released v5.0.5 - corsify should ignore websockets

kwhitley · Apr 2, 2024 · a3d9181 · a3d9181
1 parent 8d31172
commit a3d9181
Show file tree

Hide file tree

Showing 5 changed files with 24 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,7 @@
 ## Changelog
 
+- **v5.0.5**
+  - fixed: corsify now properly ignores WebSocket responses
 - **v5.0.4**
   - fixed: (TypeScript) middleware corrupting downstream request types and args
 - **v5.0.2**

diff --git a/bun.lockb b/bun.lockb
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "itty-router",
-  "version": "5.0.4",
+  "version": "5.0.5",
   "description": "A tiny, zero-dependency router, designed to make beautiful APIs in any environment.",
   "main": "./index.js",
   "module": "./index.mjs",

diff --git a/src/cors.spec.ts b/src/cors.spec.ts
@@ -14,6 +14,15 @@ const corsRouter = (options?: CorsOptions) => {
   }).get('/', () => TEST_STRING)
 }
 
+class WebSocketResponse {
+  constructor(body, options = {}) {
+    this.body = body
+    this.status = options.status || 101
+    this.statusText = options.statusText || 'Switching Protocols'
+    this.headers = options.headers || new Headers()
+  }
+}
+
 const DEFAULT_ROUTER = corsRouter()
 const HEADERS_AS_ARRAY = [ 'x-foo', 'x-bar' ]
 const HEADERS_AS_STRING = HEADERS_AS_ARRAY.join(',')
@@ -226,6 +235,14 @@ describe('cors(options?: CorsOptions)', () => {
         expect(response.headers.getSetCookie().length).toBe(2)
         expect(corsified.headers.getSetCookie().length).toBe(2)
       })
+
+      it('will not modify a websocket request', async () => {
+        const { corsify } = cors()
+        const response = new WebSocketResponse(null, { status: 101 }) as Response
+        const afterCorsify = corsify(response)
+        expect(afterCorsify.headers.get('access-control-allow-origin')).toBeNull()
+        expect(afterCorsify.status).toBe(101)
+      })
     })
   })
 })
diff --git a/src/cors.ts b/src/cors.ts
@@ -72,7 +72,10 @@ export const cors = (options: CorsOptions = {}) => {
 
   const corsify = (response: Response, request?: Request) => {
     // ignore if already has CORS headers
-    if (response?.headers?.get('access-control-allow-origin')) return response
+    if (
+      response?.headers?.get('access-control-allow-origin')
+      || response.status == 101
+    ) return response
 
     return new Response(response.body, {
       ...response,