fix(cors): missing credentials option

kukhariev · Oct 8, 2019 · 0080ad3 · 0080ad3
1 parent c798471
commit 0080ad3
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 1 deletion.
diff --git a/src/core/Cors.ts b/src/core/Cors.ts
@@ -5,12 +5,14 @@ export class Cors {
   static allowedMethods = ['DELETE', 'GET', 'HEAD', 'OPTIONS', 'PATCH', 'POST', 'PUT'];
   static allowedHeaders = [];
   static maxAge = 600;
-  static origin = '*';
+  static origin = '';
+  static credentials = false;
 
   static preflight(req: http.IncomingMessage, res: http.ServerResponse): boolean {
     const origin = getHeader(req, 'origin');
     if (!origin) return false;
     res.setHeader('Access-Control-Allow-Origin', Cors.origin || origin);
+    Cors.credentials && res.setHeader('Access-Control-Allow-Credentials', 'true');
     const isPreflight = getHeader(req, 'access-control-request-method') && req.method === 'OPTIONS';
     if (!isPreflight) return false;
     res.setHeader('Access-Control-Allow-Methods', Cors.allowedMethods.toString());

diff --git a/test/Cors.spec.ts b/test/Cors.spec.ts
@@ -39,5 +39,15 @@ describe('CORS', function() {
       Cors.preflight(req, res);
       expect(res.header('Access-Control-Allow-Headers')).to.be.undefined;
     });
+    it('should set `Access-Control-Allow-Credentials` header', function() {
+      Cors.credentials = true;
+      Cors.preflight(req, res);
+      expect(res.header('Access-Control-Allow-Credentials')).to.be.equal('true');
+    });
+    it('should set custom origin', function() {
+      Cors.origin = '*';
+      Cors.preflight(req, res);
+      expect(res.header('Access-Control-Allow-Origin')).to.be.equal('*');
+    });
   });
 });