot00000000000000expressjs-cors-f00a8c1/test/support/env.js000066400000000000000000000000401513443300200207160ustar00rootroot00000000000000 process.env.NODE_ENV = 'test'; expressjs-cors-f00a8c1/test/test.js000066400000000000000000000526041513443300200174060ustar00rootroot00000000000000'use strict' var EventEmitter = require('events').EventEmitter var util = require('util') ;(function () { 'use strict'; var after = require('after') var assert = require('assert') var cors = require('..') var fakeRequest = function (method, headers) { return new FakeRequest(method, headers) } var fakeResponse = function () { return new FakeResponse() } describe('cors', function () { it('does not alter `options` configuration object', function () { var options = Object.freeze({ origin: 'custom-origin' }); assert.doesNotThrow(function () { cors(options); }) }); it('passes control to next middleware', function (done) { // arrange var req, res, next; req = fakeRequest('GET'); res = fakeResponse(); next = function () { done(); }; // act cors()(req, res, next); }); it('shortcircuits preflight requests', function (done) { var cb = after(1, done) var req = new FakeRequest('OPTIONS') var res = new FakeResponse() res.on('finish', function () { assert.equal(res.statusCode, 204) cb() }) cors()(req, res, function (err) { cb(err || new Error('should not be called')) }) }); it('can configure preflight success response status code', function (done) { var cb = after(1, done) var req = new FakeRequest('OPTIONS') var res = new FakeResponse() res.on('finish', function () { assert.equal(res.statusCode, 200) cb() }) // act cors({ optionsSuccessStatus: 200 })(req, res, function (err) { cb(err || new Error('should not be called')) }) }); it('doesn\'t shortcircuit preflight requests with preflightContinue option', function (done) { var cb = after(1, done) var req = new FakeRequest('OPTIONS') var res = new FakeResponse() res.on('finish', function () { cb(new Error('should not be called')) }) cors({ preflightContinue: true })(req, res, function (err) { if (err) return cb(err) setTimeout(cb, 10) }) }); it('normalizes method names', function (done) { var cb = after(1, done) var req = new FakeRequest('options') var res = new FakeResponse() res.on('finish', function () { assert.equal(res.statusCode, 204) cb() }) cors()(req, res, function (err) { cb(err || new Error('should not be called')) }) }); it('includes Content-Length response header', function (done) { var cb = after(1, done) var req = new FakeRequest('OPTIONS') var res = new FakeResponse() res.on('finish', function () { assert.equal(res.getHeader('Content-Length'), '0') cb() }) cors()(req, res, function (err) { cb(err || new Error('should not be called')) }) }); it('no options enables default CORS to all origins', function (done) { // arrange var req, res, next; req = fakeRequest('GET'); res = fakeResponse(); next = function () { // assert assert.equal(res.getHeader('Access-Control-Allow-Origin'), '*') assert.equal(res.getHeader('Access-Control-Allow-Methods'), undefined) done(); }; // act cors()(req, res, next); }); it('OPTION call with no options enables default CORS to all origins and methods', function (done) { var cb = after(1, done) var req = new FakeRequest('OPTIONS') var res = new FakeResponse() res.on('finish', function () { assert.equal(res.statusCode, 204) assert.equal(res.getHeader('Access-Control-Allow-Origin'), '*') assert.equal(res.getHeader('Access-Control-Allow-Methods'), 'GET,HEAD,PUT,PATCH,POST,DELETE') cb() }) cors()(req, res, function (err) { cb(err || new Error('should not be called')) }) }); describe('passing static options', function () { it('overrides defaults', function (done) { var cb = after(1, done) var req = new FakeRequest('OPTIONS') var res = new FakeResponse() var options = { origin: 'http://example.com', methods: ['FOO', 'bar'], headers: ['FIZZ', 'buzz'], credentials: true, maxAge: 123 }; res.on('finish', function () { assert.equal(res.statusCode, 204) assert.equal(res.getHeader('Access-Control-Allow-Origin'), 'http://example.com') assert.equal(res.getHeader('Access-Control-Allow-Methods'), 'FOO,bar') assert.equal(res.getHeader('Access-Control-Allow-Headers'), 'FIZZ,buzz') assert.equal(res.getHeader('Access-Control-Allow-Credentials'), 'true') assert.equal(res.getHeader('Access-Control-Max-Age'), '123') cb() }) cors(options)(req, res, function (err) { cb(err || new Error('should not be called')) }) }); it('matches request origin against regexp', function(done) { var req = fakeRequest('GET'); var res = fakeResponse(); var options = { origin: /:\/\/(.