Skip to content
Merged
Show file tree
Hide file tree
Changes from 2 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions .changeset/fuzzy-bottles-unite.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
---
'@rocket.chat/meteor': patch
---

Fixes CORS headers not being sent for for GET requests
Comment thread
ggazzo marked this conversation as resolved.
Outdated
17 changes: 7 additions & 10 deletions apps/meteor/app/api/server/middlewares/cors.spec.ts
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ import { CachedSettings } from '../../../settings/server/CachedSettings';
import { Router } from '../router';

describe('Cors middleware', () => {
it('should not enforce CORS headers for GET', async () => {
it('should return allow-origin header for GET if CORS enabled', async () => {
const ajv = new Ajv();
const app = express();
const api = new Router('/api');
Expand Down Expand Up @@ -50,15 +50,12 @@ describe('Cors middleware', () => {

expect(response.statusCode).toBe(200);
expect(response.body).toHaveProperty('message', 'CORS test successful');
expect(response.headers).not.toHaveProperty('access-control-allow-origin', '*');
expect(response.headers).toHaveProperty('access-control-allow-methods', 'GET, POST, PUT, DELETE, HEAD, PATCH');
expect(response.headers).toHaveProperty(
'access-control-allow-headers',
'Origin, X-Requested-With, Content-Type, Accept, X-User-Id, X-Auth-Token, x-visitor-token, Authorization',
);
expect(response.headers).toHaveProperty('access-control-allow-origin', '*');
expect(response.headers).not.toHaveProperty('access-control-allow-methods');
expect(response.headers).toHaveProperty('access-control-allow-headers');
});

it('should not return CORS headers for GET if CORS disabled', async () => {
it('should return allow-origin header for GET if CORS disabled', async () => {
const ajv = new Ajv();
const app = express();
const api = new Router('/api');
Expand Down Expand Up @@ -97,9 +94,9 @@ describe('Cors middleware', () => {

expect(response.statusCode).toBe(200);
expect(response.body).toHaveProperty('message', 'CORS test successful');
expect(response.headers).not.toHaveProperty('access-control-allow-origin');
expect(response.headers).toHaveProperty('access-control-allow-origin', '*');
expect(response.headers).not.toHaveProperty('access-control-allow-methods');
expect(response.headers).not.toHaveProperty('access-control-allow-headers');
expect(response.headers).toHaveProperty('access-control-allow-headers');
});

it('should handle CORS if enabled to *', async () => {
Expand Down
7 changes: 2 additions & 5 deletions apps/meteor/app/api/server/middlewares/cors.ts
Original file line number Diff line number Diff line change
Expand Up @@ -12,11 +12,8 @@ export const cors =
async (c, next) => {
const { req, res } = c;
if (req.method !== 'OPTIONS') {
if (settings.get('API_Enable_CORS')) {
res.headers.set('Vary', 'Origin');
res.headers.set('Access-Control-Allow-Methods', defaultHeaders['Access-Control-Allow-Methods']);
res.headers.set('Access-Control-Allow-Headers', defaultHeaders['Access-Control-Allow-Headers']);
}
res.headers.set('Access-Control-Allow-Origin', '*');

Copilot AI May 27, 2025

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider adding an inline comment explaining that the Access-Control-Allow-Origin header is always set for GET requests, clarifying that this behavior is intentional as part of the fix.

Copilot uses AI. Check for mistakes.
res.headers.set('Access-Control-Allow-Headers', defaultHeaders['Access-Control-Allow-Headers']);

await next();
return;
Expand Down
Loading