restify-cors-middleware/src/index.js

var restify = require('restify');
var util    = require('util');

DEFAULT_ALLOW_HEADERS = restify.CORS.ALLOW_HEADERS;

var HTTP_NO_CONTENT = 204;

function matchOrigin(req, origins) {
  var origin = req.headers["origin"];
  function belongs(o) {
    if (origin === o || o === "*") {
      origin = o;
      return true;
    }
    return false;
  }
  if (origin && origins.some(belongs)) {
    return origin;
  } else {
    return false;
  }
}

function preflightHandler(options) {
  return function(req, res, next) {
    if (req.method !== 'OPTIONS') return next();

    // 6.2.1 and 6.2.2
    if (matchOrigin(req, options.origins) === false) return next();

    // 6.2.3
    requestedMethod = req.headers['access-control-request-method'];
    if (!requestedMethod) return next();

    // 6.2.4
    requestedHeaders = req.headers['access-control-request-headers'];
    requestedHeaders = requestedHeaders ? requestedHeaders.split(', ') : [];

    allowedMethods = [requestedMethod, 'OPTIONS'];
    allowedHeaders = DEFAULT_ALLOW_HEADERS.concat(['x-requested-with'])
                                          .concat(options.allowHeaders);

    // 6.2.7
    res.header('Access-Control-Allow-Origin', req.headers['origin']);
    res.header('Access-Control-Allow-Credentials', true);

    // 6.2.9
    res.header('Access-Control-Allow-Methods', allowedMethods.join(', '));

    // 6.2.10
    res.header('Access-Control-Allow-Headers', allowedHeaders.join(', '));
    res.send(HTTP_NO_CONTENT);
  };
}

module.exports = function(options) {

  if (! util.isArray(options.origins))       options.origins = ['*'];
  if (! util.isArray(options.allowHeaders))  options.allowHeaders = [];
  if (! util.isArray(options.exposeHeaders)) options.exposeHeaders = [];

  return {

    actual: restify.CORS({
      origins: options.origins,
      headers: options.exposeHeaders
    }),

    preflight: preflightHandler({
      origins: options.origins,
      allowHeaders: options.allowHeaders
    })

  };

};