From 0179ef364a5bc6aac5eafafee7136bf61405ee43 Mon Sep 17 00:00:00 2001
From: fengmk2
Date: Fri, 3 Nov 2023 19:12:25 +0800
Subject: [PATCH] fix: should set OPTIONS on access-control-allow-methods (#608)

Access to fetch at 'https://registry.npmmirror.com/isstream/-/isstream-0.1.0.tgz' from origin 'https://foo.com' has been blocked by CORS policy: Method OPTIONS is not allowed by Access-Control-Allow-Methods in preflight response.
---
 config/config.default.ts | 2 ++
 .../controller/HomeController/cors.test.ts | 22 ++++++++++---------
 2 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/config/config.default.ts b/config/config.default.ts
index 85919910..024e117c 100644
--- a/config/config.default.ts
+++ b/config/config.default.ts
@@ -100,6 +100,8 @@ export default (appInfo: EggAppConfig) => {
 return ctx.get('Origin');
 },
 credentials: true,
+ // https://github.com/koajs/cors/blob/master/index.js#L10C57-L10C64
+ allowMethods: 'GET,HEAD,PUT,POST,DELETE,PATCH,OPTIONS',
 };

 config.nfs = {
diff --git a/test/port/controller/HomeController/cors.test.ts b/test/port/controller/HomeController/cors.test.ts
index 21291d35..d79c4ce2 100644
--- a/test/port/controller/HomeController/cors.test.ts
+++ b/test/port/controller/HomeController/cors.test.ts
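Review bot: The comment added above `allowMethods` in config/config.default.ts is only a link to a line on the `master` branch of koajs/cors, so it will drift as that file changes, and it does not say why OPTIONS is appended. A commit-pinned permalink plus a sentence such as `// koajs/cors default method list plus OPTIONS, so a preflight that names OPTIONS is accepted` would keep the reason readable in place. The context lines show a callback returning `ctx.get('Origin')` together with `credentials: true`, which looks like a reflected-origin policy, so this method list is advertised to any requesting origin. It would help to state in the same comment that PUT, POST, DELETE and PATCH rely on server-side authentication and authorization, not on CORS, for protection. The enclosing config object and function start and end outside the hunk.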
@@ -7,11 +7,12 @@ describe('test/port/controller/HomeController/cors.test.ts', () => {
 const res = await app.httpRequest()
 .get('/-/ping')
 .set('origin', 'https://www.test-cors.org');
- assert(res.status === 200);
- assert(res.body.pong === true);
- assert(res.headers.vary === 'Origin');
- assert(res.headers['access-control-allow-origin'] === 'https://www.test-cors.org');
- assert(res.headers['access-control-allow-credentials'] === 'true');
+ assert.equal(res.status, 200);
+ assert.equal(res.body.pong, true);
+ assert.equal(res.headers.vary, 'Origin');
+ assert.equal(res.headers['access-control-allow-origin'], 'https://www.test-cors.org');
+ assert.equal(res.headers['access-control-allow-credentials'], 'true');
+ assert(!res.headers['access-control-allow-methods']);
 });

 it('should OPTIONS work', async () => {
@@ -20,11 +21,12 @@ describe('test/port/controller/HomeController/cors.test.ts', () => {
 .set('origin', 'https://www.test-cors.org/foo')
 .set('Access-Control-Request-Method', 'OPTIONS')
 .set('Access-Control-Request-Headers', 'authorization');
- assert(res.status === 204);
- assert(res.headers.vary === 'Origin');
- assert(res.headers['access-control-allow-origin'] === 'https://www.test-cors.org/foo');
- assert(res.headers['access-control-allow-credentials'] === 'true');
- assert(res.headers['access-control-allow-headers'] === 'authorization');
+ assert.equal(res.status, 204);
+ assert.equal(res.headers.vary, 'Origin');
+ assert.equal(res.headers['access-control-allow-origin'], 'https://www.test-cors.org/foo');
+ assert.equal(res.headers['access-control-allow-credentials'], 'true');
+ assert.equal(res.headers['access-control-allow-headers'], 'authorization');
+ assert.equal(res.headers['access-control-allow-methods'], 'GET,HEAD,PUT,POST,DELETE,PATCH,OPTIONS');
 });
 });
 });
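Review bot: The rewritten assertions in both hunks of cors.test.ts replace `assert(x === y)` with `assert.equal(x, y)`, which compares with `==` unless `assert` comes from the strict module; the import is outside the hunks, so this cannot be confirmed here. If it is the legacy `assert`, `assert.equal(res.body.pong, true)` would also accept `1`, a weaker check on these CORS headers and status codes than the lines it replaces. Writing `assert.strictEqual(res.status, 200);` and likewise for the other lines, or importing from `node:assert/strict`, keeps the original strictness. The hard-coded method list in the preflight test is worth a short comment saying it is pinned deliberately, so that a later widening of `allowMethods` in the config fails this test.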