In Strapi 4.4.4 CORS strategy doesn't work anymore and throws 500 error

[kwiat1990]

Setup

• Node.js version: 16.14.2
• NPM version: 8.13.2
• Strapi version: 4.4.4
• Database: postgres
• Operating system: MacOS Monterey 12.6

Describe the bug

After recently update from 4.4.3 to 4.4.4 responses with the following error while visiting localhost:1337 or any other related URL:

{
  "data": null,
  "error": {
    "status": 500,
    "name": "InternalServerError",
    "message": "undefined is not a valid origin"
  }
}

I have a custom CORS policy in middleware.js (see "step to reproduce" for the code), which did worked with previous versions. After update to 4.4.4 it seems to be broken. Using standard CORS config as 'strapi::cors' fix the issue.

Steps to reproduce the behavior

1. Update Strapi to 4.4.4
2. Make sure to have custom CORS policy in middleware.js, e.g.:

{
      name: "strapi::cors",
      config: {
        enabled: true,
        headers: "*",
        origin: env.array("ALLOWED_ORIGINS_URL"), // for example: http://localhost:3000,http://localhost:1337
      },
    },

Expected behavior

Strapi works normally without any errors. Admin panel can be visited.

[Convly]

Hi, thanks for creating this issue.

It might be related to #14552

I'll take a look asap.

[Convly]

I was able to reproduce it.

[marcowuethrich]

Workaround, ad a '*' to your url list (But be careful, nothing for prod environment):
{ name: 'strapi::cors', config: { enabled: true, origin: [ '*' ] } },

[Convly]

Missed the message from koajs/cors#87 (comment) saying it was, in fact, a breaking change. We'll have to fix that for the next release in any case (either by downgrading or fixing the middleware implementation).

@CleberRossi is it something you would be interested in providing a fix for?

[CleberRossi]

Hello, I checked and the fixed I had added was moved from koajs/cors 3.x.x and created one other 4.x.x