fix(middleware/cors): Categorize requests correctly

[sixcolors]

PR Comment:

Summary:

This PR refines the CORS middleware handling, particularly addressing scenarios where the request lacks specific headers necessary for CORS processing. It also enhances testing coverage for various request types and configurations.

Changes Made:

• Middleware Logic Adjustment:
  • Improved handling for requests lacking the Origin and Access-Control-Request-Method headers, clearly defining them as outside the CORS scope.
  • Simplified response header setting for simple requests, optimizing performance.
  • Enhanced handling for requests with AllowCredentials set to true, ensuring proper behavior regarding the Access-Control-Allow-Origin header.
• Test Coverage Expansion:
  • Added tests covering scenarios of requests without necessary CORS headers, ensuring correct handling.
  • Extended test scenarios for various request types and configurations, bolstering overall testing coverage.

Notes for Review:

• Logic Clarity: The logic around determining the CORS scope has been refined for better clarity and performance. Please review to ensure it aligns with our CORS handling requirements.
• Testing: Additional tests have been added to cover a wide range of request scenarios. Kindly review to ensure comprehensive coverage and correctness.
• Performance Impact: The adjustments made aim to optimize performance, particularly in simplifying response header setting. However, please assess if there are any unintended performance impacts.
• Error Handling: As we're refining middleware handling, it's crucial to ensure error handling remains robust. Please verify error paths and edge cases are adequately addressed.

Fixes #2920

Summary by CodeRabbit

• Documentation
  • Improved grammar in contribution guidelines.
  • Updated pull request template and URLs.
  • Enhanced middleware documentation for better clarity and usage instructions.
  • Updated API documentation with corrections and new logging tags.
  • Added a new healthcheck middleware guide.
  • Corrected typo related to route constraints in the routing guide.
• New Features
  • Introduced configurations for version tagging and commit filtering in release drafter.
  • Added handling for release events in documentation synchronization.
  • Implemented enhanced CORS functionality, including dynamic origin evaluation and improved security checks.
  • Introduced health check middleware for monitoring application liveness and readiness.
• Bug Fixes
  • Corrected default behavior of QueryBool function to return false for invalid inputs.
  • Fixed redirection logic to include query strings in the redirected URL.
• Refactor
  • Updated GitHub Actions workflows to trigger on v2 branch and upgraded actions versions.
  • Changed ContextKey types from string to interface{} across various middleware configurations for increased flexibility.
  • Updated logging middleware to include new tags and conditional color formatting.
• Tests
  • Enhanced test coverage for parsing functionalities and middleware behavior, including CORS normalization and redirection with query parameters.

[coderabbitai]

Warning

Rate Limit Exceeded

@sixcolors has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 25 minutes and 37 seconds before requesting another review.

How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.
Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.
Please see our FAQ for further information.

Commits

Files that changed from the base of the PR and between b5b6c9f and 38ab39b.

Walkthrough

The recent changes encompass a range of enhancements across middleware, workflows, and documentation in the project. Noteworthy updates include refining CORS middleware functionality, adjusting workflow triggers to target the v2 branch specifically, and enhancing middleware configuration flexibility. Additionally, improvements in unit testing and documentation aim to align with the latest features and coding standards, enhancing project efficiency, security, and usability.

Changes

Files	Change Summary
.github/...	Updated workflow triggers to v2; upgraded actions; introduced new configurations for release drafting.
app.go, ctx.go, ctx_test.go	Updated version constant; modified default behavior of QueryBool; added new test functions.
docs/api/..., docs/guide/...	Corrected documentation; updated types and logging; introduced new middleware functionalities.
middleware/..., middleware/.../config.go, middleware/.../cors.go	Enhanced CORS handling; updated middleware configurations for flexibility; improved redirection and logging.

Assessment against linked issues

Objective	Addressed	Explanation
Identify and rectify misclassification of OPTIONS requests by CORS middleware. [#2920]	✅
Ensure OPTIONS requests without specific headers are not treated as preflight requests. [#2920]	✅
Allow OPTIONS requests to hit user-registered endpoints like /hello. [#2920]	✅
Update behavior for /hello to respond correctly to OPTIONS requests with 204 No Content. [#2920]	❓	Specific response details not explicitly outlined.
Verify compliance with Fetch standard for categorizing OPTIONS requests. [#2920]	❓	Alignment with standard not explicitly mentioned.

