fix(middleware/cors): CORS handling

[sixcolors]

Merge changes from v2 PR #2937

This pull request addresses issue #2936, fixing a bug introduced in the Fiber v2.52.3 release. The bug caused incorrect checking of non-preflight requests using preflight conditions.

Fiber CORS middleware validation sample: https://github.com/sixcolors/fiber-cors-middleware-validation-sample

Fixes #2936

Summary by CodeRabbit

• Refactor
  • Refined logic for handling CORS requests in the cors.go middleware.
  • Added a new condition to handle preflight requests without the Access-Control-Request-Method header.
  • Removed setting fiber.HeaderAccessControlRequestMethod in cors_test.go.
  • Adjusted test case descriptions and refactored test cases for different request scenarios.
  • Updated benchmark functions in cors_test.go.

[coderabbitai]

Walkthrough

The update focuses on refining the CORS middleware and its test cases by adjusting the logic for handling CORS requests in cors.go and updating related test cases in cors_test.go. These changes aim to enhance the CORS functionality and improve testing accuracy within the middleware.

Changes

Files	Changes
middleware/cors/cors.go	In the cors.go middleware, the logic for handling CORS requests has been refined, adjusting the Origin header check and adding a condition for preflight requests without the Access-Control-Request-Method header.
middleware/cors/cors_test.go	- Removed setting fiber.HeaderAccessControlRequestMethod in various test cases. - Adjusted test case descriptions related to headers and methods. - Refactored test cases for different request scenarios. - Updated benchmark functions.

Assessment against linked issues

Objective	Addressed	Explanation
Confirm and resolve the CORS panic issue related to AllowOrigins with whitespace (#2882)	❓	It's unclear if the changes directly address the issue with whitespace in AllowOrigins configuration that caused panics.
Add support for Private Network Access CORS Header (#2804)	❌	The specific support for Access-Control-Request-Private-Network header or related functionality is not mentioned in the changes.
Ensure CORS configuration accepts origins correctly to prevent panics (#2882)	❓	Without detailed insights into how CORS configuration now handles origins, it's uncertain if this objective is fully met by the changes.

Related issues

• Issue 🐛 [BUG]: CORS panic with AcceptOrigins with whitespace #2882 could be linked to this PR if the changes in cors.go directly address the handling of origins with whitespace, as the removal of specific header settings might indirectly influence this behavior.
• Issue 📝 [Proposal]: Add Support for the Private Network Access CORS Header Access-Control-Request-Private-Network #2804 seems unrelated to the current PR changes, as there's no specific mention of adding support for the Access-Control-Request-Private-Network header.

Poem

Among the code's expanse, a rabbit's dance,
Refining CORS with a hopeful glance.
Bugs squashed, tests refined, in the moon's soft glow,
Bringing order to chaos, line by line, row by row.
🐇🌌 As the code evolves, with each commit's cheer,
The rabbit whispers, "Progress is near."

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

Share

• X
• Mastodon
• Reddit
• LinkedIn

---

Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>.
  • Generate unit-tests for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit tests for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai generate interesting stats about this repository and render them as a table.
  • @coderabbitai show all the console.log statements in this repository.
  • @coderabbitai read src/utils.ts and generate unit tests.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (invoked as PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger a review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai help to get help.

Additionally, you can add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.

CodeRabbit Configration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• The JSON schema for the configuration file is available here.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/coderabbit-overrides.v2.json

CodeRabbit Discord Community

Join our Discord Community to get help, request features, and share feedback.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 82.84%. Comparing base (7ba02c1) to head (83da096).

❗ Current head 83da096 differs from pull request most recent head b2014fd. Consider uploading reports for the commit b2014fd to get more accurate results

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2938      +/-   ##
==========================================
+ Coverage   82.74%   82.84%   +0.09%     
==========================================
  Files         116      116              
  Lines        8415     8417       +2     
==========================================
+ Hits         6963     6973      +10     
+ Misses       1111     1106       -5     
+ Partials      341      338       -3     

Flag	Coverage Δ
unittests	82.84% <100.00%> (+0.09%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[coderabbitai]

Review Status

Actionable comments generated: 1

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between 7ba02c1 and 83da096.

Files selected for processing (2)

• middleware/cors/cors.go (1 hunks)
• middleware/cors/cors_test.go (13 hunks)

Additional comments: 1

middleware/cors/cors_test.go (1)

• 475-480: > 📝 NOTE

This review was outside the diff hunks and was mapped to the diff hunk with the greatest overlap. Original lines [465-495]

The test cases have been adjusted to reflect the changes made to the CORS middleware, specifically the handling of requests without the Origin header and the processing of preflight requests with the Access-Control-Request-Method header. These adjustments are important for ensuring that the middleware behaves as expected in these scenarios.

However, it's crucial to ensure that the test coverage is comprehensive and includes scenarios that might not be immediately obvious, such as requests with malformed Origin headers or preflight requests with unusual combinations of headers.

Consider adding more test cases to cover edge cases and potential error conditions related to the changes in CORS request handling. This could include tests for malformed Origin headers, preflight requests with missing or unexpected headers, and scenarios where the request method is changed after the preflight check.

[gaby]

@coderabbitai review

[coderabbitai]

Review Status

Actionable comments generated: 0

Configuration used: CodeRabbit UI

Commits

Files that changed from the base of the PR and between 83da096 and b2014fd.

Files selected for processing (2)

• middleware/cors/cors.go (3 hunks)
• middleware/cors/cors_test.go (15 hunks)

Files skipped from review as they are similar to previous changes (2)

• middleware/cors/cors.go
• middleware/cors/cors_test.go

[gaby]

Lgtm