Middleware seems to work differently on Dart vs. Node

[chimon2000]

Bug Report

Issue

It seems like middleware works differently depending on the SDK used. When using the Node version, I can add a middleware to enable cors for the entire API like so:

import { HttpMiddleware } from '@nitric/sdk'

export const corsMiddleware: HttpMiddleware = (ctx, next) => {
  ctx.res.headers['Access-Control-Allow-Origin'] = ['*']
  ctx.res.headers['Access-Control-Allow-Headers'] = [
    'Origin, Content-Type, Accept, Authorization',
  ]
  ctx.res.headers['Access-Control-Allow-Methods'] = ['GET,POST,DELETE,OPTIONS']

  return next(ctx)
}

If I apply that same version in Dart, the middleware fails to work as expected.

import 'package:nitric_sdk/nitric.dart';

final HttpHandler corsMiddleware = (ctx) {
  ctx.res.headers['Access-Control-Allow-Origin'] = ['*'];
  ctx.res.headers['Access-Control-Allow-Headers'] = [
    'Origin, Content-Type, Accept, Authorization',
  ];
  ctx.res.headers['Access-Control-Allow-Methods'] = ['GET,POST,DELETE,OPTIONS'];

  return ctx.next();
};

Steps

Steps to reproduce the behavior:

1. Use the above middleware in a Dart project
2. Observe requests being blocked
3. Use middleware in Node project
4. Observe requests succeeding

Expected

The middleware should function the same regardless of the environment.

Environment and setup information

N/A

Other info

N/A

[davemooreuws]

Hi @chimon2000 ,

I cannot reproduce this with the code below on nitric start or deployed to AWS, nothing is blocked for me. Can you try with the example code below?

I am using:
Dart SDK version: 1.4.0
Nitric CLI: v1.50.6

import 'package:nitric_sdk/nitric.dart';

Future<HttpContext> corsMiddleware(HttpContext ctx) {
  ctx.res.headers['Access-Control-Allow-Origin'] = ['*'];
  ctx.res.headers['Access-Control-Allow-Headers'] = [
    'Origin, Content-Type, Accept, Authorization',
  ];
  ctx.res.headers['Access-Control-Allow-Methods'] = ['GET,POST,DELETE,OPTIONS'];

  return ctx.next();
}

void main() {
  final helloApi = Nitric.api("main",
      opts: ApiOptions(middlewares: List.from([corsMiddleware])));

  helloApi.get("/hello/:name", (ctx) async {
    final name = ctx.req.pathParams["name"]!;

    ctx.res.body = "Hello $name";

    return ctx.next();
  });
}

[chimon2000]

@davemooreuws I was able to narrow down the error. It occurs when I add the authorization header. Here's a very small example:

https://github.com/chimon2000/nitric_middleware

[davemooreuws]

@davemooreuws I was able to narrow down the error. It occurs when I add the authorization header. Here's a very small example:

https://github.com/chimon2000/nitric_middleware

Thanks for the example @chimon2000 , I'll take a look.

[davemooreuws]

Hi @chimon2000,

This is simply the way CORs works with an Authorization header. It requires a successful "preflight request". Like so:

api.options("/hello/:name", (ctx) async {
    return ctx.next();
});

My forked repo with the changes: https://github.com/davemooreuws/nitric_middleware

More information on CORs: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests

We do have an open feature request for CORs helpers: nitrictech/nitric#520 (comment)
This would avoid you needing to handle the preflight requests manually.

[davemooreuws]

Closing, middleware checked for both node and dart. No issues.