fixed issue with upper/lower case request methods/headers

sdangol · sdangol · commit 29bf28f059c7 · 2025-09-22T11:41:09.000+01:00
diff --git a/packages/event-handler/src/rest/middleware/cors.ts b/packages/event-handler/src/rest/middleware/cors.ts
@@ -64,19 +64,26 @@ export const cors = (options?: CorsOptions): Middleware => {
     const isOptions = reqCtx.request.method === HttpVerbs.OPTIONS;
     // Handle preflight OPTIONS request
     if (isOptions) {
-      const requestMethod = reqCtx.request.headers.get(
-        'Access-Control-Request-Method'
-      );
-      const requestHeaders = reqCtx.request.headers.get(
-        'Access-Control-Request-Headers'
-      );
+      const requestMethod = reqCtx.request.headers
+        .get('Access-Control-Request-Method')
+        ?.toUpperCase();
+      const requestHeaders = reqCtx.request.headers
+        .get('Access-Control-Request-Headers')
+        ?.toLowerCase();
       if (
         !requestMethod ||
-        !config.allowMethods.includes(requestMethod) ||
+        !config.allowMethods
+          .map((m) => m.toUpperCase())
+          .includes(requestMethod) ||
         !requestHeaders ||
         requestHeaders
           .split(',')
-          .some((header) => !config.allowHeaders.includes(header.trim()))
+          .some(
+            (header) =>
+              !config.allowHeaders
+                .map((h) => h.toLowerCase())
+                .includes(header.trim())
+          )
       ) {
         await next();
         return;
diff --git a/packages/event-handler/tests/unit/rest/middleware/cors.test.ts b/packages/event-handler/tests/unit/rest/middleware/cors.test.ts
@@ -126,15 +126,6 @@ describe('CORS Middleware', () => {
   it('does not set CORS headers when preflight request method does not match allowed method', async () => {
     // Prepare
     const app = new Router();
-    app.options(
-      '/test',
-      [
-        cors({
-          allowMethods: ['POST'],
-        }),
-      ],
-      async () => ({ foo: 'bar' })
-    );
 
     // Act
     const result = await app.resolve(
@@ -152,15 +143,6 @@ describe('CORS Middleware', () => {
   it('does not set CORS headers when preflight request header does not match allowed header', async () => {
     // Prepare
     const app = new Router();
-    app.options(
-      '/test',
-      [
-        cors({
-          allowHeaders: ['Authorization'],
-        }),
-      ],
-      async () => ({ foo: 'bar' })
-    );
 
     // Act
     const result = await app.resolve(
@@ -184,7 +166,7 @@ describe('CORS Middleware', () => {
       allowHeaders: ['Authorization', 'Content-Type'],
       maxAge: 3600,
     };
-    app.options('/test', [cors(corsConfig)], async () => ({ foo: 'bar' }));
+    app.use(cors(corsConfig));
 
     // Act
     const result = await app.resolve(
