Comments (10)

mcollina commented on June 7, 2024

I don't understand. Can you make some code examples?

from fastify-cors.

SkeLLLa commented on June 7, 2024

Ok. So let's say we have two origin functions whose callback follows the signature "err [object], allow [bool]". One of them, "originAllow", will set the allow parameter to true, and the other, "originDeny", will do the opposite and set it to false:

function originAllow(origin, callback) {
  callback(null, true); // allow set to true
}
function originDeny(origin, callback) {
  callback(null, false); // allow set to false
}

Later we'll have two situations:

const fastify = require('fastify')()
fastify.register(require('fastify-cors'), { origin: originAllow}) // case 1
fastify.register(require('fastify-cors'), { origin: originDeny}) // case 2

fastify.get('/', (req, reply) => {
  reply.send({ hello: 'world' })
})

fastify.listen(3000)

So in the first case it will work as expected and will add the access-control-allow-origin header with the value that came in the origin header.

In the second case it will not add any cors headers and it will act just like this code:

fastify.register(require('fastify-cors'), { origin: false})

which means cors is disabled and no headers will be added. So as a result both cross-origin requests will pass without any restrictions.

Another example:

const fastify = require('fastify')()
fastify.register(require('fastify-cors'), { origin: (origin, callback) => {
  if (origin === 'example.com') {
    callback(null, true);
  } else {
    callback(null, false);
  }
}})

fastify.get('/', (req, reply) => {
  reply.send({ hello: 'world' })
})

fastify.listen(3000)

In this case all requests will also pass without any errors. The only way to restrict this is to throw an error, which will result in a 500 error code, which is not correct.

mcollina commented on June 7, 2024

I find the function description accurate. Why is it confusing?

If you want to return a different status code, you'll have to use http://npm.im/http-errors or set an err.statusCode = code property.

SkeLLLa commented on June 7, 2024

@mcollina because of the parameter named allow: it doesn't matter whether it is true or false, it always allows requests.

Also, invalid CORS usually fails the request with a "Network error" that the browser generates, not an "HTTP error", which is generated by the server.

So as a result the origin function doesn't control the origin and decide whether to allow it or not. It controls the cors plugin and says whether to enable or disable it for the specified origin.

mcollina commented on June 7, 2024

> because of parameter named allow because it doesn't matter will it be true or false it always allow requests.

The documentation clearly states that setting it to false disables cors (this is 100% modelled after https://www.npmjs.com/package/cors#configuration-options). It does not stop the requests.

> Also invalid CORS usually fail request with "Network error" that browser generates, but not "HTTP error" which is generated by server.

I do not understand. What status code/header combination should be produced by the server to have the browser fail with "network error"?

SkeLLLa commented on June 7, 2024

Ok, but even in the original cors module there's a mistake in the docs as well. See expressjs/cors#103 (comment).

mcollina commented on June 7, 2024

I still do not understand what the mistake is in the docs. Can you send a PR?

SkeLLLa commented on June 7, 2024

I'm trying to understand the following thing in the description:

> Function - set origin to a function implementing some custom logic. The function takes the request origin as the first parameter and a callback (which expects the signature err [object], allow [bool]) as the second, async-await and promises are supported as well.

What exactly does the parameter allow do?

So I can't send a proper PR until I understand its purpose.

mcollina commented on June 7, 2024

The origin function enables you to provide the same value of the ‘origin’ config option for every request. The semantics is identical.

cemremengu commented on June 7, 2024

Closing due to inactivity. Feel free to reopen if needed.
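
A simplified model of the behaviour debated in this thread, added here as an illustration; it is not part of the original issue and is not fastify-cors source code. The function names (softDeny, hardDeny, serve, pageCanRead, compare) and the sample origins are constructed for the example.

```javascript
// Added illustration: models what the thread describes, not the plugin's code.
const ALLOWED = 'https://app.example'; // constructed sample origin

// Origin function as in the thread: calls back allow=false for other origins.
const softDeny = (origin, cb) => cb(null, origin === ALLOWED);

// Variant that rejects on the server by passing an error with statusCode.
const hardDeny = (origin, cb) => {
  if (origin === ALLOWED) return cb(null, true);
  const err = new Error('origin not allowed');
  err.statusCode = 403;
  cb(err);
};

// Server model: allow=false only omits the CORS header; the route still runs.
function serve(originFn, reqOrigin, counters) {
  let res;
  originFn(reqOrigin, (err, allow) => {
    if (err) {
      res = { status: err.statusCode || 500, headers: {}, body: null };
      return;
    }
    counters.routeRuns += 1; // handler side effects happen here
    const headers = allow ? { 'access-control-allow-origin': reqOrigin } : {};
    res = { status: 200, headers, body: { hello: 'world' } };
  });
  return res;
}

// Browser model: page script may read the response only if the header matches.
function pageCanRead(pageOrigin, res) {
  const acao = res.headers['access-control-allow-origin'];
  return acao === '*' || acao === pageOrigin;
}

// Run the same request against both origin functions and summarise.
function compare(reqOrigin) {
  const soft = { routeRuns: 0 };
  const hard = { routeRuns: 0 };
  const a = serve(softDeny, reqOrigin, soft);
  const b = serve(hardDeny, reqOrigin, hard);
  return {
    soft: { status: a.status, ran: soft.routeRuns, readable: pageCanRead(reqOrigin, a) },
    hard: { status: b.status, ran: hard.routeRuns, readable: pageCanRead(reqOrigin, b) },
  };
}
```

With allow=false the handler still executes and returns 200; only a browser withholds the body from page script, and a non-browser client ignores CORS entirely. Server-side rejection needs the error path or a separate authorization check.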
