Actually expose headers (like content-type) in responses!

Author: billiegoose

index.js

@@ -20,7 +20,24 @@ const allowHeaders = [
   'x-http-method-override',
   'x-requested-with',
 ]
-const cors = require('micro-cors')({allowHeaders})
+const exposeHeaders = [
+  'accept-ranges',
+  'age',
+  'cache-control',
+  'content-length',
+  'content-language',
+  'content-type',
+  'date',
+  'etag',
+  'expires',
+  'last-modified',
+  'pragma',
+  'server',
+  'transfer-encoding',
+  'vary',
+  'x-github-request-id',
+]
+const cors = require('./micro-cors.js')({allowHeaders, exposeHeaders})
 const fetch = require('node-fetch')
 
 async function service (req, res) {
@@ -42,13 +59,13 @@ async function service (req, res) {
       It records the URL, origin IP, referer, and user-agent. None of the sensitive HTTP headers (including those used for
       HTTP Basic Auth and HTTP Token auth) are ever logged.
       <h2>Request API</h2>
-      https://${process.env.NOW_URL}/domain/path?query
+      ${process.env.NOW_URL}/domain/path?query
       <ul>
         <li>domain - the destination host</li>
         <li>path - the rest of the URL</li>
         <li>query - optional query parameters</li>
       </ul>
-      Example: https://${process.env.NOW_URL}/github.com/wmhilton/cors-buster?service=git-upload-pack
+      Example: ${process.env.NOW_URL}/github.com/wmhilton/cors-buster?service=git-upload-pack
       <h2>Supported Protocols</h2>
       In order to protect users who might send their usernames and passwords through the proxy,
       all requests must be made using HTTPS. Plain old HTTP is insecure and therefore not allowed.
@@ -85,9 +102,14 @@ async function service (req, res) {
     {
       method: req.method,
       headers,
-      body: req
+      body: (req.method !== 'GET' && req.method !== 'HEAD') ? req : undefined
     }
   )
+  for (let h of exposeHeaders) {
+    if (f.headers.has(h)) {
+      res.setHeader(h, f.headers.get(h))
+    }
+  }
   f.body.pipe(res)
 }
 

micro-cors.js

@@ -0,0 +1,64 @@
+// MIT License
+// https://github.com/possibilities/micro-cors
+const DEFAULT_ALLOW_METHODS = [
+  'POST',
+  'GET',
+  'PUT',
+  'PATCH',
+  'DELETE',
+  'OPTIONS'
+]
+
+const DEFAULT_ALLOW_HEADERS = [
+  'X-Requested-With',
+  'Access-Control-Allow-Origin',
+  'X-HTTP-Method-Override',
+  'Content-Type',
+  'Authorization',
+  'Accept'
+]
+
+const DEFAULT_MAX_AGE_SECONDS = 60 * 60 * 24 // 24 hours
+
+const cors = options => handler => (req, res, ...restArgs) => {
+  const {
+    maxAge,
+    origin,
+    allowHeaders,
+    exposeHeaders,
+    allowMethods
+  } = (options || {})
+
+  res.setHeader(
+    'Access-Control-Max-Age',
+    '' + (maxAge || DEFAULT_MAX_AGE_SECONDS)
+  )
+
+  res.setHeader(
+    'Access-Control-Allow-Origin',
+    (origin || '*')
+  )
+
+  res.setHeader(
+    'Access-Control-Allow-Methods',
+    (allowMethods || DEFAULT_ALLOW_METHODS).join(',')
+  )
+
+  res.setHeader(
+    'Access-Control-Allow-Headers',
+    (allowHeaders || DEFAULT_ALLOW_HEADERS).join(',')
+  )
+
+  if (exposeHeaders && exposeHeaders.length) {
+    res.setHeader(
+      'Access-Control-Expose-Headers',
+      exposeHeaders.join(',')
+    )
+  }
+
+  res.setHeader('Access-Control-Allow-Credentials', 'true')
+
+  return handler(req, res, ...restArgs)
+}
+
+module.exports = cors

package.json

@@ -4,7 +4,8 @@
   "description": "When you need a file, but the headers ain't good, who you gonna call? CORS Buster!",
   "main": "index.js",
   "scripts": {
-    "start": "micro"
+    "start": "micro",
+    "dev": "micro-dev"
   },
   "keywords": [],
   "author": "William Hilton <[email protected]>",
@@ -14,11 +15,13 @@
     "url": "git://github.com/wmhilton/cors-buster.git"
   },
   "dependencies": {
-    "micro": "^8.0.1",
-    "micro-cors": "0.0.4",
-    "node-fetch": "^1.7.1"
+    "micro": "^9.1.4",
+    "node-fetch": "^2.1.2"
   },
   "now": {
     "public": true
+  },
+  "devDependencies": {
+    "micro-dev": "^2.2.2"
   }
 }