Merge branch 'main' of github.com:fastify/fastify-cors

Signed-off-by: Matteo Collina <[email protected]>

Author: mcollina

.github/workflows/ci.yml

@@ -14,6 +14,9 @@ on:
       - 'docs/**'
       - '*.md'
 
+permissions:
+  contents: read
+
 jobs:
   test:
     permissions:

LICENSE

@@ -1,6 +1,8 @@
 MIT License
 
-Copyright (c) 2018 Fastify
+Copyright (c) 2018-present The Fastify team
+
+The Fastify team members are listed at https://github.com/fastify/fastify#team.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -19,9 +19,8 @@ npm i @fastify/cors
 | `^10.x`        | `^5.x`          |
 | `^8.x`         | `^4.x`          |
 | `^7.x`         | `^3.x`          |
-| `^3.x`         | `^2.x`          |
-| `^1.x`         | `^1.x`          |
-
+| `>=3.x <7.x`   | `^2.x`          |
+| `>=1.x <3.x`   | `^1.x`          |
 
 Please note that if a Fastify version is out of support, then so are the corresponding versions of this plugin
 in the table above.
@@ -76,6 +75,10 @@ You can use it as is without passing any option or you can configure it as expla
 * `preflight`: Disables preflight by passing `false`. Default: `true`.
 * `strictPreflight`: Enforces strict requirements for the CORS preflight request headers (**Access-Control-Request-Method** and **Origin**) as defined by the [W3C CORS specification](https://www.w3.org/TR/2020/SPSD-cors-20200602/#resource-preflight-requests). Preflight requests without the required headers result in 400 errors when set to `true`. Default: `true`.
 * `hideOptionsRoute`: Hides the options route from documentation built using [@fastify/swagger](https://github.com/fastify/fastify-swagger). Default: `true`.
+* `logLevel`: Sets the Fastify log level **only** for the internal CORS pre-flight `OPTIONS *` route.  
+  Pass `'silent'` to suppress these requests in your logs, or any valid Fastify
+  log level (`'trace'`, `'debug'`, `'info'`, `'warn'`, `'error'`, `'fatal'`).  
+  Default: inherits Fastify’s global log level.
 
 #### :warning: DoS attacks
 

index.js

@@ -46,13 +46,14 @@ function fastifyCors (fastify, opts, next) {
   fastify.decorateRequest('corsPreflightEnabled', false)
 
   let hideOptionsRoute = true
+  let logLevel
+
   if (typeof opts === 'function') {
     handleCorsOptionsDelegator(opts, fastify, { hook: defaultOptions.hook }, next)
   } else if (opts.delegator) {
     const { delegator, ...options } = opts
     handleCorsOptionsDelegator(delegator, fastify, options, next)
   } else {
-    if (opts.hideOptionsRoute !== undefined) hideOptionsRoute = opts.hideOptionsRoute
     const corsOptions = normalizeCorsOptions(opts)
     validateHook(corsOptions.hook, next)
     if (hookWithPayload.indexOf(corsOptions.hook) !== -1) {
@@ -65,14 +66,17 @@ function fastifyCors (fastify, opts, next) {
       })
     }
   }
+  if (opts.logLevel !== undefined) logLevel = opts.logLevel
+  if (opts.hideOptionsRoute !== undefined) hideOptionsRoute = opts.hideOptionsRoute
 
   // The preflight reply must occur in the hook. This allows fastify-cors to reply to
   // preflight requests BEFORE possible authentication plugins. If the preflight reply
   // occurred in this handler, other plugins may deny the request since the browser will
   // remove most headers (such as the Authentication header).
   //
   // This route simply enables fastify to accept preflight requests.
-  fastify.options('*', { schema: { hide: hideOptionsRoute } }, (req, reply) => {
+
+  fastify.options('*', { schema: { hide: hideOptionsRoute }, logLevel }, (req, reply) => {
     if (!req.corsPreflightEnabled) {
       // Do not handle preflight requests if the origin option disabled CORS
       reply.callNotFound()

package.json

@@ -60,13 +60,13 @@
   ],
   "devDependencies": {
     "@fastify/pre-commit": "^2.1.0",
-    "@types/node": "^22.0.0",
+    "@types/node": "^24.0.8",
     "c8": "^10.1.2",
     "cors": "^2.8.5",
     "eslint": "^9.17.0",
     "fastify": "^5.0.0",
     "neostandard": "^0.12.0",
-    "tsd": "^0.31.1",
+    "tsd": "^0.32.0",
     "typescript": "~5.8.2"
   },
   "dependencies": {

