CORS: allow all API methods + expose response headers for browsers#85
Merged
Conversation
The cross-origin config only set `origin` and relied on @fastify/cors defaults, which don't expose ETag / X-Request-Id, so the If-Match optimistic-concurrency flow and request-id correlation broke for browser clients on another origin. Configure CORS explicitly:

- methods: GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS (every method the API uses)
- allowedHeaders: Authorization, Content-Type, If-Match, X-Project-Id, X-User-Token, X-Request-Id (the custom request headers the API reads)
- exposedHeaders: ETag, X-Request-Id, X-RateLimit-*, Retry-After, Content-Disposition
- maxAge: cache preflight for a day

CORS_ORIGIN still governs which origins are allowed (open by default).

Verification: 74/74 SQLite (+ the cors test now asserts the preflight allows all methods + custom headers and that ETag/X-Request-Id are exposed), 53/53 Postgres 16. Docs updated (README).
What

Make CORS browser-ready for every method the API allows (and the headers it uses). Previously the cross-origin config only set `origin` and leaned on @fastify/cors defaults, which don't expose `ETag`/`X-Request-Id`, so the `If-Match` optimistic-concurrency flow and request-id correlation silently broke for browser clients on another origin.

How

`@fastify/cors` is now configured explicitly:

- methods: `GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS`, every method the REST API uses, so preflight passes for writes/deletes.
- allowedHeaders: `Authorization`, `Content-Type`, `If-Match`, `X-Project-Id`, `X-User-Token`, `X-Request-Id`, the custom request headers the API reads (project keys, identity tokens, optimistic concurrency).
- exposedHeaders: `ETag`, `X-Request-Id`, `X-RateLimit-*`, `Retry-After`, `Content-Disposition`, so the SDK/browser can actually read them cross-origin.
- `CORS_ORIGIN` still governs which origins are allowed (open by default); unchanged.

Verification

`OPTIONS` preflight advertises all methods + the custom headers, and `ETag`/`X-Request-Id` appear in `Access-Control-Expose-Headers`.

(Interpreted "register corps … for all methods that the API allows" as CORS; let me know if you meant something else.)
https://claude.ai/code/session_018efxvWw3MRjdtvE5xgBqya
Generated by Claude Code