fix(server): cors support for 404 responses (#1912)

Fdawgs · Aug 28, 2024 · b059ec3 · b059ec3
1 parent 6af259a
commit b059ec3
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 12 deletions.
diff --git a/src/server.js b/src/server.js
@@ -8,6 +8,7 @@ const { joinSafe } = require("upath");
 const accepts = require("@fastify/accepts");
 const bearer = require("@fastify/bearer-auth");
 const compress = require("@fastify/compress");
+const cors = require("@fastify/cors");
 const helmet = require("@fastify/helmet");
 const disableCache = require("fastify-disablecache");
 const flocOff = require("fastify-floc-off");
@@ -191,15 +192,23 @@ async function plugin(server, config) {
 				});
 		})
 
-		// Rate limit 404 responses
-		.setNotFoundHandler(
-			{
-				preHandler: server.rateLimit(),
-			},
-			(req, res) => {
-				res.notFound(`Route ${req.method}:${req.url} not found`);
-			}
-		)
+		/**
+		 * Encapsulate the 404 handler into a child context, so that CORS
+		 * headers can be set explicitly for 404 responses.
+		 */
+		.register(async (notFoundContext) => {
+			await notFoundContext.register(cors, config.cors);
+
+			notFoundContext.setNotFoundHandler(
+				{
+					// Rate limit 404 responses to prevent URL enumeration
+					preHandler: server.rateLimit(),
+				},
+				(req, res) => {
+					res.notFound(`Route ${req.method}:${req.url} not found`);
+				}
+			);
+		})
 
 		// Errors thrown by routes and plugins are caught here
 		// eslint-disable-next-line promise/prefer-await-to-callbacks -- False positive

diff --git a/src/server.test.js b/src/server.test.js
@@ -904,7 +904,7 @@ describe("Server deployment", () => {
 							delete expResHeadersCors["content-type"];
 
 							/**
-							 * Vary header should not be set if CORS_ORIGIN is a a single domain
+							 * Vary header should not be set if CORS_ORIGIN is a single domain
 							 * or wildcard.
 							 * @see {@link https://github.com/fastify/fastify-cors/issues/287}
 							 */
@@ -971,7 +971,9 @@ describe("Server deployment", () => {
 							statusCode: 404,
 						});
 						expect(response.headers).toStrictEqual(
-							expResHeaders404Errors
+							envVariables.CORS_ORIGIN
+								? expected.response.headers.json
+								: expResHeaders404Errors
 						);
 						expect(response.statusCode).toBe(404);
 					});
@@ -982,14 +984,20 @@ describe("Server deployment", () => {
 							url: "/invalid",
 							headers: {
 								accept: "application/xml",
+								origin: request.headers.origin,
 							},
 						});
 
 						expect(response.body).toBe(
 							'<?xml version="1.0" encoding="UTF-8"?><response><statusCode>404</statusCode><error>Not Found</error><message>Route GET:/invalid not found</message></response>'
 						);
 						expect(response.headers).toStrictEqual(
-							expResHeaders404ErrorsXml
+							envVariables.CORS_ORIGIN
+								? {
+										...expected.response.headers.json,
+										...expResHeaders404ErrorsXml,
+									}
+								: expResHeaders404ErrorsXml
 						);
 						expect(response.statusCode).toBe(404);
 					});