Fixed CORS preflight handling in Play servers (#4991)

This PR continues the work from #4239 (by @sergiuszkierat) which fixed
the `ServerCORSTests` to test CORS preflight requests with POST
endpoints instead of OPTIONS endpoints.

 ## Changes

- Added CORS-aware OPTIONS request handling to `PlayServerInterpreter`
(Play server)
- Added CORS-aware OPTIONS request handling to `PlayServerInterpreter`
(Play29 server)

---------

Co-authored-by: Sergiusz Kierat <sergiusz.kierat@gmail.com>

Author: pielas

server/play-server/src/main/scala/sttp/tapir/server/play/PlayServerInterpreter.scala

@@ -14,6 +14,7 @@ import sttp.model.Method
 import sttp.monad.FutureMonad
 import sttp.tapir.server.ServerEndpoint
 import sttp.tapir.server.interceptor.RequestResult
+import sttp.tapir.server.interceptor.cors.CORSInterceptor
 import sttp.tapir.server.interpreter.{BodyListener, FilterServerEndpoints, ServerInterpreter}
 import sttp.tapir.server.model.ServerResponse
 
@@ -53,6 +54,8 @@ trait PlayServerInterpreter {
       playServerOptions.deleteFile
     )
 
+    val isCORSInterceptorDefined = playServerOptions.interceptors.exists(_.isInstanceOf[CORSInterceptor[Future]])
+
     new PartialFunction[RequestHeader, Handler] {
       override def isDefinedAt(request: RequestHeader): Boolean = {
         val filtered = filterServerEndpoints(PlayServerRequest(request, request))
@@ -62,7 +65,16 @@ trait PlayServerInterpreter {
           // doesn't match, this will be handled by the RejectInterceptor
           filtered.exists { e =>
             val m = e.endpoint.method
-            m.isEmpty || m.contains(Method(request.method))
+            val requestMethod = Method(request.method)
+            val methodMatches = m.isEmpty || m.contains(requestMethod)
+
+            // When CORS interceptor is defined, also accept OPTIONS requests for non-OPTIONS endpoints
+            // to handle CORS preflight requests
+            val acceptOptionsForCORS = isCORSInterceptorDefined &&
+              requestMethod == Method.OPTIONS &&
+              m.exists(em => em != Method.OPTIONS)
+
+            methodMatches || acceptOptionsForCORS
           }
         } else {
           filtered.nonEmpty

server/play29-server/src/main/scala/sttp/tapir/server/play/PlayServerInterpreter.scala

@@ -14,6 +14,7 @@ import sttp.model.Method
 import sttp.monad.FutureMonad
 import sttp.tapir.server.ServerEndpoint
 import sttp.tapir.server.interceptor.RequestResult
+import sttp.tapir.server.interceptor.cors.CORSInterceptor
 import sttp.tapir.server.interpreter.{BodyListener, FilterServerEndpoints, ServerInterpreter}
 import sttp.tapir.server.model.ServerResponse
 
@@ -53,6 +54,8 @@ trait PlayServerInterpreter {
       playServerOptions.deleteFile
     )
 
+    val isCORSInterceptorDefined = playServerOptions.interceptors.exists(_.isInstanceOf[CORSInterceptor[Future]])
+
     new PartialFunction[RequestHeader, Handler] {
       override def isDefinedAt(request: RequestHeader): Boolean = {
         val filtered = filterServerEndpoints(PlayServerRequest(request, request))
@@ -62,7 +65,16 @@ trait PlayServerInterpreter {
           // doesn't match, this will be handled by the RejectInterceptor
           filtered.exists { e =>
             val m = e.endpoint.method
-            m.isEmpty || m.contains(Method(request.method))
+            val requestMethod = Method(request.method)
+            val methodMatches = m.isEmpty || m.contains(requestMethod)
+
+            // When CORS interceptor is defined, also accept OPTIONS requests for non-OPTIONS endpoints
+            // to handle CORS preflight requests
+            val acceptOptionsForCORS = isCORSInterceptorDefined &&
+              requestMethod == Method.OPTIONS &&
+              m.exists(em => em != Method.OPTIONS)
+
+            methodMatches || acceptOptionsForCORS
           }
         } else {
           filtered.nonEmpty

server/tests/src/main/scala/sttp/tapir/server/tests/ServerCORSTests.scala

@@ -22,7 +22,7 @@ class ServerCORSTests[F[_], OPTIONS, ROUTE](createServerTest: CreateServerTest[F
 
