no CORS for API CatchAll handler

coupergateway · Feb 22, 2022 · 9981b8f · 9981b8f
1 parent 4cf771e
commit 9981b8f
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 5 deletions.
diff --git a/config/runtime/server.go b/config/runtime/server.go
@@ -282,9 +282,11 @@ func NewServerConfiguration(conf *config.Couper, log *logrus.Entry, memStore *ca
 			}
 			epOpts.LogHandlerKind = kind.String()
 
+			apiCatchAll := false
 			var epHandler, protectedHandler http.Handler
 			if parentAPI != nil && parentAPI.CatchAllEndpoint == endpointConf {
 				protectedHandler = epOpts.ErrorTemplate.WithError(errors.RouteNotFound)
+				apiCatchAll = true
 			} else {
 				epErrorHandler, err := newErrorHandler(confCtx, &protectedOptions{
 					epOpts:       epOpts,
@@ -333,12 +335,14 @@ func NewServerConfiguration(conf *config.Couper, log *logrus.Entry, memStore *ca
 				return nil, err
 			}
 
-			corsOptions, err := middleware.NewCORSOptions(whichCORS(srvConf, parentAPI))
-			if err != nil {
-				return nil, err
-			}
+			if !apiCatchAll {
+				corsOptions, err := middleware.NewCORSOptions(whichCORS(srvConf, parentAPI))
+				if err != nil {
+					return nil, err
+				}
 
-			epHandler = middleware.NewCORSHandler(corsOptions, epHandler)
+				epHandler = middleware.NewCORSHandler(corsOptions, epHandler)
+			}
 
 			bodies := serverBodies
 			if parentAPI != nil {

diff --git a/server/http_integration_test.go b/server/http_integration_test.go
@@ -3127,6 +3127,8 @@ func TestAPICatchAll(t *testing.T) {
 	for _, tc := range []testCase{
 		{"/v5/not-exist", http.MethodGet, http.Header{}, http.StatusUnauthorized, "access control error: ba1: credentials required"},
 		{"/v5/not-exist", "BREW", http.Header{}, http.StatusUnauthorized, "access control error: ba1: credentials required"},
+		{"/v5/exists", http.MethodOptions, http.Header{"Origin": []string{"https://www.example.com"}, "Access-Control-Request-Method": []string{"POST"}}, http.StatusNoContent, ""},
+		{"/v5/not-exist", http.MethodOptions, http.Header{"Origin": []string{"https://www.example.com"}, "Access-Control-Request-Method": []string{"POST"}}, http.StatusUnauthorized, "access control error: ba1: credentials required"},
 	} {
 		t.Run(tc.path[1:], func(subT *testing.T) {
 			helper := test.New(subT)

diff --git a/server/testdata/integration/config/03_couper.hcl b/server/testdata/integration/config/03_couper.hcl
@@ -57,6 +57,9 @@ server "acs" {
   api {
     base_path = "/v5"
     access_control = ["ba2"]
+    cors {
+      allowed_origins = ["*"]
+    }
     endpoint "/exists" {
       response {
         body = "exists"