From 83d866f7511983e1dcbc5470a489247b42515e1c Mon Sep 17 00:00:00 2001 From: Christopher Stoll Date: Fri, 28 Jul 2017 15:11:17 -0400 Subject: [PATCH] Add support for overridding cors response header values --- README.md | 10 ++++++++++ bin/canned | 12 ++++++++++++ lib/canned.js | 5 ++++- lib/response.js | 23 +++++++++++------------ spec/canned.spec.js | 24 ++++++++++++++++++++++++ 5 files changed, 61 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index 2549933..459e6bb 100644 --- a/README.md +++ b/README.md @@ -288,6 +288,14 @@ If for whatever reason you want to turn of CORS support do so via $ canned --cors=false ./my/responses/ +If you need to override the values of the cors response headers + + $ canned \ + --access_control_allow_credentials "true" \ + --access_control_allow_headers "authorization" \ + --access_control_allow_origin "http://0.0.0.0:3000" \ + ./my/responses/ + Also if you need additional headers to be served alongside the CORS headers these can be added like this (thanks to runemadsen) @@ -355,6 +363,7 @@ feel free to [bug me on twitter](https://twitter.com/ischi) Release History --------------- ### next +* adding support for overridding cors response header values * adding PATCH to default Access-Control-Allow-Method Cors header #113 (@william-mcmillian) * adding support for delayed responses #114 (@Onatolich) * adding support to make sanatize optional #115 (@YuliyaMarholina) @@ -453,6 +462,7 @@ Contributors * [mazoni](https://github.com/mazoni) * [william-mcmillian](https://github.com/william-mcmillian) * [Onatolich](https://github.com/Onatolich) +* [stollcri](https://github.com/stollcri) License ------- diff --git a/bin/canned b/bin/canned index c86d937..4667278 100755 --- a/bin/canned +++ b/bin/canned 
@@ -18,6 +18,12 @@ var canned = require('../index') .describe('cors', 'disable cors support') .default('headers', false) .describe('headers', 'add custom headers allowed in cors requests') + .default('access_control_allow_credentials', 'false') + .describe('access_control_allow_credentials', 'overide cors credentials') + .default('access_control_allow_headers', 'X-Requested-With') + .describe('access_control_allow_headers', 'overide cors headers') + .default('access_control_allow_origin', '*') + .describe('access_control_allow_origin', 'overide cors origin') .default('h', false) .alias('h', 'help') .describe('h', 'show the help') @@ -34,6 +40,9 @@ var dir = '' , relaxed_accept = argv.relaxed_accept , cors = argv.cors , cors_headers = argv.headers +, access_control_allow_credentials = argv.access_control_allow_credentials +, access_control_allow_headers = argv.access_control_allow_headers +, access_control_allow_origin = argv.access_control_allow_origin , logger , cannedDir , wildcard = argv.wildcard @@ -53,6 +62,9 @@ var can = canned(dir, { relaxed_accept: relaxed_accept, cors: cors, cors_headers: cors_headers, + access_control_allow_credentials: access_control_allow_credentials, + access_control_allow_headers: access_control_allow_headers, + access_control_allow_origin: access_control_allow_origin, wildcard: wildcard, response_delay: response_delay }) diff --git a/lib/canned.js b/lib/canned.js index 73dd5a1..774c4d4 100644 --- a/lib/canned.js +++ b/lib/canned.js @@ -21,7 +21,10 @@ function Canned(dir, options) { this.response_opts = { response_delay: options.response_delay, cors_enabled: options.cors, - cors_headers: cors_headers + cors_headers: cors_headers, + access_control_allow_credentials: options.access_control_allow_credentials, + access_control_allow_headers: options.access_control_allow_headers, + access_control_allow_origin: options.access_control_allow_origin } this.dir = process.cwd() + '/' + dir } 
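Review bot: The three new `.describe(...)` strings in the option block of `bin/canned` misspell "override" and do not name the response header each flag controls, so `--help` gives an operator little to go on. Wording such as `.describe('access_control_allow_origin', 'override the Access-Control-Allow-Origin response header')` would be clearer, and likewise for the other two flags. The credentials description should also say that browsers refuse credentialed requests while the origin stays at its default `*`, since that is the first thing a user of this flag will hit. The remaining hunks in this file only pass the parsed values through.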
diff --git a/lib/response.js b/lib/response.js index 34c179b..3d963f8 100644 --- a/lib/response.js +++ b/lib/response.js @@ -4,6 +4,9 @@ var fs = require('fs') function Response(content_type, content, statusCode, res, options, custom_headers) { this.cors_enabled = !!options.cors_enabled this.cors_headers = options.cors_headers + this.access_control_allow_credentials = options.access_control_allow_credentials || 'false' + this.access_control_allow_headers = options.access_control_allow_headers || 'X-Requested-With' + this.access_control_allow_origin = options.access_control_allow_origin || '*' this.response_delay = options.response_delay this.content_type = content_type this.content = content @@ -19,12 +22,6 @@ Response.content_types = { 'js': 'application/javascript' } -Response.cors_headers = [ - ['Access-Control-Allow-Origin', '*'], - ['Access-Control-Allow-Headers', 'X-Requested-With'], - ['Access-Control-Allow-Methods', 'GET, POST, PUT, PATCH, DELETE, OPTIONS'] -] - Response.prototype.send = function () { this.headers().forEach(function (header) { this.res.setHeader(header[0], header[1]) 
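Review bot: The `||` fallbacks added to the `Response` constructor treat every falsy value as "not set", so an empty `access_control_allow_origin` silently becomes the wildcard `*` instead of being passed through or rejected. The same three defaults are also declared in `bin/canned`, so the two copies can drift apart. I would keep the defaults in one place and fall back only when the option is absent, e.g. `options.access_control_allow_origin === undefined ? '*' : options.access_control_allow_origin`. The constructor body continues outside the hunk.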
@@ -52,12 +49,14 @@ Response.prototype._addContentTypeHeaders = function (headers) { Response.prototype._addCORSHeaders = function (headers) { var that = this; if (this.cors_enabled) { - Response.cors_headers.forEach(function (h) { - if (!!that.cors_headers && h[0] === 'Access-Control-Allow-Headers') - headers.push([h[0], h[1] + ", " + that.cors_headers]) - else - headers.push(h) - }) + headers.push(['Access-Control-Allow-Credentials', that.access_control_allow_credentials]) + if (!!that.cors_headers) { + headers.push(['Access-Control-Allow-Headers', that.access_control_allow_headers + ", " + that.cors_headers]) + } else { + headers.push(['Access-Control-Allow-Headers', that.access_control_allow_headers]) + } + headers.push(['Access-Control-Allow-Origin', that.access_control_allow_origin]) + headers.push(['Access-Control-Allow-Methods', 'GET, POST, PUT, PATCH, DELETE, OPTIONS']) } return headers } diff --git a/spec/canned.spec.js b/spec/canned.spec.js index 5a9761a..a845a11 100644 --- a/spec/canned.spec.js +++ b/spec/canned.spec.js @@ -461,6 +461,30 @@ describe('canned', function () { } can2(req, res) }) + + it('overrides Access-Control-Allow-* response headers', function (done) { + var can2 = canned('./spec/test_responses', { + cors: true, + access_control_allow_credentials: "true", + access_control_allow_headers: "authorization", + access_control_allow_origin: "http://0.0.0.0:3000" + }) + req.url = '/' + var expectedHeaders = { + 'Access-Control-Allow-Credentials': "true", + 'Access-Control-Allow-Headers': "authorization", + 'Access-Control-Allow-Origin': "http://0.0.0.0:3000" + } + res.setHeader = function (name, value) { + if (expectedHeaders[name]) { + expect(expectedHeaders[name]).toBe(value) + delete expectedHeaders[name] + } + // all expected headers have been set! + if (Object.keys(expectedHeaders).length === 0) done() + } + can2(req, res) + }) }) describe('variable GET responses', function () {
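Review bot: `_addCORSHeaders` now sends `Access-Control-Allow-Credentials` on every CORS response, including the default `'false'`, and nothing prevents `true` from being paired with the default origin `*`. The header only has meaning when its value is `true`, and browsers reject credentialed requests when the allowed origin is the wildcard, so that pairing fails on the client with no hint from the server. I would push the header only when it is enabled, `if (String(that.access_control_allow_credentials) === 'true') headers.push(['Access-Control-Allow-Credentials', 'true'])`, and log a warning when it is enabled while the origin is still `*`. If this is revisited, a fixed list of allowed origins is the safer direction; echoing the request's `Origin` back would extend credentialed access to every site.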
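Review bot: The stubbed `res.setHeader` in the new spec calls `done()` on every invocation once `expectedHeaders` is empty, and the `lib/response.js` hunk pushes `Access-Control-Allow-Methods` after the origin header, so `done()` appears to fire more than once. A guard such as `if (!finished && Object.keys(expectedHeaders).length === 0) { finished = true; done() }` avoids that. The spec also exercises only the override path; a second case asserting the defaults (`*` and `X-Requested-With`) would pin the behaviour that the removed `Response.cors_headers` table used to provide. The enclosing `describe` block starts outside the hunk.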