fix(api): allow PATCH in CORS so browsers can call the status endpoints#1436
Open
JosephDoUrden wants to merge 1 commit into
Open
fix(api): allow PATCH in CORS so browsers can call the status endpoints#1436JosephDoUrden wants to merge 1 commit into
JosephDoUrden wants to merge 1 commit into
Conversation
The status endpoints (PATCH /v0/servers/{name}/status and the per-version
variant) are served with PATCH, but the CORS middleware's AllowedMethods never
listed PATCH, so a cross-origin browser preflight for them returns without the
allow headers and the browser blocks the request. Added PATCH to the allowed
methods.
The existing CORS test is a black-box placeholder that can't reach the wrapped
handler (its own comments say as much), which is why this slipped through. Added
a small Handler() accessor and a real preflight test asserting every routed
method including PATCH is allowed.
ac0e3c0 to
191aec6
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The status endpoints (PATCH /v0/servers/{name}/status and the per-version one) are served with PATCH, but the CORS middleware's AllowedMethods lists GET/POST/PUT/DELETE/OPTIONS and never PATCH. So a cross-origin browser preflight for those endpoints comes back without the allow headers and the browser blocks the actual request. One-line fix: add PATCH to the allowed methods.
While here, the existing CORS test turned out to be a placeholder that never reaches the real wrapped handler (its own comments say so), which is why this went unnoticed. Added a small Handler() accessor and a proper preflight test that asserts each routed method including PATCH is allowed.