KTOR-4499 Fix 405 by adding tailcard OPTIONS route where the plugin is installed (#4943)

Stexxe · web-flow · commit fdf7d362141e · 2025-07-14T09:27:30.000+03:00
diff --git a/ktor-server/ktor-server-core/common/src/io/ktor/server/application/ApplicationPlugin.kt b/ktor-server/ktor-server-core/common/src/io/ktor/server/application/ApplicationPlugin.kt
@@ -168,6 +168,10 @@ private fun <B : Any, F : Any> RoutingNode.installIntoRoute(
     val installed = plugin.install(fakePipeline, configure)
     pluginRegistry.put(plugin.key, installed)
 
+    for (child in fakePipeline.children) { // We need to transfer nodes added into the fake pipeline
+        copyChildrenRecursively(child)
+    }
+
     mergePhases(fakePipeline)
     receivePipeline.mergePhases(fakePipeline.receivePipeline)
     sendPipeline.mergePhases(fakePipeline.sendPipeline)
@@ -179,6 +183,18 @@ private fun <B : Any, F : Any> RoutingNode.installIntoRoute(
     return installed
 }
 
+private fun Route.copyChildrenRecursively(child: RoutingNode) {
+    val copiedChild = createChild(child.selector)
+
+    for (handler in child.handlers) {
+        copiedChild.handle(handler)
+    }
+
+    for (ch in child.children) {
+        copiedChild.copyChildrenRecursively(ch)
+    }
+}
+
 private fun <B : Any, F : Any, TSubject, TContext, P : Pipeline<TSubject, TContext>> P.addAllInterceptors(
     fakePipeline: P,
     plugin: BaseRouteScopedPlugin<B, F>,
diff --git a/ktor-server/ktor-server-plugins/ktor-server-cors/common/src/io/ktor/server/plugins/cors/routing/CORS.kt b/ktor-server/ktor-server-plugins/ktor-server-cors/common/src/io/ktor/server/plugins/cors/routing/CORS.kt
@@ -6,6 +6,7 @@ package io.ktor.server.plugins.cors.routing
 
 import io.ktor.server.application.*
 import io.ktor.server.plugins.cors.*
+import io.ktor.server.routing.options
 
 /**
  * A plugin that allows you to configure handling cross-origin requests.
@@ -24,5 +25,9 @@ import io.ktor.server.plugins.cors.*
  * [Report a problem](https://ktor.io/feedback/?fqname=io.ktor.server.plugins.cors.routing.CORS)
  */
 public val CORS: RouteScopedPlugin<CORSConfig> = createRouteScopedPlugin("CORS", ::CORSConfig) {
+    route?.options("{cors-options-wildcard...}") {
+        // Handled by an interceptor of the Call phase added in the plugin
+    }
+
     buildPlugin()
 }
diff --git a/ktor-server/ktor-server-tests/common/test/io/ktor/tests/server/plugins/CORSTest.kt b/ktor-server/ktor-server-tests/common/test/io/ktor/tests/server/plugins/CORSTest.kt
@@ -9,7 +9,8 @@ import io.ktor.client.statement.*
 import io.ktor.http.*
 import io.ktor.server.application.*
 import io.ktor.server.application.hooks.*
-import io.ktor.server.plugins.cors.routing.*
+import io.ktor.server.plugins.cors.routing.CORS
+import io.ktor.server.request.httpMethod
 import io.ktor.server.response.*
 import io.ktor.server.routing.*
 import io.ktor.server.testing.*
@@ -125,6 +126,14 @@ class CORSTest {
             }
         }
 
