Description
I'm on version 0.8.0-next.8.
I've configured CORS like so:
```ts
API.prepare = CORS.preflight({
	origin: true,
	headers: ['Cache-Control', 'Content-Type'],
	methods: ['POST'],
	credentials: true,
});
```

My understanding is that `origin: true` will reflect the origin of the requesting domain under the `Access-Control-Allow-Origin` header. Checking the source here also indicates that: https://github.com/lukeed/worktop/blob/next/packages/worktop/src/cors.ts
This is where things get interesting.
Now, most of the time it does indeed reflect the origin of the requesting domain under the Access-Control-Allow-Origin. However, it non-deterministically returns "false" or some other domain that is not the origin of the requesting domain. I tested this by moving the cors.ts file linked above into my worktop project and modifying the bottom to be:
```ts
context.defer(res => {
	res.headers.set('x-1', JSON.stringify(origin));
	res.headers.set('x-2', JSON.stringify(options.origin));
	res.headers.set('x-3', JSON.stringify(isStatic));
	res.headers.set('x-4', JSON.stringify(typeof origin));
	headers(res, req.headers.get('Origin') ?? '', options as Config);
});
```

and altered the `headers` method to take in the origin as a parameter like so:
```ts
export function headers(res: Response, origin: string, options?: Partial<Config>): Config {
	let opts = (options ? { ...config, ...options } : config) as Required<Config>;
	res.headers.set('Access-Control-Allow-Origin', origin);
	if (opts.origin !== '*') res.headers.append('Vary', 'Origin');
	if (opts.credentials) res.headers.set('Access-Control-Allow-Credentials', 'true');
	if (opts.expose.length) res.headers.set('Access-Control-Expose-Headers', opts.expose);
	return opts;
}
```

With this setup, I got the correct `Access-Control-Allow-Origin` header but received these for the `x-` headers:

```
x-1: true
x-2: "false"
x-3: false
x-4: "boolean"
```
It seems like there's a race condition in worktop, but I can't seem to narrow it down. Happy to help chase this bug down. This stopgap solution works okay, but I'm very curious what the error actually is.
My other hypothesis is that each worker run doesn't truly run in an isolated environment and two requests are being processed in the same isolate. This would explain the random domain under x-2 that occurs sometimes.
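
The second hypothesis can be modelled in isolation. The following is an added example, not worktop's code and not part of the original report: `sharedCors`, `perRequestCors`, `interleave` and the sample origins are hypothetical names and constructed values. It assumes two requests are served by the same isolate and that both handlers run before either deferred callback does.

```typescript
// Constructed model, not worktop's code: a CORS handler factory whose closure
// state is shared by every request served by the same isolate.
type Req = { origin: string };
type Res = { headers: Map<string, string> };
type Deferred = () => void;
type Options = { origin: string | boolean };

// Shared variant: the per-request origin is written into the shared options
// object and only read back later, when the deferred callback runs.
function sharedCors(options: Options) {
  const origin = options.origin; // captured once; `true` means "reflect"
  return (req: Req, res: Res, defer: (fn: Deferred) => void) => {
    if (origin === true) options.origin = req.origin || 'false';
    defer(() => res.headers.set('Access-Control-Allow-Origin', String(options.origin)));
  };
}

// Per-request variant (the shape of the stopgap above): the value is a local
// captured by the deferred callback, so no other request can overwrite it.
function perRequestCors(options: Options) {
  return (req: Req, res: Res, defer: (fn: Deferred) => void) => {
    const allow = options.origin === true ? req.origin || 'false' : String(options.origin);
    defer(() => res.headers.set('Access-Control-Allow-Origin', allow));
  };
}

// Run every handler first, then every deferred callback, which is the ordering
// that occurs when route handlers await I/O while another request arrives.
function interleave(factory: typeof sharedCors, origins: string[]): string[] {
  const handler = factory({ origin: true });
  const queue: Deferred[] = [];
  const responses = origins.map((o) => {
    const res: Res = { headers: new Map() };
    handler({ origin: o }, res, (fn) => queue.push(fn));
    return res;
  });
  queue.forEach((fn) => fn());
  return responses.map((r) => r.headers.get('Access-Control-Allow-Origin') ?? '');
}

const ORIGINS = ['https://a.example', 'https://b.example']; // constructed sample
console.log('shared     :', interleave(sharedCors, ORIGINS));
console.log('per-request:', interleave(perRequestCors, ORIGINS));
```

In the shared variant the first response carries the second request's origin, which matches the "some other domain" symptom; with `credentials: true` that response is rejected by the first caller's browser.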