test/preflight.test.js

@@ -486,3 +486,105 @@ test('Should support ongoing prefix ', async t => {
     'content-length': '0'
   })
 })
+
+test('Silences preflight logs when logLevel is "silent"', async t => {
+  const logs = []
+  const fastify = Fastify({
+    logger: {
+      level: 'info',
+      stream: {
+        write (line) {
+          try {
+            logs.push(JSON.parse(line))
+          } catch {
+          }
+        }
+      }
+    }
+  })
+
+  await fastify.register(cors, { logLevel: 'silent' })
+
+  fastify.get('/', async () => ({ ok: true }))
+
+  await fastify.ready()
+  t.assert.ok(fastify)
+
+  await fastify.inject({
+    method: 'OPTIONS',
+    url: '/',
+    headers: {
+      'access-control-request-method': 'GET',
+      origin: 'https://example.com'
+    }
+  })
+
+  await fastify.inject({ method: 'GET', url: '/' })
+
+  const hasOptionsLog = logs.some(l => l.req && l.req.method === 'OPTIONS')
+  const hasGetLog = logs.some(l => l.req && l.req.method === 'GET')
+
+  t.assert.strictEqual(hasOptionsLog, false)
+  t.assert.strictEqual(hasGetLog, true)
+
+  await fastify.close()
+})
+test('delegator + logLevel:"silent" → OPTIONS logs are suppressed', async t => {
+  t.plan(3)
+
+  const logs = []
+  const app = Fastify({
+    logger: {
+      level: 'info',
+      stream: { write: l => { try { logs.push(JSON.parse(l)) } catch {} } }
+    }
+  })
+
+  await app.register(cors, {
+    delegator: () => ({ origin: '*' }),
+    logLevel: 'silent'
+  })
+
+  app.get('/', () => ({ ok: true }))
+  await app.ready()
+  t.assert.ok(app)
+
+  await app.inject({
+    method: 'OPTIONS',
+    url: '/',
+    headers: {
+      'access-control-request-method': 'GET',
+      origin: 'https://example.com'
+    }
+  })
+
+  await app.inject({ method: 'GET', url: '/' })
+
+  const hasOptionsLog = logs.some(l => l.req?.method === 'OPTIONS')
+  const hasGetLog = logs.some(l => l.req?.method === 'GET')
+
+  t.assert.strictEqual(hasOptionsLog, false)
+  t.assert.strictEqual(hasGetLog, true)
+
+  await app.close()
+})
+test('delegator + hideOptionsRoute:false → OPTIONS route is visible', async t => {
+  t.plan(2)
+
+  const app = Fastify()
+
+  app.addHook('onRoute', route => {
+    if (route.method === 'OPTIONS' && route.url === '*') {
+      t.assert.strictEqual(route.schema.hide, false)
+    }
+  })
+
+  await app.register(cors, {
+    delegator: () => ({ origin: '*' }),
+    hideOptionsRoute: false
+  })
+
+  await app.ready()
+  t.assert.ok(app)
+  await app.close()
+})

types/index.d.ts

@@ -1,6 +1,6 @@
 /// <reference types="node" />
 
-import { FastifyInstance, FastifyPluginCallback, FastifyRequest } from 'fastify'
+import { FastifyInstance, FastifyPluginCallback, FastifyRequest, LogLevel } from 'fastify'
 
 type OriginCallback = (err: Error | null, origin: ValueOrArray<OriginType>) => void
 type OriginType = string | boolean | RegExp
@@ -87,7 +87,7 @@ declare namespace fastifyCors {
      */
     optionsSuccessStatus?: number;
     /**
-     * Pass the CORS preflight response to the route handler (default: false).
+     * Pass the CORS preflight response to the route handler (default: true).
      */
     preflight?: boolean;
     /**
@@ -99,6 +99,15 @@ declare namespace fastifyCors {
      * Hide options route from the documentation built using fastify-swagger (default: true).
      */
     hideOptionsRoute?: boolean;
+
+    /**
+     * Sets the Fastify log level specifically for the internal OPTIONS route
+     * used to handle CORS preflight requests. For example, setting this to `'silent'`
+     * will prevent these requests from being logged.
+     * Useful for reducing noise in application logs.
+     * Default: inherits Fastify's global log level.
+      */
+    logLevel?: LogLevel;
   }
 
   export interface FastifyCorsOptionsDelegateCallback { (req: FastifyRequest, cb: (error: Error | null, corsOptions?: FastifyCorsOptions) => void): void }

types/index.test-d.ts

@@ -165,7 +165,8 @@ appHttp2.register(fastifyCors, {
   preflightContinue: false,
   optionsSuccessStatus: 200,
   preflight: false,
-  strictPreflight: false
+  strictPreflight: false,
+  logLevel: 'silent'
 })
 
 appHttp2.register(fastifyCors, {