+        client.options("/1") {
+            header(HttpHeaders.Origin, "http://my-host")
+            header(HttpHeaders.AccessControlRequestMethod, "GET")
+        }.let { response ->
+            assertEquals(HttpStatusCode.OK, response.status)
+            assertEquals("http://my-host", response.headers[HttpHeaders.AccessControlAllowOrigin])
+        }
+
         client.get("/1") {
             header(HttpHeaders.Origin, "http://my-host")
         }.let { response ->
@@ -1275,4 +1284,312 @@ class CORSTest {
             }.status
         )
     }
+
+    @Test
+    fun preflightRoutingCorsAfter() = testApplication {
+        routing {
+            get("/test") {
+                call.respond("OK")
+            }
+
+            install(CORS) {
+                allowHost("example.com")
+            }
+        }
+
+        val response = client.options("/test") {
+            header(HttpHeaders.Origin, "https://example.com")
+            header(HttpHeaders.AccessControlRequestMethod, "GET")
+        }
+
+        assertEquals(response.status, HttpStatusCode.OK)
+        assertEquals(HttpHeaders.Origin, response.headers[HttpHeaders.Vary])
+        assertEquals("https://example.com", response.headers[HttpHeaders.AccessControlAllowOrigin])
+    }
+
+    @Test
+    fun preflightRoutingNested() = testApplication {
+        routing {
+            install(CORS) {
+                allowHost("example.com")
+            }
+
+            route("/sub") {
+                install(CORS) {
+                    allowHost("another.com")
+                }
+
+                get {
+                    call.respond("OK")
+                }
+            }
+
+            get {
+                call.respond("OK")
+            }
+        }
+
+        client.options("/sub") {
+            header(HttpHeaders.Origin, "https://another.com")
+            header(HttpHeaders.AccessControlRequestMethod, "GET")
+        }.let { response ->
+            assertEquals(response.status, HttpStatusCode.OK)
+            assertEquals(HttpHeaders.Origin, response.headers[HttpHeaders.Vary])
+            assertEquals("https://another.com", response.headers[HttpHeaders.AccessControlAllowOrigin])
+        }
+
+        client.options("/sub") {
+            header(HttpHeaders.Origin, "https://example.com")
+            header(HttpHeaders.AccessControlRequestMethod, "GET")
+        }.let { response ->
+            assertEquals(response.status, HttpStatusCode.Forbidden)
+        }
+
+        client.options("/") {
+            header(HttpHeaders.Origin, "https://example.com")
+            header(HttpHeaders.AccessControlRequestMethod, "GET")
+        }.let { response ->
+            assertEquals(response.status, HttpStatusCode.OK)
+            assertEquals(HttpHeaders.Origin, response.headers[HttpHeaders.Vary])
+            assertEquals("https://example.com", response.headers[HttpHeaders.AccessControlAllowOrigin])
+        }
+
+        client.options("/") {
+            header(HttpHeaders.Origin, "https://another.com")
+            header(HttpHeaders.AccessControlRequestMethod, "GET")
+        }.let { response ->
+            assertEquals(response.status, HttpStatusCode.Forbidden)
+        }
+    }
+
+    @Test
+    fun preflightNoRouting() = testApplication {
+        application {
+            intercept(ApplicationCallPipeline.Call) {
+                if (context.request.httpMethod == HttpMethod.Get) {
+                    call.respondText("OK")
+                }
+            }
+        }
+
+        install(CORS) {
+            allowHost("example.com")
+        }
+
+        client.options("/") {
+            header(HttpHeaders.Origin, "https://example.com")
+            header(HttpHeaders.AccessControlRequestMethod, "GET")
+        }.let { response ->
+            assertEquals(response.status, HttpStatusCode.OK)
+            assertEquals(HttpHeaders.Origin, response.headers[HttpHeaders.Vary])
+            assertEquals("https://example.com", response.headers[HttpHeaders.AccessControlAllowOrigin])
+        }
+
+        client.get("/") {
+            header(HttpHeaders.Origin, "https://example.com")
+        }.let { response ->
+            assertEquals(response.status, HttpStatusCode.OK)
+            assertEquals(response.bodyAsText(), "OK")
+            assertEquals(HttpHeaders.Origin, response.headers[HttpHeaders.Vary])
+            assertEquals("https://example.com", response.headers[HttpHeaders.AccessControlAllowOrigin])
+        }
+    }
+
+    @Test
+    fun preflightHasOptionsRoute() = testApplication {
+        routing {
+            route("/test") {
+                get {
+                    call.respond("OK")
+                }
+
+                options {
+                    call.respond("OPTIONS")
+                }
+            }
+        }
+
+        install(CORS) {
+            allowHost("example.com")
+        }
+
+        client.options("/test") {
+            header(HttpHeaders.Origin, "https://example.com")
+            header(HttpHeaders.AccessControlRequestMethod, "GET")
+        }.let { response ->
+            assertEquals(response.status, HttpStatusCode.OK)
+            assertEquals(HttpHeaders.Origin, response.headers[HttpHeaders.Vary])
+            assertEquals("https://example.com", response.headers[HttpHeaders.AccessControlAllowOrigin])
+        }
+    }
+
+    @Test
+    fun preflightRoutingHasOptionsRouteAfter() = testApplication {
+        routing {
+            route("/test") {
+                install(CORS) {
