vary origin on delegated options (#292)

Author: laat

index.js

@@ -104,7 +104,7 @@ function handleCorsOptionsDelegator (optionsResolver, fastify, opts, next) {
       fastify.addHook(hook, function handleCors (req, reply, payload, next) {
         const ret = optionsResolver(req)
         if (ret && typeof ret.then === 'function') {
-          ret.then(options => addCorsHeadersHandler(fastify, normalizeCorsOptions(options), req, reply, next)).catch(next)
+          ret.then(options => addCorsHeadersHandler(fastify, normalizeCorsOptions(options, true), req, reply, next)).catch(next)
           return
         }
         next(new Error('Invalid CORS origin option'))
@@ -114,7 +114,7 @@ function handleCorsOptionsDelegator (optionsResolver, fastify, opts, next) {
       fastify.addHook(hook, function handleCors (req, reply, next) {
         const ret = optionsResolver(req)
         if (ret && typeof ret.then === 'function') {
-          ret.then(options => addCorsHeadersHandler(fastify, normalizeCorsOptions(options), req, reply, next)).catch(next)
+          ret.then(options => addCorsHeadersHandler(fastify, normalizeCorsOptions(options, true), req, reply, next)).catch(next)
           return
         }
         next(new Error('Invalid CORS origin option'))
@@ -128,15 +128,15 @@ function handleCorsOptionsCallbackDelegator (optionsResolver, fastify, req, repl
     if (err) {
       next(err)
     } else {
-      addCorsHeadersHandler(fastify, normalizeCorsOptions(options), req, reply, next)
+      addCorsHeadersHandler(fastify, normalizeCorsOptions(options, true), req, reply, next)
     }
   })
 }
 
 /**
  * @param {import('./types').FastifyCorsOptions} opts
  */
-function normalizeCorsOptions (opts) {
+function normalizeCorsOptions (opts, dynamic) {
   const corsOptions = { ...defaultOptions, ...opts }
   if (Array.isArray(opts.origin) && opts.origin.indexOf('*') !== -1) {
     corsOptions.origin = '*'
@@ -148,11 +148,12 @@ function normalizeCorsOptions (opts) {
     // strings are applied directly and any other value is ignored
     corsOptions.cacheControl = null
   }
+  corsOptions.dynamic = dynamic || false
   return corsOptions
 }
 
 function addCorsHeadersHandler (fastify, options, req, reply, next) {
-  if (typeof options.origin !== 'string' && options.origin !== false) {
+  if ((typeof options.origin !== 'string' && options.origin !== false) || options.dynamic) {
     // Always set Vary header for non-static origin option
     // https://fetch.spec.whatwg.org/#cors-protocol-and-http-caches
     addOriginToVaryHeader(reply)

test/cors.test.js

@@ -124,7 +124,7 @@ test('Should add cors headers (custom values)', t => {
 })
 
 test('Should support dynamic config (callback)', t => {
-  t.plan(18)
+  t.plan(16)
 
   const configs = [{
     origin: 'example.com',
@@ -177,9 +177,9 @@ test('Should support dynamic config (callback)', t => {
       'access-control-allow-origin': 'example.com',
       'access-control-allow-credentials': 'true',
       'access-control-expose-headers': 'foo, bar',
-      'content-length': '2'
+      'content-length': '2',
+      vary: 'Origin'
     })
-    t.notMatch(res.headers, { vary: 'Origin' })
   })
 
   fastify.inject({
@@ -202,9 +202,9 @@ test('Should support dynamic config (callback)', t => {
       'access-control-allow-headers': 'baz, foo',
       'access-control-max-age': '321',
       'cache-control': '456',
-      'content-length': '0'
+      'content-length': '0',
+      vary: 'Origin'
     })
-    t.notMatch(res.headers, { vary: 'Origin' })
   })
 
   fastify.inject({
@@ -221,7 +221,7 @@ test('Should support dynamic config (callback)', t => {
 })
 
 test('Should support dynamic config (Promise)', t => {
-  t.plan(26)
+  t.plan(23)
 
   const configs = [{
     origin: 'example.com',
@@ -282,9 +282,9 @@ test('Should support dynamic config (Promise)', t => {
       'access-control-allow-origin': 'example.com',
       'access-control-allow-credentials': 'true',
       'access-control-expose-headers': 'foo, bar',
-      'content-length': '2'
+      'content-length': '2',
+      vary: 'Origin'
     })
-    t.notMatch(res.headers, { vary: 'Origin' })
   })
 
   fastify.inject({
@@ -306,9 +306,9 @@ test('Should support dynamic config (Promise)', t => {
       'access-control-allow-methods': 'GET',
       'access-control-allow-headers': 'baz, foo',
       'access-control-max-age': '321',
-      'content-length': '0'
+      'content-length': '0',
+      vary: 'Origin'
     })
-    t.notMatch(res.headers, { vary: 'Origin' })
     t.equal(res.headers['cache-control'], undefined, 'cache-control omitted (invalid value)')
   })
 