+\.)?example.com$/ } cors(options)(req, res, function(err) { assert.ifError(err) assert.equal(res.getHeader('Access-Control-Allow-Origin'), req.headers.origin) assert.equal(res.getHeader('Vary'), 'Origin') return done(); }); }); it('matches request origin against array of origin checks', function(done) { var req = fakeRequest('GET'); var res = fakeResponse(); var options = { origin: [ /foo\.com$/, 'http://example.com' ] } cors(options)(req, res, function(err) { assert.ifError(err) assert.equal(res.getHeader('Access-Control-Allow-Origin'), req.headers.origin) assert.equal(res.getHeader('Vary'), 'Origin') return done(); }); }); it('doesn\'t match request origin against array of invalid origin checks', function(done) { var req = fakeRequest('GET'); var res = fakeResponse(); var options = { origin: [ /foo\.com$/, 'bar.com' ] }; cors(options)(req, res, function(err) { assert.ifError(err) assert.equal(res.getHeader('Access-Control-Allow-Origin'), undefined) assert.equal(res.getHeader('Vary'), 'Origin') return done(); }); }); it('origin of false disables cors', function (done) { // arrange var req, res, next, options; options = { origin: false, methods: ['FOO', 'bar'], headers: ['FIZZ', 'buzz'], credentials: true, maxAge: 123 }; req = fakeRequest('GET'); res = fakeResponse(); next = function () { // assert assert.equal(res.getHeader('Access-Control-Allow-Origin'), undefined) assert.equal(res.getHeader('Access-Control-Allow-Methods'), undefined) assert.equal(res.getHeader('Access-Control-Allow-Headers'), undefined) assert.equal(res.getHeader('Access-Control-Allow-Credentials'), undefined) assert.equal(res.getHeader('Access-Control-Max-Age'), undefined) done(); }; // act cors(options)(req, res, next); }); it('can override origin', function (done) { // arrange var req, res, next, options; options = { origin: 'http://example.com' }; req = fakeRequest('GET'); res = fakeResponse(); next = function () { // assert assert.equal(res.getHeader('Access-Control-Allow-Origin'), 'http://example.com') done(); }; // act cors(options)(req, res, next); }); it('includes Vary header for specific origins', function (done) { // arrange var req, res, next, options; options = { origin: 'http://example.com' }; req = fakeRequest('GET'); res = fakeResponse(); next = function () { // assert assert.equal(res.getHeader('Vary'), 'Origin') done(); }; // act cors(options)(req, res, next); }); it('appends to an existing Vary header', function (done) { // arrange var req, res, next, options; options = { origin: 'http://example.com' }; req = fakeRequest('GET'); res = fakeResponse(); res.setHeader('Vary', 'Foo'); next = function () { // assert assert.equal(res.getHeader('Vary'), 'Foo, Origin') done(); }; // act cors(options)(req, res, next); }); it('origin defaults to *', function (done) { // arrange var req, res, next; req = fakeRequest('GET'); res = fakeResponse(); next = function () { // assert assert.equal(res.getHeader('Access-Control-Allow-Origin'), '*') done(); }; // act cors()(req, res, next); }); it('specifying true for origin reflects requesting origin', function (done) { // arrange var req, res, next, options; options = { origin: true }; req = fakeRequest('GET'); res = fakeResponse(); next = function () { // assert assert.equal(res.getHeader('Access-Control-Allow-Origin'), 'http://example.com') done(); }; // act cors(options)(req, res, next); }); it('should allow origin when callback returns true', function (done) { var req, res, next, options; options = { origin: function (sentOrigin, cb) { cb(null, true); } }; req = fakeRequest('GET'); res = fakeResponse(); next = function () { assert.equal(res.getHeader('Access-Control-Allow-Origin'), 'http://example.com') done(); }; cors(options)(req, res, next); }); it('should not allow origin when callback returns false', function (done) { var req, res, next, options; options = { origin: function (sentOrigin, cb) { cb(null, false); } }; req = fakeRequest('GET'); res = fakeResponse(); next = function () { assert.equal(res.getHeader('Access-Control-Allow-Origin'), undefined) assert.equal(res.getHeader('Access-Control-Allow-Methods'), undefined) assert.equal(res.getHeader('Access-Control-Allow-Headers'), undefined) assert.equal(res.getHeader('Access-Control-Allow-Credentials'), undefined) assert.equal(res.getHeader('Access-Control-Max-Age'), undefined) done(); }; cors(options)(req, res, next); }); it('should not override options.origin callback', function (done) { var req, res, next, options; options = { origin: function (sentOrigin, cb) { cb(null, sentOrigin === 'http://example.com') } }; req = fakeRequest('GET'); res = fakeResponse(); next = function () { assert.equal(res.getHeader('Access-Control-Allow-Origin'), 'http://example.com') }; cors(options)(req, res, next); req = fakeRequest('GET', { 'origin': 'http://localhost' }); res = fakeResponse(); next = function () { assert.equal(res.getHeader('Access-Control-Allow-Origin'), undefined) assert.equal(res.getHeader('Access-Control-Allow-Methods'), undefined) assert.equal(res.getHeader('Access-Control-Allow-Headers'), undefined) assert.equal(res.getHeader('Access-Control-Allow-Credentials'), undefined) assert.equal(res.getHeader('Access-Control-Max-Age'), undefined) done(); }; cors(options)(req, res, next); }); it('can override methods', function (done) { var cb = after(1, done) var req = new FakeRequest('OPTIONS') var res = new FakeResponse() var options = { methods: ['method1', 'method2'] }; res.on('finish', function () { assert.equal(res.statusCode, 204) assert.equal(res.getHeader('Access-Control-Allow-Methods'), 'method1,method2') cb() }) cors(options)(req, res, function (err) { cb(err || new Error('should not be called')) }) }); it('methods defaults to GET, HEAD, PUT, PATCH, POST, DELETE', function (done) { var cb = after(1, done) var req = new FakeRequest('OPTIONS') var res = new FakeResponse() res.on('finish', function () { assert.equal(res.statusCode, 204) assert.equal(res.getHeader('Access-Control-Allow-Methods'), 'GET,HEAD,PUT,PATCH,POST,DELETE') cb() }) cors()(req, res, function (err) { cb(err || new Error('should not be called')) }) }); it('can specify allowed headers as array', function (done) { var cb = after(1, done) var req = new FakeRequest('OPTIONS') var res = new FakeResponse() res.on('finish', function () { assert.strictEqual(res.getHeader('Access-Control-Allow-Headers'), 'header1,header2') assert.equal(res.getHeader('Vary'), undefined) cb() }) cors({ allowedHeaders: ['header1', 'header2'] })(req, res, function (err) { cb(err || new Error('should not be called')) }) }); it('can specify allowed headers as string', function (done) { var cb = after(1, done) var req = new FakeRequest('OPTIONS') var res = new FakeResponse() res.on('finish', function () { assert.equal(res.getHeader('Access-Control-Allow-Headers'), 'header1,header2') assert.equal(res.getHeader('Vary'), undefined) cb() }) cors({ allowedHeaders: 'header1,header2' })(req, res, function (err) { cb(err || new Error('should not be called')) }) }); it('specifying an empty list or string of allowed headers will result in no response header for allowed headers', function (done) { // arrange var req, res, next, options; options = { allowedHeaders: [] }; req = fakeRequest('GET'); res = fakeResponse(); next = function () { // assert assert.equal(res.getHeader('Access-Control-Allow-Headers'), undefined) assert.equal(res.getHeader('Vary'), undefined) done(); }; // act cors(options)(req, res, next); }); it('if no allowed headers are specified, defaults to requested allowed headers', function (done) { var cb = after(1, done) var req = new FakeRequest('OPTIONS') var res = new FakeResponse() res.on('finish', function () { assert.equal(res.getHeader('Access-Control-Allow-Headers'), 'x-header-1, x-header-2') assert.equal(res.getHeader('Vary'), 'Access-Control-Request-Headers') cb() }) cors()(req, res, function (err) { cb(err || new Error('should not be called')) }) }); it('can specify exposed headers as array', function (done) { // arrange var req, res, options, next; options = { exposedHeaders: ['custom-header1', 'custom-header2'] }; req = fakeRequest('GET'); res = fakeResponse(); next = function () { // assert assert.equal(res.getHeader('Access-Control-Expose-Headers'), 'custom-header1,custom-header2') done(); }; // act cors(options)(req, res, next); }); it('can specify exposed headers as string', function (done) { // arrange var req, res, options, next; options = { exposedHeaders: 