Related issues

• 📝 [Proposal]: Add Support for the Private Network Access CORS Header Access-Control-Request-Private-Network #2804: The changes in middleware related to CORS enhancements might indirectly address the need to support the Private Network Access CORS header as it involves CORS middleware improvements aligning with standards and compatibility with Express.js.

Poem

In the realm of code where changes play,
A dance of updates in the light of day.
Middleware whispers, workflows gleam,
v2 branch shines in the codebase stream. 🌟
Documents align, tests embrace,
Project evolution sets the pace.
🐰 "Hoppity hop," the CodeRabbit cheers,
Through the codebase maze, progress nears!

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

Share

• X
• Mastodon
• Reddit
• LinkedIn

---

Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>.
  • Generate unit-tests for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit tests for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai generate interesting stats about this repository and render them as a table.
  • @coderabbitai show all the console.log statements in this repository.
  • @coderabbitai read src/utils.ts and generate unit tests.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (invoked as PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger a review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai help to get help.

Additionally, you can add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.

CodeRabbit Configration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• The JSON schema for the configuration file is available here.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/coderabbit-overrides.v2.json

CodeRabbit Discord Community

Join our Discord Community to get help, request features, and share feedback.

[sixcolors]

@jub0bs please reply and I'll add you for review.

[sixcolors]

@coderabbitai I changed the target branch to v2, re-do your review and summary.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

@sixcolors, based on the changes made in the PR against the v2 branch, here's a summary of the modifications:

Summary of Changes

• CORS Middleware (cors.go): Adjustments have been made to ensure that not all OPTIONS requests are treated as preflight requests. Now, a request must have both Origin and Access-Control-Request-Method headers to be considered a preflight request. This aligns with the Fetch standard and the PR objectives. Additionally, for simple requests (non-preflight), the Allow-Methods and Allow-Headers are omitted, as they are only relevant for preflight requests.
• CORS Middleware Tests (cors_test.go): New tests have been added to validate the behavior of CORS middleware under various conditions, including with and without the Origin and Access-Control-Request-Method headers. These tests ensure that the middleware behaves correctly for both preflight and simple requests, adhering to the updated logic.

Key Observations

• The changes specifically address the incorrect classification of OPTIONS requests as preflight requests by requiring both Origin and Access-Control-Request-Method headers for such classification.
• The CORS middleware now correctly allows OPTIONS requests without the Access-Control-Request-Method header to pass through, enabling them to reach user-registered endpoints.
• The addition of tests ensures that the new behavior is thoroughly verified against various request scenarios.

These changes align with the PR objectives to correct the misclassification of OPTIONS requests and enhance the project's adherence to standards and overall functionality.

Analysis chain

---

Scripts executed

The following scripts were executed for the analysis:

---

Script:

#!/bin/bash
# Switch to the v2 branch to analyze the changes made in the PR.
git checkout v2
# List the files changed in the PR to focus the review on those files.
git diff --name-only HEAD..origin/PR-2921
# Specifically, review changes related to CORS middleware, documentation, and tests.
git diff HEAD..origin/PR-2921 -- middleware/cors/*
git diff HEAD..origin/PR-2921 -- README.md
git diff HEAD..origin/PR-2921 -- **/*_test.go

Length of output: 929

---

---

Script:

#!/bin/bash
# Fetch the changes from PR 2921 into a local branch for comparison.
git fetch origin pull/2921/head:pr-2921-changes
# Checkout the v2 branch.
git checkout v2
# Compare the v2 branch with the changes from PR 2921.
git diff --name-only v2 pr-2921-changes
# Assuming middleware/cors and tests are relevant, attempt to review changes in those areas.
git diff v2 pr-2921-changes -- middleware/cors/
git diff v2 pr-2921-changes -- README.md
git diff v2 pr-2921-changes -- **/*_test.go

Length of output: 13558

[coderabbitai]

Review Status

Actionable comments generated: 0

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between b9430ec and de3f4ab.

Files selected for processing (1)

• middleware/cors/cors_test.go (18 hunks)

Files skipped from review as they are similar to previous changes (1)

• middleware/cors/cors_test.go

[coderabbitai]

Review Status

Actionable comments generated: 0

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between de3f4ab and b5b6c9f.

Files selected for processing (1)

• middleware/cors/utils_test.go (3 hunks)

Files skipped from review as they are similar to previous changes (1)

• middleware/cors/utils_test.go

[gaby]

Will review today

[gaby]

LGTM