Credential is not supported if Allowed Origin is '*'

bugdea1er · bugdea1er · commit 2b806701fcc9 · 2025-01-09T12:57:02.000+03:00
diff --git a/include/crow/middlewares/cors.h b/include/crow/middlewares/cors.h
@@ -118,15 +118,20 @@ namespace crow
         }
 
         /// Set response headers
-        void apply(crow::response& res)
+        void apply(const request& req, response& res)
         {
             if (ignore_) return;
-            set_header_no_override("Access-Control-Allow-Origin", origin_, res);
+
             set_header_no_override("Access-Control-Allow-Methods", methods_, res);
             set_header_no_override("Access-Control-Allow-Headers", headers_, res);
             set_header_no_override("Access-Control-Expose-Headers", exposed_headers_, res);
             set_header_no_override("Access-Control-Max-Age", max_age_, res);
             if (allow_credentials_) set_header_no_override("Access-Control-Allow-Credentials", "true", res);
+
+            if (allow_credentials_ && origin_ == "*")
+                set_header_no_override("Access-Control-Allow-Origin", req.get_header_value("Origin"), res);
+            else
+                set_header_no_override("Access-Control-Allow-Origin", origin_, res);
         }
 
         bool ignore_ = false;
@@ -158,7 +163,7 @@ namespace crow
         void after_handle(crow::request& req, crow::response& res, context& /*ctx*/)
         {
             auto& rule = find_rule(req.url);
-            rule.apply(res);
+            rule.apply(req, res);
         }
 
         /// Handle CORS on a specific prefix path
diff --git a/tests/unittest.cpp b/tests/unittest.cpp
@@ -1937,6 +1937,8 @@ TEST_CASE("middleware_cors")
     cors
       .prefix("/origin")
         .origin("test.test")
+      .prefix("/auth-origin")
+        .allow_credentials()
       .prefix("/expose")
         .expose("exposed-header")
       .prefix("/nocors")
@@ -1953,6 +1955,11 @@ TEST_CASE("middleware_cors")
         return "-";
     });
 
+    CROW_ROUTE(app, "/auth-origin")
+    ([&](const request&) {
+        return "-";
+    });
+
     CROW_ROUTE(app, "/expose")
     ([&](const request&) {
         return "-";
@@ -1979,6 +1986,10 @@ TEST_CASE("middleware_cors")
                                "GET /origin\r\n\r\n");
     CHECK(resp.find("Access-Control-Allow-Origin: test.test") != std::string::npos);
 
+    resp = HttpClient::request(LOCALHOST_ADDRESS, port,
+                                    "GET /auth-origin\r\nOrigin: test-client\r\n\r\n");
+    CHECK(resp.find("Access-Control-Allow-Origin: test-client") != std::string::npos);
+
     resp = HttpClient::request(LOCALHOST_ADDRESS, port,
                                "GET /expose\r\n\r\n");
     CHECK(resp.find("Access-Control-Expose-Headers: exposed-header") != std::string::npos);

Original file line number	Diff line number	Diff line change
`@@ -118,15 +118,20 @@ namespace crow`
`118`	`118`	`}`
`119`	`119`
`120`	`120`	`/// Set response headers`
`121`		`- void apply(crow::response& res)`
	`121`	`+ void apply(const request& req, response& res)`
`122`	`122`	`{`
`123`	`123`	`if (ignore_) return;`
`124`		`- set_header_no_override("Access-Control-Allow-Origin", origin_, res);`
	`124`	`+`
`125`	`125`	`set_header_no_override("Access-Control-Allow-Methods", methods_, res);`
`126`	`126`	`set_header_no_override("Access-Control-Allow-Headers", headers_, res);`
`127`	`127`	`set_header_no_override("Access-Control-Expose-Headers", exposed_headers_, res);`
`128`	`128`	`set_header_no_override("Access-Control-Max-Age", max_age_, res);`
`129`	`129`	`if (allow_credentials_) set_header_no_override("Access-Control-Allow-Credentials", "true", res);`
	`130`	`+`
	`131`	`+ if (allow_credentials_ && origin_ == "*")`
	`132`	`+ set_header_no_override("Access-Control-Allow-Origin", req.get_header_value("Origin"), res);`
	`133`	`+ else`
	`134`	`+ set_header_no_override("Access-Control-Allow-Origin", origin_, res);`
`130`	`135`	`}`
`131`	`136`
`132`	`137`	`bool ignore_ = false;`
`@@ -158,7 +163,7 @@ namespace crow`
`158`	`163`	`void after_handle(crow::request& req, crow::response& res, context& /ctx/)`
`159`	`164`	`{`
`160`	`165`	`auto& rule = find_rule(req.url);`
`161`		`- rule.apply(res);`
	`166`	`+ rule.apply(req, res);`
`162`	`167`	`}`
`163`	`168`
`164`	`169`	`/// Handle CORS on a specific prefix path`