fix: Vary: Origin header overwritten (#1407)

ardatan · Jun 24, 2024 · ebbc85b · ebbc85b
1 parent dc0fd2e
commit ebbc85b
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 1 deletion.
diff --git a/.changeset/real-bananas-visit.md b/.changeset/real-bananas-visit.md
@@ -0,0 +1,5 @@
+---
+'@whatwg-node/server': patch
+---
+
+Vary: Access-Control-Request-Headers would overwrite Vary: Origin
diff --git a/packages/server/src/plugins/useCors.ts b/packages/server/src/plugins/useCors.ts
@@ -77,8 +77,9 @@ export function getCORSHeadersByRequestAndOptions(
       headers['Access-Control-Allow-Headers'] = requestHeaders;
       if (headers['Vary']) {
         headers['Vary'] += ', Access-Control-Request-Headers';
+      } else {
+        headers['Vary'] = 'Access-Control-Request-Headers';
       }
-      headers['Vary'] = 'Access-Control-Request-Headers';
     }
   }
 

diff --git a/packages/server/test/useCors.spec.ts b/packages/server/test/useCors.spec.ts
@@ -100,5 +100,22 @@ describe('CORS', () => {
         expect(headers?.['Access-Control-Allow-Origin']).toBeUndefined();
       });
     });
+    describe('Vary header', () => {
+      const corsOptionsWithMultipleOrigins: CORSOptions = {
+        origin: ['http://localhost:4000', 'http://localhost:4001'],
+      };
+      it('should return vary with multiple values', () => {
+        const request = new Request('http://localhost:4002/graphql', {
+          method: 'POST',
+          headers: {
+            'Content-Type': 'application/json',
+            origin: 'http://localhost:4001',
+            'access-control-request-headers': 'x-foobar',
+          },
+        });
+        const headers = getCORSHeadersByRequestAndOptions(request, corsOptionsWithMultipleOrigins);
+        expect(headers?.Vary).toBe('Origin, Access-Control-Request-Headers');
+      });
+    });
   });
 });