From f3298726a0a68a2969bc5a23fb81032c473c622a Mon Sep 17 00:00:00 2001
From: Josh Eilers <josh.eilers@evernow.com>
Date: Fri, 29 Apr 2022 15:16:07 -0700
Subject: [PATCH] fix empty response body when allowedOrigins is set

---
 internal/core/middleware/middleware.go      |  7 ++++---
 internal/core/middleware/middleware_test.go | 20 ++++++++++++++++++++
 2 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/internal/core/middleware/middleware.go b/internal/core/middleware/middleware.go
index d0483b7d..723e8170 100644
--- a/internal/core/middleware/middleware.go
+++ b/internal/core/middleware/middleware.go
@@ -129,14 +129,15 @@ func CORS(next http.Handler) http.Handler {
 			headers = corsContext.AllowedHeaders()
 		}
 		if len(domains) > 0 {
+			domain := domains[0]
 			for _, d := range domains {
 				if r.Header.Get("Origin") == d {
-					browser.SetCORSHeaders(w, d, headers)
-					return
+					domain = d
+					break
 				}
 			}
 			// Not a valid origin, set allowed origin to any allowed origin
-			browser.SetCORSHeaders(w, domains[0], headers)
+			browser.SetCORSHeaders(w, domain, headers)
 		} else {
 			origin := browser.DefaultAllowedOrigin
 			if r.Header.Get("Origin") != "" {
diff --git a/internal/core/middleware/middleware_test.go b/internal/core/middleware/middleware_test.go
index 0cf18094..2459563c 100644
--- a/internal/core/middleware/middleware_test.go
+++ b/internal/core/middleware/middleware_test.go
@@ -353,6 +353,26 @@ func TestCORSMiddlewareOnlyCallsWrappedHandlerIfMethodIsNotOPTIONS(t *testing.T)
 	assert.Equal(t, 1, totalTimesCalled) // wrappedHandler was not called this time
 }
 
+func TestCORSMiddlewareCallsWrappedHandlerWhenOriginMatchesAndMethodIsGET(t *testing.T) {
+	totalTimesCalled := 0
+	wrappedHandler := http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+		totalTimesCalled++
+		w.WriteHeader(200)
+	})
+	corsHandler := CORS(wrappedHandler)
+
+	headers := make(http.Header)
+	headers.Set("Origin", "blah")
+	cc := testCORSContext{origins: []string{"abc", "blah"}}
+	req := buildPreRoutedRequest("GET", nil, headers, nil, nil)
+	req = req.WithContext(browser.WithCORSContext(req.Context(), cc))
+	res := httptest.NewRecorder()
+	corsHandler.ServeHTTP(res, req)
+	assert.Equal(t, 200, res.Result().StatusCode)
+	assert.Equal(t, "blah", res.Result().Header.Get("Access-Control-Allow-Origin"))
+	assert.Equal(t, 1, totalTimesCalled)
+}
+
 func TestStreaming(t *testing.T) {
 	req := buildPreRoutedRequest("GET", nil, nil, nil, nil)
 	resp := httptest.NewRecorder()