fix: don't respond to OPTIONS requests for non-oauth requests (#539)

Author: APTy

src/middleware/handle-request.ts

@@ -12,6 +12,13 @@ export async function handleRequest(
   { pathPrefix = "/api/github/oauth" }: HandlerOptions,
   request: OctokitRequest,
 ): Promise<OctokitResponse | undefined> {
+  // request.url may include ?query parameters which we don't want for `route`
+  // hence the workaround using new URL()
+  let { pathname } = new URL(request.url as string, "http://localhost");
+  if (!pathname.startsWith(`${pathPrefix}/`)) {
+    return undefined;
+  }
+
   if (request.method === "OPTIONS") {
     return {
       status: 200,
@@ -24,12 +31,6 @@ export async function handleRequest(
     };
   }
 
-  // request.url may include ?query parameters which we don't want for `route`
-  // hence the workaround using new URL()
-  let { pathname } = new URL(request.url as string, "http://localhost");
-  if (!pathname.startsWith(`${pathPrefix}/`)) {
-    return undefined;
-  }
   pathname = pathname.slice(pathPrefix.length + 1);
 
   const route = [request.method, pathname].join(" ");

test/node-middleware.test.ts

@@ -27,6 +27,45 @@ describe("createNodeMiddleware(app)", () => {
     server.close();
 
     expect(response.status).toEqual(200);
+    expect(response.headers.get("access-control-allow-origin")).toEqual("*");
+    expect(response.headers.get("access-control-allow-methods")).toEqual("*");
+    expect(response.headers.get("access-control-allow-headers")).toEqual(
+      "Content-Type, User-Agent, Authorization",
+    );
+  });
+
+  it("doesn't overwrite pre-flight requests unrelated to github oauth", async () => {
+    const app = new OAuthApp({
+      clientId: "0123",
+      clientSecret: "0123secret",
+    });
+
+    const server = createServer((req, res) => {
+      if (req.url === "/health") {
+        res.writeHead(200, {
+          "Content-Type": "text/plain",
+          "Access-Control-Allow-Origin": "http://localhost:8080",
+        });
+        res.end("OK");
+        return;
+      }
+      createNodeMiddleware(app);
+    }).listen();
+    // @ts-expect-error complains about { port } although it's included in returned AddressInfo interface
+    const { port } = server.address();
+
+    const response = await fetch(`http://localhost:${port}/health`, {
+      method: "OPTIONS",
+    });
+
+    server.close();
+
+    expect(response.status).toEqual(200);
+    expect(response.headers.get("access-control-allow-origin")).toEqual(
+      "http://localhost:8080",
+    );
+    expect(response.headers.get("access-control-allow-methods")).toEqual(null);
+    expect(response.headers.get("access-control-allow-headers")).toEqual(null);
   });
 
   it("GET /api/github/oauth/login", async () => {