@@ -332,9 +332,9 @@ test('Should support dynamic config (Promise)', t => {
       'access-control-allow-headers': 'baz, foo',
       'access-control-max-age': '321',
       'cache-control': 'public, max-age=456', // cache-control included (custom string)
-      'content-length': '0'
+      'content-length': '0',
+      vary: 'Origin'
     })
-    t.notMatch(res.headers, { vary: 'Origin' })
   })
 
   fastify.inject({

test/hooks.test.js

@@ -321,7 +321,7 @@ test('Should set hook preSerialization if hook option is set to preSerialization
 })
 
 test('Should support custom hook with dynamic config', t => {
-  t.plan(18)
+  t.plan(16)
 
   const configs = [{
     origin: 'example.com',
@@ -375,9 +375,9 @@ test('Should support custom hook with dynamic config', t => {
       'access-control-allow-origin': 'example.com',
       'access-control-allow-credentials': 'true',
       'access-control-expose-headers': 'foo, bar',
-      'content-length': '2'
+      'content-length': '2',
+      vary: 'Origin'
     })
-    t.notMatch(res.headers, { vary: 'Origin' })
   })
 
   fastify.inject({
@@ -399,9 +399,9 @@ test('Should support custom hook with dynamic config', t => {
       'access-control-allow-methods': 'GET',
       'access-control-allow-headers': 'baz, foo',
       'access-control-max-age': '321',
-      'content-length': '0'
+      'content-length': '0',
+      vary: 'Origin'
     })
-    t.notMatch(res.headers, { vary: 'Origin' })
   })
 
   fastify.inject({
@@ -418,7 +418,7 @@ test('Should support custom hook with dynamic config', t => {
 })
 
 test('Should support custom hook with dynamic config (callback)', t => {
-  t.plan(18)
+  t.plan(16)
 
   const configs = [{
     origin: 'example.com',
@@ -472,9 +472,9 @@ test('Should support custom hook with dynamic config (callback)', t => {
       'access-control-allow-origin': 'example.com',
       'access-control-allow-credentials': 'true',
       'access-control-expose-headers': 'foo, bar',
-      'content-length': '2'
+      'content-length': '2',
+      vary: 'Origin'
     })
-    t.notMatch(res.headers, { vary: 'Origin' })
   })
 
   fastify.inject({
@@ -496,9 +496,9 @@ test('Should support custom hook with dynamic config (callback)', t => {
       'access-control-allow-methods': 'GET',
       'access-control-allow-headers': 'baz, foo',
       'access-control-max-age': '321',
-      'content-length': '0'
+      'content-length': '0',
+      vary: 'Origin'
     })
-    t.notMatch(res.headers, { vary: 'Origin' })
   })
 
   fastify.inject({
@@ -515,7 +515,7 @@ test('Should support custom hook with dynamic config (callback)', t => {
 })
 
 test('Should support custom hook with dynamic config (Promise)', t => {
-  t.plan(18)
+  t.plan(16)
 
   const configs = [{
     origin: 'example.com',
@@ -570,9 +570,9 @@ test('Should support custom hook with dynamic config (Promise)', t => {
       'access-control-allow-origin': 'example.com',
       'access-control-allow-credentials': 'true',
       'access-control-expose-headers': 'foo, bar',
-      'content-length': '2'
+      'content-length': '2',
+      vary: 'Origin'
     })
-    t.notMatch(res.headers, { vary: 'Origin' })
   })
 
   fastify.inject({
@@ -594,9 +594,9 @@ test('Should support custom hook with dynamic config (Promise)', t => {
       'access-control-allow-methods': 'GET',
       'access-control-allow-headers': 'baz, foo',
       'access-control-max-age': '321',
-      'content-length': '0'
+      'content-length': '0',
+      vary: 'Origin'
     })
-    t.notMatch(res.headers, { vary: 'Origin' })
   })
 
   fastify.inject({