cors icon indicating copy to clipboard operation
cors copied to clipboard
verified publisher icon expressjs

Multiple cors middlewares on same request?

Open olalonde opened this issue 9 years ago • 5 comments

I have an API where I want every path to be CORS-enabled for all origins except for /auth/connect/twitter because it uses a cookie based session.

I was wondering if it would be possible to make it so that the last cors() middleware always overrides precedent ones. E.g.

router.use(cors())
router.use(cors({ origin: 'http://mydomain.com' }))

should set the Access-Control-Allow-Origin to http://mydomain.com. Is that possible?

olalonde avatar May 27 '16 02:05 olalonde

Running into the same issue. From what we can tell multiple calls to cors strictly append to the existing headers. While there may be a use case for this, not being able to override this behavior is a non-starter.

We don't want Access-Control-Allow-Origin to be *,http://example.com.

Probably just going to gut cors for now since this is time sensitive.

EDIT: You can specify preflightContinue to add specific header overrides using express' native .setHeader() on OPTIONS requests. This resolves our problem, but @olalonde's use case is still not possible so far as I can tell (it's obvious in the source code as to why this is the case and it's probably working as intended).

sjberry avatar Jun 03 '16 22:06 sjberry

Yes, I ended up doing something like this:

    const corsMiddleware = cors()
    router.use((req, res, next) => {
      if (req.path.match(/^\/auth\/connect\//)) {
        // let later cors middleware handle it!
        return next()
      }
      return corsMiddleware(req, res, next)
    })

olalonde avatar Jun 04 '16 04:06 olalonde

I like your solution @olalonde

troygoode avatar Sep 20 '16 23:09 troygoode

I was looking into the code for cors today and I think it might be supported out of the box. It appears that there are undocumented code that supports regular expressions and arrays. When you pass an object to cors() it calls the private function isOriginAllowed with what is inside the origin property if that is not a function. That supports Array and RegExp, so you could actually have a regular expression for your domain. And it will only add the Access-Control-Allow-Origin Header if req.headers.origin matches

function isOriginAllowed(origin, allowedOrigin) {
    if (Array.isArray(allowedOrigin)) {
      for (var i = 0; i < allowedOrigin.length; ++i) {
        if (isOriginAllowed(origin, allowedOrigin[i])) {
          return true;
        }
      }
      return false;
    } else if (isString(allowedOrigin)) {
      return origin === allowedOrigin;
    } else if (allowedOrigin instanceof RegExp) {
      return allowedOrigin.test(origin);
    } else {
      return !!allowedOrigin;
    }
  }

ghost avatar Dec 07 '17 12:12 ghost

hey Hii every one i am new to opensource world can any one help me in making my first contribution in this library.by explaining it more to me and guiding me.

aman-ka avatar Apr 25 '21 05:04 aman-ka