Update cors middleware

Author: zigazajc007

bun.lock

@@ -1,6 +1,6 @@
 {
 	"name": "@rabbit-company/web-monorepo",
-	"version": "0.16.0",
+	"version": "0.17.0",
 	"description": "High-performance web framework monorepo",
 	"private": true,
 	"type": "module",
@@ -9,7 +9,8 @@
 	"author": "Rabbit Company <info@rabbit-company.com>",
 	"license": "MIT",
 	"workspaces": [
-		"packages/*"
+		"packages/core",
+		"packages/middleware"
 	],
 	"scripts": {
 		"build": "bun run build.ts",
@@ -48,11 +49,12 @@
 	],
 	"devDependencies": {
 		"@types/bun": "latest",
+		"@types/node": "^25.0.9",
 		"typescript": "^5.9.3",
 		"@rabbit-company/logger": "^5.6.0",
 		"bun-plugin-dts": "^0.3.0",
-		"hono": "^4.10.4",
-		"elysia": "^1.4.13"
+		"hono": "^4.11.4",
+		"elysia": "^1.4.22"
 	},
 	"dependencies": {
 		"@rabbit-company/rate-limiter": "^3.0.0"

package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@rabbit-company/web",
-	"version": "0.16.0",
+	"version": "0.17.0",
 	"license": "MIT",
 	"exports": "./src/index.ts",
 	"publish": {

packages/core/jsr.json

@@ -1,6 +1,6 @@
 {
 	"name": "@rabbit-company/web",
-	"version": "0.16.0",
+	"version": "0.17.0",
 	"description": "High-performance web framework",
 	"main": "./dist/index.js",
 	"types": "./dist/index.d.ts",

packages/core/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@rabbit-company/web-middleware",
-	"version": "0.16.0",
+	"version": "0.17.0",
 	"license": "MIT",
 	"exports": {
 		"./basic-auth": "./src/basic-auth.ts",

packages/middleware/jsr.json

@@ -1,6 +1,6 @@
 {
 	"name": "@rabbit-company/web-middleware",
-	"version": "0.16.0",
+	"version": "0.17.0",
 	"description": "Official middleware collection for Rabbit Company Web Framework",
 	"type": "module",
 	"homepage": "https://github.com/Rabbit-Company/Web-JS",
@@ -83,7 +83,7 @@
 		"rate-limit"
 	],
 	"peerDependencies": {
-		"@rabbit-company/web": "^0.16.0"
+		"@rabbit-company/web": "^0.17.0"
 	},
 	"dependencies": {
 		"@rabbit-company/rate-limiter": "^3.0.0",

packages/middleware/package.json

@@ -69,18 +69,29 @@ const defaults: CorsOptions = {
  * @returns {Middleware<T, B>} - A middleware function for handling CORS headers.
  */
 export function cors<T extends Record<string, unknown> = Record<string, unknown>, B extends Record<string, unknown> = Record<string, unknown>>(
-	options: CorsOptions = {}
+	options: CorsOptions = {},
 ): Middleware<T, B> {
 	const opts = { ...defaults, ...options };
 
 	return async (ctx: Context<T, B>, next) => {
-		const origin = ctx.req.headers.get("Origin") || "";
+		const requestOrigin = ctx.req.headers.get("Origin");
 
-		// Check if origin is allowed
-		const isAllowed = await checkOrigin(origin, opts.origin);
+		// Non-CORS request
+		if (!requestOrigin) {
+			return next();
+		}
+
+		const isAllowed = await checkOrigin(requestOrigin, opts.origin);
 
 		if (isAllowed) {
-			ctx.header("Access-Control-Allow-Origin", origin || "*");
+			const isWildcard = opts.origin === "*" && !opts.credentials;
+
+			if (isWildcard) {
+				ctx.header("Access-Control-Allow-Origin", "*");
+			} else {
+				ctx.header("Access-Control-Allow-Origin", requestOrigin);
+				appendVary(ctx, "Origin");
+			}
 
 			if (opts.credentials) {
 				ctx.header("Access-Control-Allow-Credentials", "true");
@@ -91,7 +102,7 @@ export function cors<T extends Record<string, unknown> = Record<string, unknown>
 			}
 		}
 
-		// Handle preflight
+		// Preflight request
 		if (ctx.req.method === "OPTIONS") {
 			if (opts.allowMethods?.length) {
 				ctx.header("Access-Control-Allow-Methods", opts.allowMethods.join(", "));
@@ -101,12 +112,12 @@ export function cors<T extends Record<string, unknown> = Record<string, unknown>
 				ctx.header("Access-Control-Allow-Headers", opts.allowHeaders.join(", "));
 			}
 
-			if (opts.maxAge) {
-				ctx.header("Access-Control-Max-Age", opts.maxAge.toString());
+			if (opts.maxAge !== undefined) {
+				ctx.header("Access-Control-Max-Age", String(opts.maxAge));
 			}
 
 			if (!opts.preflightContinue) {
-				return ctx.text("", opts.optionsSuccessStatus || 204);
+				return ctx.text("", opts.optionsSuccessStatus ?? 204);
 			}
 		}
 
@@ -125,6 +136,20 @@ async function checkOrigin(origin: string, allowed?: string | string[] | ((origi
 	if (!allowed || allowed === "*") return true;
 	if (typeof allowed === "string") return origin === allowed;
 	if (Array.isArray(allowed)) return allowed.includes(origin);
-	if (typeof allowed === "function") return allowed(origin);
+	if (typeof allowed === "function") return await allowed(origin);
 	return false;
 }
+
+function appendVary(ctx: Context<any, any>, value: string) {
+	const existing = ctx.res?.headers.get("Vary");
+	if (!existing) {
+		ctx.header("Vary", value);
+	} else if (
+		!existing
+			.split(",")
+			.map((v) => v.trim())
+			.includes(value)
+	) {
+		ctx.header("Vary", `${existing}, ${value}`);
+	}
+}