fix(gateway): allow browser CORS preflight without publishable key #28

Open

bjstarlight wants to merge 1 commit into PACTO-LAT:main from bjstarlight:fix/cors-preflight-browser-support

Conversation

@bjstarlight


Summary

This PR fixes browser CORS preflight handling for /v1/session.

Currently, browser-generated OPTIONS requests are rejected with 401 Unauthorized because the publishable key validation runs before the preflight handler. Since browsers do not include application headers such as x-pacto-publishable-key on preflight requests, this prevents the actual POST request from ever being sent.

Changes

  • Handle OPTIONS requests before publishable key validation.
  • Return the existing CORS headers for browser preflight requests.
  • Remove the unreachable preflight handler later in the middleware.
  • Update the existing preflight test to match real browser behaviour.
  • Add a regression test to ensure OPTIONS requests without a publishable key continue returning 204.

Verification

  • All gateway tests pass (21/21).
  • Existing security checks for publishable keys and allowed origins remain unchanged for actual application requests.
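
A minimal model of the middleware ordering this PR describes, added here as an illustration and not the PACTO-LAT gateway's own code: the origin allowlist, key set, handler names and request objects are all constructed assumptions.

```javascript
// Added illustration (not the gateway's code): the /v1/session middleware
// chain before and after moving the OPTIONS preflight ahead of the key check.
// ALLOWED_ORIGINS, VALID_KEYS and handleSession are assumed/constructed names.
const ALLOWED_ORIGINS = new Set(["https://app.example.test"]); // constructed
const VALID_KEYS = new Set(["pk_test_constructed"]);           // constructed

function corsHeaders(origin) {
  return {
    "access-control-allow-origin": origin,
    "access-control-allow-methods": "POST, OPTIONS",
    "access-control-allow-headers": "content-type, x-pacto-publishable-key",
  };
}

// Each middleware returns a response to short-circuit, or null to continue.
function preflight(req) {
  if (req.method !== "OPTIONS") return null;
  const origin = req.headers.origin;
  // Assumption: a disallowed origin gets 204 without CORS headers (browser blocks).
  const headers = ALLOWED_ORIGINS.has(origin) ? corsHeaders(origin) : {};
  return { status: 204, headers };
}

function requirePublishableKey(req) {
  // Browsers omit custom headers on preflight, so this must not run before preflight().
  const key = req.headers["x-pacto-publishable-key"];
  return key && VALID_KEYS.has(key) ? null : { status: 401, headers: {} };
}

function handleSession(req) {
  const origin = req.headers.origin;
  const headers = ALLOWED_ORIGINS.has(origin) ? corsHeaders(origin) : {};
  return { status: 200, headers, body: { session: "constructed-session-id" } };
}

function runChain(req, chain) {
  for (const mw of chain) {
    const res = mw(req);
    if (res) return res;
  }
  return { status: 404, headers: {} };
}

// Before: key validation runs first, so the browser's OPTIONS gets 401 and
// the POST that would carry the key is never sent.
const BROKEN_CHAIN = [requirePublishableKey, preflight, handleSession];
// After: OPTIONS is answered first; POST without a key is still rejected.
const FIXED_CHAIN = [preflight, requirePublishableKey, handleSession];
```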