+                    allowHost("example.com")
+                }
+
+                get {
+                    call.respond("OK")
+                }
+
+                options {
+                    call.respond("OPTIONS")
+                }
+            }
+        }
+
+        client.options("/test") {
+            header(HttpHeaders.Origin, "https://example.com")
+            header(HttpHeaders.AccessControlRequestMethod, "GET")
+        }.let { response ->
+            assertEquals(response.status, HttpStatusCode.OK)
+            assertEquals(HttpHeaders.Origin, response.headers[HttpHeaders.Vary])
+            assertEquals("https://example.com", response.headers[HttpHeaders.AccessControlAllowOrigin])
+        }
+    }
+
+    @Test
+    fun preflightRoutingHasOptionsRouteBefore() = testApplication {
+        routing {
+            route("/test") {
+                options {
+                    call.respond("OPTIONS")
+                }
+
+                install(CORS) {
+                    allowHost("example.com")
+                }
+
+                get {
+                    call.respond("OK")
+                }
+            }
+        }
+
+        client.options("/test") {
+            header(HttpHeaders.Origin, "https://example.com")
+            header(HttpHeaders.AccessControlRequestMethod, "GET")
+        }.let { response ->
+            assertEquals(response.status, HttpStatusCode.OK)
+            assertEquals(HttpHeaders.Origin, response.headers[HttpHeaders.Vary])
+            assertEquals("https://example.com", response.headers[HttpHeaders.AccessControlAllowOrigin])
+        }
+    }
+
+    @Test
+    fun preflightAllowedMethodsConfinedToRoutes() = testApplication {
+        routing {
+            route("/test") {
+                install(CORS) {
+                    allowHost("example.com")
+                    allowMethod(HttpMethod.Put)
+                }
+            }
+
+            route("/other") {
+                install(CORS) {
+                    allowHost("example.com")
+                    allowMethod(HttpMethod.Patch)
+                }
+            }
+        }
+
+        client.options("/test") {
+            header(HttpHeaders.Origin, "https://example.com")
+            header(HttpHeaders.AccessControlRequestMethod, "PUT")
+        }.let { response ->
+            assertEquals(response.status, HttpStatusCode.OK)
+            assertEquals(HttpHeaders.Origin, response.headers[HttpHeaders.Vary])
+            assertEquals("https://example.com", response.headers[HttpHeaders.AccessControlAllowOrigin])
+        }
+
+        client.options("/test") {
+            header(HttpHeaders.Origin, "https://example.com")
+            header(HttpHeaders.AccessControlRequestMethod, "PATCH")
+        }.let { response ->
+            assertEquals(response.status, HttpStatusCode.Forbidden)
+        }
+
+        client.options("/other") {
+            header(HttpHeaders.Origin, "https://example.com")
+            header(HttpHeaders.AccessControlRequestMethod, "PATCH")
+        }.let { response ->
+            assertEquals(response.status, HttpStatusCode.OK)
+            assertEquals(HttpHeaders.Origin, response.headers[HttpHeaders.Vary])
+            assertEquals("https://example.com", response.headers[HttpHeaders.AccessControlAllowOrigin])
+        }
+
+        client.options("/other") {
+            header(HttpHeaders.Origin, "https://example.com")
+            header(HttpHeaders.AccessControlRequestMethod, "PUT")
+        }.let { response ->
+            assertEquals(response.status, HttpStatusCode.Forbidden)
+        }
+    }
+
+    @Test
+    fun preflightPluginInParentHandlesChildRoutes() = testApplication {
+        routing {
+            route("/outer") {
+                install(CORS) {
+                    anyHost()
+                }
+
+                route("/inner1") {
+                    route("/inner2") {
+                        get {
+                            call.respond("OK")
+                        }
+                    }
+                }
+            }
+        }
+
+        client.options("/outer/inner1/inner2") {
+            header(HttpHeaders.Origin, "https://example.com")
+            header(HttpHeaders.AccessControlRequestMethod, "GET")
+        }.let { response ->
+            assertEquals(response.status, HttpStatusCode.OK)
+            assertEquals("*", response.headers[HttpHeaders.AccessControlAllowOrigin])
+        }
+    }
+
+    @Test
+    fun preflightNoEffectWithoutOriginHeader() = testApplication {
+        routing {
+            install(CORS) {
+                anyHost()
+            }
+        }
+
+        client.options("/") {
+            header(HttpHeaders.AccessControlRequestMethod, "GET")
+        }.let { response ->
+            assertEquals(response.status, HttpStatusCode.NotFound)
+            assertNull(response.headers[HttpHeaders.AccessControlAllowOrigin])
+        }
+    }
+
+    @Test
+    fun routeInsideCorsPluginConfig() = testApplication {
+        routing {
+            install(CORS) {
+                route("/abc") {
+                    get {
+                        call.respond("OK")
+                    }
+                }
+            }
+        }
+
+        client.options("/abc") {
+            header(HttpHeaders.Origin, "https://example.com")
+            header(HttpHeaders.AccessControlRequestMethod, "GET")
+        }.let { response ->
+            assertEquals(response.status, HttpStatusCode.Forbidden)
+        }
+    }
 }
