Don't respond to OPTIONS requests for non-oauth requests #539

Merged
merged 4 commits into from
Jun 18, 2024
Conversation

@APTy (Contributor) commented Jun 18, 2024

This middleware is a little overzealous with its responses to `OPTIONS` requests. It really shouldn't respond to *every* request with these default highly permissive CORS headers.

Instead, it should only respond in this way if the path matches the prefix, otherwise defer to the application to respond to the `OPTIONS` request with its own CORS headers.

Before the change?

OPTIONS calls to any API result in the headers defined by the oauth-app.js library.

$ curl localhost:3000/api/me -v -X OPTIONS
...
< HTTP/1.1 200 OK
< access-control-allow-origin: *
< access-control-allow-methods: *
< access-control-allow-headers: Content-Type, User-Agent, Authorization

After the change?

OPTIONS calls to any API result in headers defined by the application.

$ curl localhost:3000/api/me -v -X OPTIONS
...
< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: http://localhost:5173
< Access-Control-Allow-Methods: GET, POST, OPTIONS
< Access-Control-Allow-Headers: content-type

And OPTIONS calls to this middleware's routes still return correct headers:

$ curl localhost:3000/github/oauth/login -X OPTIONS -v
...
< access-control-allow-origin: *
< access-control-allow-methods: *
< access-control-allow-headers: content-type

Pull request checklist

  • Tests for the changes have been added (for bug fixes / features)
  • Docs have been reviewed and added / updated if needed (for bug fixes / features)

Does this introduce a breaking change?

Low probability

  • Yes
  • No

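The before/after behaviour described in this PR, as an added example that is not code from octokit/oauth-app.js: a small Node-style middleware chain in which the legacy handler answers every `OPTIONS` request with wildcard CORS headers, while the fixed handler checks its path prefix first and passes everything else to the application's own CORS policy. `createLegacyMiddleware`, `createOAuthMiddleware`, `createAppCors`, `apiMe` and `runChain` are hypothetical helpers written for this illustration; the prefix `/github/oauth`, the origin `http://localhost:5173` and the route `/api/me` are taken from the curl calls above, and the request/response objects are constructed in-process rather than served over a socket.

```javascript
// Added example, not code from octokit/oauth-app.js: a minimal Node-style
// middleware chain contrasting the behaviour before the PR (every OPTIONS
// request answered with wildcard CORS headers) with the behaviour after it
// (only OPTIONS requests under the middleware's own path prefix are answered;
// everything else is passed to the application). createLegacyMiddleware,
// createOAuthMiddleware, createAppCors, apiMe and runChain are hypothetical
// helpers written for this illustration.

const PERMISSIVE_CORS = {
  "access-control-allow-origin": "*",
  "access-control-allow-methods": "*",
  "access-control-allow-headers": "content-type",
};

// Before: the OPTIONS check runs before the prefix check, so preflights for
// any path, including the application's own API, get the wildcard headers.
function createLegacyMiddleware({ pathPrefix }) {
  return (req, res, next) => {
    if (req.method === "OPTIONS") return res.send(200, PERMISSIVE_CORS);
    if (!req.path.startsWith(pathPrefix)) return next();
    return res.send(200, {}); // OAuth route handling elided (stub)
  };
}

// After: the prefix check comes first, so OPTIONS requests outside the prefix
// fall through to the application and its own CORS policy.
function createOAuthMiddleware({ pathPrefix }) {
  return (req, res, next) => {
    if (!req.path.startsWith(pathPrefix)) return next();
    if (req.method === "OPTIONS") return res.send(200, PERMISSIVE_CORS);
    return res.send(200, {}); // OAuth route handling elided (stub)
  };
}

// The application's own CORS policy: an explicit origin allow-list and an
// explicit method list. Unknown origins get no allow headers at all.
function createAppCors({ allowedOrigins }) {
  return (req, res, next) => {
    const origin = req.headers.origin;
    const headers = {};
    if (origin && allowedOrigins.includes(origin)) {
      headers["access-control-allow-origin"] = origin;
      headers["access-control-allow-methods"] = "GET, POST, OPTIONS";
      headers["access-control-allow-headers"] = "content-type";
      headers["vary"] = "Origin"; // caches must key on Origin
    }
    if (req.method === "OPTIONS") return res.send(200, headers);
    req.corsHeaders = headers; // reused by the actual route handler
    return next();
  };
}

// A stand-in application route.
function apiMe(req, res) {
  return res.send(200, { ...req.corsHeaders, "content-type": "application/json" },
    '{"login":"example-user"}');
}

// Runs a constructed request through a handler chain without opening a socket
// and returns { status, headers, body } for inspection.
function runChain(handlers, { method, path, origin }) {
  const req = { method, path, headers: origin ? { origin } : {}, corsHeaders: {} };
  const result = { status: 404, headers: {}, body: "" };
  const res = {
    send(status, headers, body = "") {
      Object.assign(result, { status, headers, body });
      return result;
    },
  };
  let index = 0;
  const next = () =>
    index < handlers.length ? handlers[index++](req, res, next) : res.send(404, {});
  next();
  return result;
}

const PATH_PREFIX = "/github/oauth"; // matches the curl calls in the PR description
const ALLOWED_ORIGINS = ["http://localhost:5173"];
const appCors = createAppCors({ allowedOrigins: ALLOWED_ORIGINS });
const beforeChain = [createLegacyMiddleware({ pathPrefix: PATH_PREFIX }), appCors, apiMe];
const afterChain = [createOAuthMiddleware({ pathPrefix: PATH_PREFIX }), appCors, apiMe];

// A browser preflight for the given path, sent from the given origin.
function preflight(chain, path, origin) {
  return runChain(chain, { method: "OPTIONS", path, origin });
}

for (const [label, chain] of [["before", beforeChain], ["after", afterChain]]) {
  const r = preflight(chain, "/api/me", "http://localhost:5173");
  console.log(`${label}: OPTIONS /api/me ->`, r.status, r.headers);
}
```

The point the two chains make: with the legacy ordering the application's allow-list is never consulted for preflights, so every origin passes the preflight step for the app's own API even though the app intended to admit only `http://localhost:5173`. Moving the prefix check in front of the method check restores the application as the authority for its own routes while leaving the OAuth routes' wildcard preflight untouched.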

👋 Hi! Thank you for this contribution! Just to let you know, our GitHub SDK team does a round of issue and PR reviews twice a week, every Monday and Friday! We have a process in place for prioritizing and responding to your input. Because you are a part of this community please feel free to comment, add to, or pick up any issues/PRs that are labeled with Status: Up for grabs. You & others like you are the reason all of this works! So thank you & happy coding! 🚀

@wolfy1339 (Member) commented Jun 18, 2024

I think line 34 needs to be moved as well. NVM that, it is good as it is.

@wolfy1339 wolfy1339 added the Type: Feature New feature or request label Jun 18, 2024
@gr2m (Contributor) commented Jun 18, 2024

I think we need to add a test to avoid future regression. Could you look into that?

@APTy (Contributor, Author) commented Jun 18, 2024

> I think we need to add a test to avoid future regression. Could you look into that?

Great idea! Added

@gr2m (Contributor) left a review comment

Great PR, thank you Tyler 💐

@gr2m gr2m merged commit d4829f7 into octokit:main Jun 18, 2024
6 checks passed

🎉 This PR is included in version 7.1.3 🎉

The release is available on:

Your semantic-release bot 📦🚀

@APTy APTy deleted the patch-1 branch June 19, 2024 13:37
Labels: released, Type: Feature (New feature or request)