
[BUG] cors middleware will add multiple headers when used with Party

Open Dexus opened this issue 1 year ago • 4 comments

https://github.com/iris-contrib/middleware/blob/master/cors/cors_test.go

The only difference is that I use a Party

...
app.UseRouter(crs)
...
v1 := app.Party("/v1").AllowMethods(iris.MethodOptions)
v1.UseRouter(crs) // same behavior for v1.Use(crs)
...

Dexus avatar Sep 10 '24 13:09 Dexus

Additional Info:

iris.Default already includes a cors, but it is breaking the response:

Access-Control-Allow-Credentials: true
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *, Authorization, X-Authorization
Access-Control-Expose-Headers: *
Content-Type: application/problem+json; charset=utf-8
Referrer-Policy: no-referrer-when-downgrade
Vary: Origin
Vary: Origin
X-Request-Id: 7e7e2b70-5d70-46e3-8fe8-6a881c2b63ba
Date: Tue, 10 Sep 2024 13:35:50 GMT
Content-Length: 134

	// cors
	crs := cors.New(cors.Options{
		AllowedOrigins:     []string{"*"},
		AllowedMethods:     []string{"PUT", "PATCH", "GET", "POST", "OPTIONS", "DELETE"},
		AllowedHeaders:     []string{"*"},
		ExposedHeaders:     []string{"*"},
		AllowCredentials:   true,
		MaxAge:             int((24 * time.Hour).Seconds()),
		Debug:              true,
	})

NO OPTIONS is allowed to the v1 routes:

app := iris.Default()
...
app.UseRouter(crs)
...
v1 := app.Party("/v1").AllowMethods(iris.MethodOptions)
v1.UseRouter(crs) // same behavior for v1.Use(crs)
...

same here:

app := iris.Default()
...
app.UseRouter(crs)
...
v1 := app.Party("/v1").AllowMethods(iris.MethodOptions)
...

This gives a 204 for options.

app := iris.Default()
...
v1 := app.Party("/v1").AllowMethods(iris.MethodOptions)
v1.UseRouter(crs) // same behavior for v1.Use(crs)
...

Dexus avatar Sep 10 '24 13:09 Dexus
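A regression check for the symptom in the header dump above, added here as an example and not taken from the issue thread, Iris, or iris-contrib/middleware. It uses only Go's `net/http`: `corsLike`, `duplicatedCORS` and `probe` are hypothetical names, `corsLike` is a stand-in that is assumed to append its headers, and the request path and origin are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
	"strings"
)

// corsLike is a hypothetical stand-in (not iris-contrib/cors) that appends its headers with Add.
func corsLike(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Add("Vary", "Origin")
		w.Header().Add("Access-Control-Allow-Credentials", "true")
		w.Header().Add("Access-Control-Expose-Headers", "*")
		next.ServeHTTP(w, r)
	})
}

// duplicatedCORS lists Access-Control-* headers sent on several lines and Vary with a repeated value.
func duplicatedCORS(h http.Header) []string {
	var dups []string
	for name, values := range h {
		seen := map[string]bool{}
		for _, v := range values {
			seen[v] = true
		}
		if (len(values) > 1 && strings.HasPrefix(name, "Access-Control-")) || (name == "Vary" && len(seen) < len(values)) {
			dups = append(dups, name)
		}
	}
	sort.Strings(dups)
	return dups
}

// probe sends a constructed cross-origin request through handler and checks the reply.
func probe(handler http.Handler) []string {
	req := httptest.NewRequest(http.MethodGet, "/v1/items", nil) // constructed path
	req.Header.Set("Origin", "https://app.example")              // constructed origin
	rec := httptest.NewRecorder()
	handler.ServeHTTP(rec, req)
	return duplicatedCORS(rec.Result().Header)
}

func main() {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusNoContent) })
	fmt.Println("one layer:", probe(corsLike(ok)), "two layers:", probe(corsLike(corsLike(ok))))
}
```

`probe` accepts any `http.Handler`, so the same check can sit in a test suite for a router that applies CORS at more than one level. Fetch-based clients read repeated header lines as one comma-joined value, so a doubled `Access-Control-Allow-Credentials` no longer compares equal to `true`.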

@Dexus Have you considered using iris.New() instead of iris.Default()? I met the same problem and found that iris.Default()'s comment says it already includes an allow-all cors middleware. And iris.New() seems not to contain a cors middleware.

Below is iris.Default()'s comment: https://github.com/kataras/iris/blob/d5e0048d7d32cbfba52ea5be5f10d6f38d7c4311/iris.go#L139-L145

fnsne avatar Oct 22 '24 03:10 fnsne

@fnsne The problem is that even if I use iris.New() I will have this issue when I have children that use another CORS setting, which we need.

Dexus avatar Oct 22 '24 16:10 Dexus

@Dexus It seems strange, and I'm unsure why it happened.

fnsne avatar Oct 23 '24 05:10 fnsne