fix(rest): enable cors preflight

raymondfeng · raymondfeng · commit d05bdae9aba2 · 2018-03-06T10:00:22.000-08:00
Fixes #1055
diff --git a/packages/rest/package.json b/packages/rest/package.json
@@ -28,6 +28,7 @@
     "@types/http-errors": "^1.6.1",
     "@types/node": "^8.5.9",
     "body": "^5.1.0",
+    "cors": "^2.8.4",
     "debug": "^3.1.0",
     "http-errors": "^1.6.1",
     "js-yaml": "^3.9.1",
@@ -39,6 +40,7 @@
     "@loopback/openapi-spec-builder": "^0.3.0",
     "@loopback/repository": "^0.2.1",
     "@loopback/testlab": "^0.3.0",
+    "@types/cors": "^2.8.3",
     "@types/debug": "0.0.30",
     "@types/js-yaml": "^3.9.1",
     "@types/lodash": "^4.14.96"
diff --git a/packages/rest/src/rest-server.ts b/packages/rest/src/rest-server.ts
@@ -11,6 +11,7 @@ import {ParsedRequest} from './internal-types';
 import {OpenApiSpec, OperationObject} from '@loopback/openapi-v3-types';
 import {ServerRequest, ServerResponse, createServer} from 'http';
 import * as Http from 'http';
+import * as cors from 'cors';
 import {Application, CoreBindings, Server} from '@loopback/core';
 import {getControllerSpec} from '@loopback/openapi-v3';
 import {HttpHandler} from './http-handler';
@@ -159,9 +160,24 @@ export class RestServer extends Context implements Server {
   ) {
     // allow CORS support for all endpoints so that users
     // can test with online SwaggerUI instance
-    response.setHeader('Access-Control-Allow-Origin', '*');
-    response.setHeader('Access-Control-Allow-Credentials', 'true');
-    response.setHeader('Access-Control-Allow-Max-Age', '86400');
+
+    const corsOptions = options.cors || {
+      origin: '*',
+      methods: 'GET,HEAD,PUT,PATCH,POST,DELETE',
+      preflightContinue: false,
+      optionsSuccessStatus: 204,
+      maxAge: 86400,
+      credentials: true,
+    };
+
+    // FIXME: `cors` expects Express Request/Response but the implementation
+    // at https://github.com/expressjs/cors/blob/master/lib/index.js only uses
+    // http.ServerRequest/ServerResponse
+    // tslint:disable-next-line:no-any
+    cors(corsOptions)(request as any, response as any, () => {});
+    if (request.method === 'OPTIONS') {
+      return Promise.resolve();
+    }
 
     if (
       request.method === 'GET' &&
@@ -588,6 +604,7 @@ export class RestServer extends Context implements Server {
 export interface RestServerConfig {
   host?: string;
   port?: number;
+  cors?: cors.CorsOptions;
   apiExplorerUrl?: string;
   sequence?: Constructor<SequenceHandler>;
 }
diff --git a/packages/rest/test/integration/rest-server.integration.ts b/packages/rest/test/integration/rest-server.integration.ts
@@ -37,6 +37,35 @@ describe('RestServer (integration)', () => {
       .expect(500);
   });
 
+  it('allows cors', async () => {
+    const server = await givenAServer({rest: {port: 0}});
+    server.handler((sequence, request, response) => {
+      response.write('Hello');
+      response.end();
+    });
+
+    await createClientForHandler(server.handleHttp)
+      .get('/')
+      .expect(200, 'Hello')
+      .expect('Access-Control-Allow-Origin', '*')
+      .expect('Access-Control-Allow-Credentials', 'true');
+  });
+
+  it('allows cors preflight', async () => {
+    const server = await givenAServer({rest: {port: 0}});
+    server.handler((sequence, request, response) => {
+      response.write('Hello');
+      response.end();
+    });
+
+    await createClientForHandler(server.handleHttp)
+      .options('/')
+      .expect(204)
+      .expect('Access-Control-Allow-Origin', '*')
+      .expect('Access-Control-Allow-Credentials', 'true')
+      .expect('Access-Control-Max-Age', '86400');
+  });
+
   it('exposes "GET /openapi.json" endpoint', async () => {
     const server = await givenAServer({rest: {port: 0}});
     const greetSpec = {
@@ -75,7 +104,6 @@ describe('RestServer (integration)', () => {
     });
     expect(response.get('Access-Control-Allow-Origin')).to.equal('*');
     expect(response.get('Access-Control-Allow-Credentials')).to.equal('true');
-    expect(response.get('Access-Control-Allow-Max-Age')).to.equal('86400');
   });
 
   it('exposes "GET /openapi.yaml" endpoint', async () => {
@@ -115,7 +143,6 @@ servers:
     expect(yaml.safeLoad(response.text)).to.eql(expected);
     expect(response.get('Access-Control-Allow-Origin')).to.equal('*');
     expect(response.get('Access-Control-Allow-Credentials')).to.equal('true');
-    expect(response.get('Access-Control-Allow-Max-Age')).to.equal('86400');
   });
 
   it('exposes "GET /swagger-ui" endpoint', async () => {
@@ -145,7 +172,6 @@ servers:
     expect(response.get('Location')).match(url);
     expect(response.get('Access-Control-Allow-Origin')).to.equal('*');
     expect(response.get('Access-Control-Allow-Credentials')).to.equal('true');
-    expect(response.get('Access-Control-Allow-Max-Age')).to.equal('86400');
   });
 
   it('exposes "GET /swagger-ui" endpoint with apiExplorerUrl', async () => {
@@ -177,7 +203,6 @@ servers:
     expect(response.get('Location')).match(url);
     expect(response.get('Access-Control-Allow-Origin')).to.equal('*');
     expect(response.get('Access-Control-Allow-Credentials')).to.equal('true');
-    expect(response.get('Access-Control-Allow-Max-Age')).to.equal('86400');
   });
 
   async function givenAServer(options?: ApplicationConfig) {
