allow custom OPTIONS handling via middleware flagging

Greisby · Greisby · commit dcdf3692d12d · 2026-01-21T09:47:49.000+01:00
diff --git a/lib/inc/drogon/HttpMiddleware.h b/lib/inc/drogon/HttpMiddleware.h
@@ -148,4 +148,46 @@ class HttpCoroMiddleware : public DrObject<T>, public HttpMiddlewareBase
 
 #endif
 
+/**
+ * @brief Simple middleware that tags OPTIONS requests
+ * @details It adds the attribute "customCORShandling" to the request, so that
+ * HttpServer does not handle CORS for them internally.
+ *
+ * This allows custom CORS handling via the path handlers.
+ * For example to restrict the origins, headers allowed, specify a max age to
+ * avoid OPTIONS on every request, etc.
+ *
+ * Just register it:
+ * 1. globally via
+ *   app().registerMiddleware(std::make_shared<drogon::HttpOptionsMiddleware>())
+ * 2. on every path handlers that need non-default handling, with
+ *    ADD_METHOD_TO(... , "drogon::HttpOptionsMiddleware")
+ */
+template <class Derived, bool AutoCreation = true>
+class HttpOptionsMiddlewareImpl
+    : public drogon::HttpMiddleware<Derived, AutoCreation>
+{
+  public:
+    void invoke(const HttpRequestPtr &req,
+                MiddlewareNextCallback &&nextCb,
+                MiddlewareCallback &&mcb) override
+    {
+        // Tag OPTIONS
+        if (req && req->method() == drogon::HttpMethod::Options)
+            req->attributes()->insert("customCORShandling", true);
+        // continue with next middleware (no post-processing here)
+        nextCb(std::move(mcb));
+    }
+};
+
+class HttpOptionsMiddlewareAuto
+    : public HttpOptionsMiddlewareImpl<HttpOptionsMiddlewareAuto, true>
+{
+};
+
+class HttpOptionsMiddleware
+    : public HttpOptionsMiddlewareImpl<HttpOptionsMiddleware, false>
+{
+};
+
 }  // namespace drogon
diff --git a/lib/src/HttpServer.cc b/lib/src/HttpServer.cc
@@ -576,7 +576,10 @@ void HttpServer::requestPassMiddlewares(const HttpRequestImplPtr &req,
 template <typename Pack>
 void HttpServer::requestPreHandling(const HttpRequestImplPtr &req, Pack &&pack)
 {
-    if (req->method() == Options)
+    // Handle CORS preflight request, except when custom handling is desired
+    if ((req->method() == Options) &&
+        (!req->attributes()->find("customCORShandling") ||
+        !req->attributes()->get<bool>("customCORShandling")))
     {
         handleHttpOptions(req,
                           *pack.binderPtr->corsMethods_,

Original file line number	Diff line number	Diff line change
`@@ -576,7 +576,10 @@ void HttpServer::requestPassMiddlewares(const HttpRequestImplPtr &req,`
`576`	`576`	`template <typename Pack>`
`577`	`577`	`void HttpServer::requestPreHandling(const HttpRequestImplPtr &req, Pack &&pack)`
`578`	`578`	`{`
`579`		`- if (req->method() == Options)`
	`579`	`+ // Handle CORS preflight request, except when custom handling is desired`
	`580`	`+ if ((req->method() == Options) &&`
	`581`	`+ (!req->attributes()->find("customCORShandling") \|\|`
	`582`	`+ !req->attributes()->get<bool>("customCORShandling")))`
`580`	`583`	`{`
`581`	`584`	`handleHttpOptions(req,`
`582`	`585`	`*pack.binderPtr->corsMethods_,`