Use cors module instead of custom cors logic

[mifi]

fixes #2762

• adds support for regex new regex env variable COMPANION_CLIENT_ORIGINS_REGEX
• corresponding option for the companion object corsOrigins which equals to cors origin config
• encapsulate custom cors headers merge logic in own middleware
• pull out non cors logic from middleware
• unit test the cors middleware

NOTE: that returned headers are probably not exactly the same as before (there were no unit tests for cors), but it will be according to the cors module, so it should be a more "standard" behaviour.

[juliangruber]

Very nice, and great that you were explicit where we needed to diverge from default cors behavior

[goto-bus-stop]

looks great, hard to predict if it will have any breaking consequences so I guess there's one way to find out 😇

[arturi]

that returned headers are probably not exactly the same as before

Can this break if someone is running Uppy 1.3 from 1 year ago and Companion upgrades on Transloadit servers?

[mifi]

Is there anything special about uppy 1.3? I can't really guarantee that nothing will break, but I'm using the cors module in a pretty standard way, and that module is used by thousands of devs with I imagine millions of users, so it should work according to normal CORS behavior. Whether there have been some historic quirks/hacks throughout the history of uppy, that could be affected by this, is beyond me.

Differences in behaviour that I can think of are:

• Order of headers is probably different
• We never send Access-Control-Allow-Origin: * anymore, we always send the request origin if matched (no header sent if no request origin header)
• Allowed headers and Allowed methods is now only sent with the preflight (OPTIONS) request and not in the subsequent request (POST/GET/...) according to this logic: https://github.com/expressjs/cors/blob/5c0b6c7a0cbf126c949b9a76c7c67e26eba6b3e1/lib/index.js#L163
• for the preflight OPTIONS request, content-length: 0 will be sent. see: https://github.com/expressjs/cors/blob/5c0b6c7a0cbf126c949b9a76c7c67e26eba6b3e1/lib/index.js#L178
• Access-Control-Allow-Credentials: true is now always sent (previously only sent if allowed origins whitelist matched)
• Vary header will be sent now, which I believe can avoid caching bugs

[goto-bus-stop]

I think uppy 1.3 was just a random example of an old version. People might still have them if they started using the CDN packages for example and never updated the URLs.
Those differences do all sound like they should be compatible.

[arturi]

Whether there have been some historic quirks/hacks throughout the history of uppy, that could be affected by this, is beyond me.

Yeah, I understand. I did mean 1.3 or 1.5 as an arbitrary example of old versions.

What I can remember was backwards-compat breaking is this: #1564

[arturi]

Here goes! Let's keep an eye out for potential issues. Thanks, Mikael!