fix: must specify an origin value instead of "*" wildcard (#85)

See https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

Co-authored-by: 胡文彬 <huwenbin.tyreal@bytedance.com>

.gitignore

@@ -5,6 +5,8 @@
 *.out
 *.pid
 *.gz
+.idea
+.DS_Store
 
 pids
 logs

index.js

@@ -75,6 +75,10 @@ module.exports = function(options) {
       credentials = !!options.credentials;
     }
 
+    if (credentials && origin === '*') {
+      origin = requestOrigin;
+    }
+
     const headersSet = {};
 
     function set(key, value) {

test/cors.test.js

@@ -889,4 +889,46 @@ describe('cors.test.js', function() {
     });
   });
 
+  describe('options.origin=*, and options.credentials=true', function() {
+    const app = new Koa();
+    app.use(cors({
+      origin: '*',
+      credentials: true,
+    }));
+
+    app.use(function(ctx) {
+      ctx.body = { foo: 'bar' };
+    });
+
+    it('Access-Control-Allow-Origin should be request.origin, and Access-Control-Allow-Credentials should be true', function(done) {
+      request(app.listen())
+        .get('/')
+        .set('Origin', 'http://koajs.com')
+        .expect('Access-Control-Allow-Credentials', 'true')
+        .expect('Access-Control-Allow-Origin', 'http://koajs.com')
+        .expect({ foo: 'bar' })
+        .expect(200, done);
+    });
+  });
+
+  describe('options.origin=*, and options.credentials=false', function() {
+    const app = new Koa();
+    app.use(cors({
+      origin: '*',
+      credentials: false,
+    }));
+
+    app.use(function(ctx) {
+      ctx.body = { foo: 'bar' };
+    });
+
+    it('Access-Control-Allow-Origin should be *', function(done) {
+      request(app.listen())
+        .get('/')
+        .set('Origin', 'http://koajs.com')
+        .expect('Access-Control-Allow-Origin', '*')
+        .expect({ foo: 'bar' })
+        .expect(200, done);
+    });
+  });
 });