Fix allowing regular requests with "openapi_cors_allowed_origins", cl…

…oses jhthorsen#103
reneeb · Jan 26, 2019 · 586d11c · 586d11c
1 parent 31eb14d
commit 586d11c
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 1 deletion.
diff --git a/Changes b/Changes
@@ -1,5 +1,8 @@
 Revision history for perl distribution Mojolicious-Plugin-OpenAPI
 
+2.11 Not Released
+ - Fix allowing regular requests with "openapi_cors_allowed_origins" #103
+
 2.10 2019-01-25T12:49:55+0900
  - Add "plugins" as a documented feature for register()
  - Add Mojolicious::Plugin::OpenAPI::SpecRenderer

diff --git a/lib/Mojolicious/Plugin/OpenAPI/Cors.pm b/lib/Mojolicious/Plugin/OpenAPI/Cors.pm
@@ -69,8 +69,9 @@ sub _exchange {
 
   # Not a CORS request
   unless (defined $c->req->headers->origin) {
+    my $method = $c->req->method;
     _render_bad_request($c, 'OPTIONS is only for preflighted CORS requests.')
-      if $c->match->endpoint->to->{'openapi.cors_preflighted'};
+      if $method eq 'OPTIONS' and $c->match->endpoint->to->{'openapi.cors_preflighted'};
     return $c;
   }
 

diff --git a/t/cors.t b/t/cors.t
@@ -85,6 +85,15 @@ $t->options_ok('/api/user')->status_is(400)
 $t->put_ok('/api/user', {'Origin' => 'http://bar.example'})->status_is(200)
   ->header_is('Access-Control-Allow-Origin' => 'http://bar.example')->json_has('/created');
 
+$t->get_ok('/api/user')->status_is(200)->header_is('Access-Control-Allow-Origin' => undef)
+  ->json_is('/origin', undef);
+
+$t->put_ok('/api/user')->status_is(200)->header_is('Access-Control-Allow-Origin' => undef)
+  ->json_has('/created');
+
+$t->put_ok('/api/headers')->status_is(200)->header_is('Access-Control-Allow-Origin' => undef)
+  ->json_is('/h' => 42);
+
 note 'Using the spec';
 $t->options_ok('/api/headers')->status_is(400)->json_is('/errors/0/path' => '/Origin');
 $t->put_ok('/api/headers', {'Origin' => 'https://foo.example'})->status_is(400)