From a634b4830cba3a0689865783f61628f2c7c1b7d8 Mon Sep 17 00:00:00 2001
From: Mathieu Carbou
Date: Fri, 26 Sep 2025 14:03:44 +0200
Subject: [PATCH] Fix CORS behavior when credentials flag is set to true. When credential flag is set to true, origin cannot be set to * (browser contraint). So we mimic the same behavior by answering back in `Access-Control-Allow-Origin` header the `Origin `value, but only if the user set origin to * in the CORS middleware settings. Ref: https://github.com/ESP32Async/ESPAsyncWebServer/issues/294 Fix #294.
---
 src/ESPAsyncWebServer.h | 8 +++++++-
 src/Middleware.cpp | 13 +++++++++----
 2 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/src/ESPAsyncWebServer.h b/src/ESPAsyncWebServer.h
index 7d5eea17e..9c150dbaa 100644
--- a/src/ESPAsyncWebServer.h
+++ b/src/ESPAsyncWebServer.h
@@ -891,7 +891,13 @@ class AsyncCorsMiddleware : public AsyncMiddleware {
 _maxAge = seconds;
 }
- void addCORSHeaders(AsyncWebServerResponse *response);
+#ifndef ESP8266
+ [[deprecated("Use instead: addCORSHeaders(AsyncWebServerRequest *request, AsyncWebServerResponse *response)")]]
+#endif
+ void addCORSHeaders(AsyncWebServerResponse *response) {
+ addCORSHeaders(nullptr, response);
+ }
+ void addCORSHeaders(AsyncWebServerRequest *request, AsyncWebServerResponse *response);
 void run(AsyncWebServerRequest *request, ArMiddlewareNext next);
diff --git a/src/Middleware.cpp b/src/Middleware.cpp
index 5e9c3c274..769e29e2b 100644
--- a/src/Middleware.cpp
+++ b/src/Middleware.cpp
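Review bot: The deprecated `addCORSHeaders(AsyncWebServerResponse *response)` overload forwards `nullptr` as the request, and the new implementation in Middleware.cpp falls back to `_origin` whenever `request` is null, so a caller still using this overload with `_credentials` true and `_origin` set to `*` keeps emitting `Access-Control-Allow-Origin: *` together with `Access-Control-Allow-Credentials: true` — the very combination this commit sets out to fix. That is acceptable for a compatibility shim, but it should be stated at the declaration, e.g. `// Without a request the configured origin is sent as-is (a "*" stays "*" even with credentials enabled); pass the request to get per-origin reflection.`. The `#ifndef ESP8266` guard around `[[deprecated]]` presumably works around a toolchain that rejects the attribute; a one-line comment naming the reason would save the next reader a search.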
@@ -228,8 +228,13 @@ void AsyncLoggingMiddleware::run(AsyncWebServerRequest *request, ArMiddlewareNex
 }
 }
-void AsyncCorsMiddleware::addCORSHeaders(AsyncWebServerResponse *response) {
- response->addHeader(asyncsrv::T_CORS_ACAO, _origin.c_str());
+void AsyncCorsMiddleware::addCORSHeaders(AsyncWebServerRequest *request, AsyncWebServerResponse *response) {
+ if (request != nullptr && _credentials && _origin == "*") {
+ // cannot use wildcard when allowing credentials
+ response->addHeader(asyncsrv::T_CORS_ACAO, request->header(asyncsrv::T_CORS_O).c_str());
+ } else {
+ response->addHeader(asyncsrv::T_CORS_ACAO, _origin.c_str());
+ }
 response->addHeader(asyncsrv::T_CORS_ACAM, _methods.c_str());
 response->addHeader(asyncsrv::T_CORS_ACAH, _headers.c_str());
 response->addHeader(asyncsrv::T_CORS_ACAC, _credentials ? asyncsrv::T_TRUE : asyncsrv::T_FALSE);
@@ -242,7 +247,7 @@ void AsyncCorsMiddleware::run(AsyncWebServerRequest *request, ArMiddlewareNext n
 // check if this is a preflight request => handle it and return
 if (request->method() == HTTP_OPTIONS) {
 AsyncWebServerResponse *response = request->beginResponse(200);
- addCORSHeaders(response);
+ addCORSHeaders(request, response);
 request->send(response);
 return;
 }
@@ -251,7 +256,7 @@ void AsyncCorsMiddleware::run(AsyncWebServerRequest *request, ArMiddlewareNext n
 next();
 AsyncWebServerResponse *response = request->getResponse();
 if (response) {
- addCORSHeaders(response);
+ addCORSHeaders(request, response);
 }
 } else {
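Review bot: In the new `_credentials && _origin == "*"` branch the request's `Origin` value is reflected into `Access-Control-Allow-Origin`, which makes the response request-dependent, yet no `Vary: Origin` is emitted, so an intermediate or browser cache can hand one origin's credentialed response to a different origin; add `response->addHeader("Vary", "Origin");` inside that branch. The same branch reflects whatever `request->header(asyncsrv::T_CORS_O)` returns when the request carries no `Origin` header at all (presumably an empty string for a plain same-origin or non-browser request), producing an empty `Access-Control-Allow-Origin`; extending the condition with `&& request->hasHeader(asyncsrv::T_CORS_O)` keeps the existing `_origin` fallback for those requests. Reflecting an arbitrary `Origin` with credentials enabled is functionally "any origin may make credentialed requests", which is exactly what browsers refuse to grant for `*`, so the in-code comment should name that consequence rather than only the constraint, e.g. `// A wildcard is invalid with credentials, so reflect the caller's Origin; this grants every origin credentialed access and is only intended when "*" was configured deliberately.`. The remainder of addCORSHeaders continues past the hunk, and the two later hunks only propagate the new parameter.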