Fix small bug with :passthrough_non_cors_requests

whatyouhide · Jul 24, 2023 · c3e17ef · c3e17ef
1 parent 2bce890
commit c3e17ef
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 5 deletions.
diff --git a/lib/corsica.ex b/lib/corsica.ex
@@ -319,10 +319,20 @@ defmodule Corsica do
   @impl Plug
   def call(%Conn{} = conn, %Options{} = opts) do
     cond do
-      opts.passthrough_non_cors_requests -> put_cors_preflight_resp_headers_no_check(conn, opts)
-      not cors_req?(conn) -> conn
-      not preflight_req?(conn) -> put_cors_simple_resp_headers(conn, opts)
-      true -> send_preflight_resp(conn, opts)
+      opts.passthrough_non_cors_requests and conn.method == "OPTIONS" ->
+        send_preflight_resp(conn, opts)
+
+      opts.passthrough_non_cors_requests ->
+        put_cors_simple_resp_headers(conn, opts)
+
+      not cors_req?(conn) ->
+        conn
+
+      not preflight_req?(conn) ->
+        put_cors_simple_resp_headers(conn, opts)
+
+      true ->
+        send_preflight_resp(conn, opts)
     end
   end
 

diff --git a/test/corsica_test.exs b/test/corsica_test.exs
@@ -542,7 +542,7 @@ defmodule CorsicaTest do
       assert get_resp_header(conn, "access-control-allow-methods") == []
     end
 
-    test "with :passthrough_non_cors_requests set to true" do
+    test "with :passthrough_non_cors_requests set to true and a simple request" do
       conn =
         conn(:get, "/")
         |> Plug.run([
@@ -557,6 +557,23 @@ defmodule CorsicaTest do
       assert conn.status == 200
       assert conn.resp_body == "matched"
       assert get_resp_header(conn, "access-control-allow-origin") == ["*"]
+    end
+
+    test "with :passthrough_non_cors_requests set to true and a preflight request" do
+      conn =
+        conn(:options, "/")
+        |> Plug.run([
+          {Corsica, origins: "*", passthrough_non_cors_requests: true, allow_headers: ~w(X-Foo)},
+          &send_resp(&1, 200, "matched")
+        ])
+
+      # The whole point is that this is not even a valid CORS request.
+      assert get_req_header(conn, "origin") == []
+
+      assert conn.state == :sent
+      assert conn.status == 200
+      assert conn.resp_body == ""
+      assert get_resp_header(conn, "access-control-allow-origin") == ["*"]
       assert get_resp_header(conn, "access-control-allow-methods") == ["PUT,PATCH,DELETE"]
       assert get_resp_header(conn, "access-control-allow-headers") == ["x-foo"]
     end