   val preflightTests = List(
     testServer(
-      endpoint.options.in("path").out(stringBody),
+      endpoint.post.in("path").out(stringBody),
       "CORS with default config; valid preflight request",
       _.corsInterceptor(CORSInterceptor.default[F])
     )(_ => pureResult("foo".asRight[Unit])) { (backend, baseUri) =>
@@ -45,7 +45,7 @@ class ServerCORSTests[F[_], OPTIONS, ROUTE](createServerTest: CreateServerTest[F
         }
     },
     testServer(
-      endpoint.options.in("path"),
+      endpoint.post.in("path"),
       "CORS with specific allowed origin, method, headers, allowed credentials and max age; preflight request with matching origin, method and headers",
       _.corsInterceptor(
         CORSInterceptor.customOrThrow[F](
@@ -74,7 +74,7 @@ class ServerCORSTests[F[_], OPTIONS, ROUTE](createServerTest: CreateServerTest[F
         }
     },
     testServer(
-      endpoint.options.in("path"),
+      endpoint.post.in("path"),
       "CORS with multiple allowed origins, method, headers, allowed credentials and max age; preflight request with matching origin, method and headers",
       _.corsInterceptor(
         CORSInterceptor.customOrThrow[F](
@@ -103,7 +103,7 @@ class ServerCORSTests[F[_], OPTIONS, ROUTE](createServerTest: CreateServerTest[F
         }
     },
     testServer(
-      endpoint.options.in("path"),
+      endpoint.post.in("path"),
       "CORS with specific allowed origin; preflight request with unsupported origin",
       _.corsInterceptor(CORSInterceptor.customOrThrow[F](CORSConfig.default.allowOrigin(Origin.Host("https", "example.com"))))
     )(noop) { (backend, baseUri) =>
@@ -115,7 +115,7 @@ class ServerCORSTests[F[_], OPTIONS, ROUTE](createServerTest: CreateServerTest[F
         }
     },
     testServer(
-      endpoint.options.in("path"),
+      endpoint.post.in("path"),
       "CORS with multiple allowed origins; preflight request with unsupported origin",
       _.corsInterceptor(
         CORSInterceptor.customOrThrow[F](CORSConfig.default.allowMatchingOrigins(Set("https://example1.com", "https://example2.com")))
@@ -129,7 +129,7 @@ class ServerCORSTests[F[_], OPTIONS, ROUTE](createServerTest: CreateServerTest[F
         }
     },
     testServer(
-      endpoint.options.in("path"),
+      endpoint.post.in("path"),
       "CORS with specific allowed method; preflight request with unsupported method",
       _.corsInterceptor(CORSInterceptor.customOrThrow[F](CORSConfig.default.allowMethods(Method.PUT)))
     )(noop) { (backend, baseUri) =>
@@ -141,7 +141,7 @@ class ServerCORSTests[F[_], OPTIONS, ROUTE](createServerTest: CreateServerTest[F
         }
     },
     testServer(
-      endpoint.options.in("path"),
+      endpoint.post.in("path"),
       "CORS with specific allowed headers; preflight request with unsupported header",
       _.corsInterceptor(CORSInterceptor.customOrThrow[F](CORSConfig.default.allowHeaders("X-Bar")))
     )(noop) { (backend, baseUri) =>
@@ -153,7 +153,7 @@ class ServerCORSTests[F[_], OPTIONS, ROUTE](createServerTest: CreateServerTest[F
         }
     },
     testServer(
-      endpoint.options.in("path"),
+      endpoint.post.in("path"),
       "CORS with reflected allowed headers; preflight request",
       _.corsInterceptor(CORSInterceptor.customOrThrow[F](CORSConfig.default.reflectHeaders))
     )(noop) { (backend, baseUri) =>
@@ -165,7 +165,7 @@ class ServerCORSTests[F[_], OPTIONS, ROUTE](createServerTest: CreateServerTest[F
         }
     },
     testServer(
-      endpoint.options.in("path"),
+      endpoint.post.in("path"),
       "CORS with custom response code for preflight requests; valid preflight request",
       _.corsInterceptor(CORSInterceptor.customOrThrow[F](CORSConfig.default.preflightResponseStatusCode(StatusCode.Ok)))
     )(noop) { (backend, baseUri) =>