fix: Undo authorization on OPTIONS requests

config/http/middleware/handlers/cors.json

@@ -15,7 +15,7 @@
         "DELETE"
       ],
       "options_credentials": true,
-      "options_preflightContinue": true,
+      "options_preflightContinue": false,
       "options_exposedHeaders": [
         "Accept-Patch",
         "Accept-Post",

config/ldp/handler/components/operation-handler.json

@@ -5,10 +5,6 @@
       "@id": "urn:solid-server:default:OperationHandler",
       "@type": "WaterfallHandler",
       "handlers": [
-        {
-          "@type": "OptionsOperationHandler",
-          "resourceSet": { "@id": "urn:solid-server:default:CachedResourceSet" }
-        },
         {
           "@type": "GetOperationHandler",
           "store": { "@id": "urn:solid-server:default:ResourceStore" }

src/index.ts

@@ -83,7 +83,6 @@ export * from './http/ldp/DeleteOperationHandler';
 export * from './http/ldp/GetOperationHandler';
 export * from './http/ldp/HeadOperationHandler';
 export * from './http/ldp/OperationHandler';
-export * from './http/ldp/OptionsOperationHandler';
 export * from './http/ldp/PatchOperationHandler';
 export * from './http/ldp/PostOperationHandler';
 export * from './http/ldp/PutOperationHandler';
@@ -106,7 +105,6 @@ export * from './http/output/metadata/WwwAuthMetadataWriter';
 
 // HTTP/Output/Response
 export * from './http/output/response/CreatedResponseDescription';
-export * from './http/output/response/NoContentResponseDescription';
 export * from './http/output/response/OkResponseDescription';
 export * from './http/output/response/ResetResponseDescription';
 export * from './http/output/response/ResponseDescription';

test/integration/Middleware.test.ts

@@ -70,7 +70,7 @@ describe('An http server with middleware', (): void => {
       .set('Access-Control-Request-Headers', 'content-type')
       .set('Access-Control-Request-Method', 'POST')
       .set('Host', 'test.com')
-      .expect(200);
+      .expect(204);
     expect(res.header).toEqual(expect.objectContaining({
       'access-control-allow-origin': '*',
       'access-control-allow-headers': 'content-type',

test/integration/PermissionTable.test.ts

@@ -44,9 +44,13 @@ const allModes = [ AM.read, AM.append, AM.create, AM.write, AM.delete ];
 // For PUT/PATCH/DELETE we return 205 instead of 200/204
 /* eslint-disable no-multi-spaces */
 const table: [string, string, AM[], AM[] | undefined, string, string, number, number][] = [
-  [ 'OPTIONS', 'C/R', [],                     undefined,              '',     '',  401, 401 ],
-  [ 'OPTIONS', 'C/R', [],                     [ AM.read ],            '',     '',  204, 404 ],
-  [ 'OPTIONS', 'C/R', [ AM.read ],            undefined,              '',     '',  204, 404 ],
+  // No authorization headers are sent in an OPTIONS request making it impossible to grant permission.
+  // See https://github.com/CommunitySolidServer/CommunitySolidServer/issues/1246#issuecomment-1087325235
+  // From https://fetch.spec.whatwg.org/#cors-preflight-fetch it follows
+  // that a preflight check should always return an OK response.
+  [ 'OPTIONS', 'C/R', [],                     undefined,              '',     '',  204, 204 ],
+  [ 'OPTIONS', 'C/R', [],                     [ AM.read ],            '',     '',  204, 204 ],
+  [ 'OPTIONS', 'C/R', [ AM.read ],            undefined,              '',     '',  204, 204 ],
 
   [ 'HEAD',    'C/R', [],                     undefined,              '',     '',  401, 401 ],
   [ 'HEAD',    'C/R', [],                     [ AM.read ],            '',     '',  200, 404 ],