Cors options preflight (#200)

* fix: also register OPTIONS for CORS preflight

Signed-off-by: Dorin Geman <[email protected]>

* feat: enhance CORS middleware to intercept OPTIONS requests and validate origins

* feat: update CORS test cases to include DELETE method and adjust allowed methods

* Update pkg/middleware/cors.go

Co-authored-by: Copilot <[email protected]>

---------

Signed-off-by: Dorin Geman <[email protected]>
Co-authored-by: Dorin Geman <[email protected]>
Co-authored-by: Copilot <[email protected]>

Author: 3 people

main.go

@@ -122,12 +122,13 @@ func main() {
 	)
 
 	router := routing.NewNormalizedServeMux()
-	for _, route := range modelManager.GetRoutes() {
-		router.Handle(route, modelManager)
-	}
-	for _, route := range scheduler.GetRoutes() {
-		router.Handle(route, scheduler)
-	}
+
+	// Register path prefixes to forward all HTTP methods (including OPTIONS) to components
+	// Components handle method routing internally
+	// Register both with and without trailing slash to avoid redirects
+	router.Handle(inference.ModelsPrefix, modelManager)
+	router.Handle(inference.ModelsPrefix+"/", modelManager)
+	router.Handle(inference.InferencePrefix+"/", scheduler)
 
 	// Add metrics endpoint if enabled
 	if os.Getenv("DISABLE_METRICS") != "1" {

pkg/inference/models/manager.go

@@ -136,15 +136,6 @@ func (m *Manager) routeHandlers() map[string]http.HandlerFunc {
 	}
 }
 
-func (m *Manager) GetRoutes() []string {
-	routeHandlers := m.routeHandlers()
-	routes := make([]string, 0, len(routeHandlers))
-	for route := range routeHandlers {
-		routes = append(routes, route)
-	}
-	return routes
-}
-
 // handleCreateModel handles POST <inference-prefix>/models/create requests.
 func (m *Manager) handleCreateModel(w http.ResponseWriter, r *http.Request) {
 	if m.distributionClient == nil {

pkg/inference/scheduling/scheduler.go

@@ -122,15 +122,6 @@ func (s *Scheduler) routeHandlers() map[string]http.HandlerFunc {
 	return m
 }
 
-func (s *Scheduler) GetRoutes() []string {
-	routeHandlers := s.routeHandlers()
-	routes := make([]string, 0, len(routeHandlers))
-	for route := range routeHandlers {
-		routes = append(routes, route)
-	}
-	return routes
-}
-
 // Run is the scheduler's main run loop. By the time it returns, all inference
 // backends will have been unloaded from memory.
 func (s *Scheduler) Run(ctx context.Context) error {

pkg/middleware/cors.go

@@ -8,6 +8,8 @@ import (
 
 // CorsMiddleware handles CORS and OPTIONS preflight requests with optional allowedOrigins.
 // If allowedOrigins is nil or empty, it falls back to getAllowedOrigins().
+// This middleware intercepts OPTIONS requests only if the Origin header is present and valid,
+// otherwise passing the request to the router (allowing 405/404 responses as appropriate).
 func CorsMiddleware(allowedOrigins []string, next http.Handler) http.Handler {
 	if len(allowedOrigins) == 0 {
 		allowedOrigins = getAllowedOrigins()
@@ -25,14 +27,26 @@ func CorsMiddleware(allowedOrigins []string, next http.Handler) http.Handler {
 	}
 
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if origin := r.Header.Get("Origin"); origin != "" && (allowAll || originAllowed(origin, allowedSet)) {
+		origin := r.Header.Get("Origin")
+
+		// Set CORS headers if origin is allowed
+		if origin != "" && (allowAll || originAllowed(origin, allowedSet)) {
 			w.Header().Set("Access-Control-Allow-Origin", origin)
 		}
 
-		// Handle OPTIONS requests.
+		// Handle OPTIONS requests with origin validation.
+		// Only intercept OPTIONS if the origin is valid to prevent unauthorized preflight requests.
 		if r.Method == http.MethodOptions {
+			// Require valid Origin header for OPTIONS requests
+			if origin == "" || !(allowAll || originAllowed(origin, allowedSet)) {
+				// No origin or invalid origin - pass to router for proper 405/404 response
+				next.ServeHTTP(w, r)
+				return
+			}
+
+			// Valid origin - handle OPTIONS with CORS headers
 			w.Header().Set("Access-Control-Allow-Credentials", "true")
-			w.Header().Set("Access-Control-Allow-Methods", "GET, POST")
+			w.Header().Set("Access-Control-Allow-Methods", "GET, POST, DELETE")
 			w.Header().Set("Access-Control-Allow-Headers", "*")
 			w.WriteHeader(http.StatusNoContent)
 			return

pkg/middleware/cors_test.go

@@ -49,10 +49,18 @@ func TestCorsMiddleware(t *testing.T) {
 			wantStatus:     http.StatusNoContent,
 			wantHeaders: map[string]string{
 				"Access-Control-Allow-Credentials": "true",
-				"Access-Control-Allow-Methods":     "GET, POST",
+				"Access-Control-Allow-Methods":     "GET, POST, DELETE",
 				"Access-Control-Allow-Headers":     "*",
 			},
 		},
+		{
+			name:           "DeleteRequest",
+			allowedOrigins: []string{"http://foo.com"},
+			method:         "DELETE",
+			origin:         "http://foo.com",
+			wantStatus:     http.StatusOK,
+			wantHeaders:    map[string]string{"Access-Control-Allow-Origin": "http://foo.com"},
+		},
 		{
 			name:           "NoOriginHeader",
 			allowedOrigins: []string{"http://foo.com"},