add support and tests for simple/actual requests needing Access-Control-Allow-Credentials

src/actual.js

@@ -12,6 +12,7 @@ var restify = require('restify');
 exports.handler = function(options) {
 
   return restify.CORS({
+    credentials: options.credentials,
     origins: options.origins,
     headers: options.exposeHeaders
   });

src/index.js

@@ -7,6 +7,7 @@ module.exports = function(options) {
   if (! util.isArray(options.origins))       options.origins = ['*'];
   if (! util.isArray(options.allowHeaders))  options.allowHeaders = [];
   if (! util.isArray(options.exposeHeaders)) options.exposeHeaders = [];
+  if (options.origins[0] === '*')            options.credentials = false;
 
   return {
     actual: actual.handler(options),

test/cors.actual.spec.js

@@ -44,6 +44,32 @@ describe('CORS: simple / actual requests', function() {
         .end(done);
    });
 
+   it('6.1.3 Does not set Access-Control-Allow-Credentials header if Origin is *', function(done) {
+      var server = test.corsServer({
+        origins: ['*'],
+        credentials: true
+      });
+      request(server)
+        .get('/test')
+        .set('Origin', 'http://api.myapp.com')
+        .expect(test.noHeader('access-control-allow-credentials'))
+        .expect(200)
+        .end(done);
+    });
+
+   it('6.1.3 Sets Access-Control-Allow-Credentials header if configured', function(done) {
+      var server = test.corsServer({
+        origins: ['http://api.myapp.com'],
+        credentials: true
+      });
+      request(server)
+        .get('/test')
+        .set('Origin', 'http://api.myapp.com')
+        .expect('access-control-allow-credentials', 'true')
+        .expect(200)
+        .end(done);
+    });
+
    it('6.1.4 Does not set exposed headers if empty', function(done) {
       var server = test.corsServer({
         origins: ['http://api.myapp.com', 'http://www.myapp.com']