fix: allow header methods list for 405s (#9655)

see #8967 for explanation

regressed in #8731, probably because that PR started from an older branch

.changeset/shy-avocados-sip.md

@@ -0,0 +1,5 @@
+---
+'@sveltejs/kit': patch
+---
+
+fix: correct allow header methods list for 405s

packages/kit/src/runtime/server/utils.js

@@ -34,13 +34,11 @@ export function method_not_allowed(mod, method) {
 
 /** @param {Partial<Record<import('types').HttpMethod, any>>} mod */
 export function allowed_methods(mod) {
-	const allowed = [];
+	const allowed = ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'].filter(
+		(method) => method in mod
+	);
 
-	for (const method in ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS']) {
-		if (method in mod) allowed.push(method);
-	}
-
-	if (mod.GET || mod.HEAD) allowed.push('HEAD');
+	if ('GET' in mod || 'HEAD' in mod) allowed.push('HEAD');
 
 	return allowed;
 }

packages/kit/test/apps/basics/test/server.test.js

@@ -125,7 +125,10 @@ test.describe('Endpoints', () => {
 		const response = await request.post('/endpoint-output/body');
 
 		expect(response.status()).toBe(405);
-		expect(response.headers()['allow'].includes('GET'));
+
+		const allow_header = response.headers()['allow'];
+		expect(allow_header).toMatch(/\bGET\b/);
+		expect(allow_header).toMatch(/\bHEAD\b/);
 	});
 
 	// TODO all the remaining tests in this section are really only testing