'custom-header1,custom-header2' }; req = fakeRequest('GET'); res = fakeResponse(); next = function () { // assert assert.equal(res.getHeader('Access-Control-Expose-Headers'), 'custom-header1,custom-header2') done(); }; // act cors(options)(req, res, next); }); it('specifying an empty list or string of exposed headers will result in no response header for exposed headers', function (done) { // arrange var req, res, next, options; options = { exposedHeaders: [] }; req = fakeRequest('GET'); res = fakeResponse(); next = function () { // assert assert.equal(res.getHeader('Access-Control-Expose-Headers'), undefined) done(); }; // act cors(options)(req, res, next); }); it('includes credentials if explicitly enabled', function (done) { var cb = after(1, done) var req = new FakeRequest('OPTIONS') var res = new FakeResponse() res.on('finish', function () { assert.equal(res.getHeader('Access-Control-Allow-Credentials'), 'true') cb() }) cors({ credentials: true })(req, res, function (err) { cb(err || new Error('should not be called')) }) }); it('does not includes credentials unless explicitly enabled', function (done) { // arrange var req, res, next; req = fakeRequest('GET'); res = fakeResponse(); next = function () { // assert assert.equal(res.getHeader('Access-Control-Allow-Credentials'), undefined) done(); }; // act cors()(req, res, next); }); it('includes maxAge when specified', function (done) { var cb = after(1, done) var req = new FakeRequest('OPTIONS') var res = new FakeResponse() res.on('finish', function () { assert.equal(res.getHeader('Access-Control-Max-Age'), '456') cb() }) cors({ maxAge: 456 })(req, res, function (err) { cb(err || new Error('should not be called')) }) }); it('includes maxAge when specified and equals to zero', function (done) { var cb = after(1, done) var req = new FakeRequest('OPTIONS') var res = new FakeResponse() res.on('finish', function () { assert.equal(res.getHeader('Access-Control-Max-Age'), '0') cb() }) cors({ maxAge: 0 })(req, res, function (err) { cb(err || new Error('should not be called')) }) }); it('does not includes maxAge unless specified', function (done) { // arrange var req, res, next; req = fakeRequest('GET'); res = fakeResponse(); next = function () { // assert assert.equal(res.getHeader('Access-Control-Max-Age'), undefined) done(); }; // act cors()(req, res, next); }); }); describe('passing a function to build options', function () { it('handles options specified via callback', function (done) { // arrange var req, res, next, delegate; delegate = function (req2, cb) { cb(null, { origin: 'delegate.com' }); }; req = fakeRequest('GET'); res = fakeResponse(); next = function () { // assert assert.equal(res.getHeader('Access-Control-Allow-Origin'), 'delegate.com') done(); }; // act cors(delegate)(req, res, next); }); it('handles options specified via callback for preflight', function (done) { var cb = after(1, done) var req = new FakeRequest('OPTIONS') var res = new FakeResponse() var delegate = function (req2, cb) { cb(null, { origin: 'delegate.com', maxAge: 1000 }); }; res.on('finish', function () { assert.equal(res.getHeader('Access-Control-Allow-Origin'), 'delegate.com') assert.equal(res.getHeader('Access-Control-Max-Age'), '1000') cb() }) cors(delegate)(req, res, function (err) { cb(err || new Error('should not be called')) }) }); it('handles error specified via callback', function (done) { // arrange var req, res, next, delegate; delegate = function (req2, cb) { cb('some error'); }; req = fakeRequest('GET'); res = fakeResponse(); next = function (err) { // assert assert.equal(err, 'some error') done(); }; // act cors(delegate)(req, res, next); }); }); }); }()); function FakeRequest (method, headers) { this.headers = headers || { 'origin': 'http://example.com', 'access-control-request-headers': 'x-header-1, x-header-2' } this.method = method || 'GET' } function FakeResponse () { this._headers = {} this.statusCode = 200 } util.inherits(FakeResponse, EventEmitter) FakeResponse.prototype.end = function end () { var response = this process.nextTick(function () { response.emit('finish') }) } FakeResponse.prototype.getHeader = function getHeader (name) { var key = name.toLowerCase() return this._headers[key] } FakeResponse.prototype.setHeader = function setHeader (name, value) { var key = name.toLowerCase() this._headers[key] = value }