From 6d6ae5dc67e2fac4e2746bf7adee096ae767ccd8 Mon Sep 17 00:00:00 2001 From: Martin Donadieu Date: Thu, 21 May 2026 23:24:58 +0200 Subject: [PATCH 1/2] fix(plugin): handle manifest size preflight --- cloudflare_workers/plugin/index.ts | 4 +++- tests/plugin-cors.unit.test.ts | 20 ++++++++++++++++++++ 2 files changed, 23 insertions(+), 1 deletion(-) create mode 100644 tests/plugin-cors.unit.test.ts diff --git a/cloudflare_workers/plugin/index.ts b/cloudflare_workers/plugin/index.ts index 6582adb0cf..8ea9b035ff 100644 --- a/cloudflare_workers/plugin/index.ts +++ b/cloudflare_workers/plugin/index.ts @@ -3,12 +3,14 @@ import { app as stats } from '../../supabase/functions/_backend/plugins/stats.ts import { app as updates } from '../../supabase/functions/_backend/plugins/updates.ts' import { app as latency } from '../../supabase/functions/_backend/private/latency.ts' import { app as ok } from '../../supabase/functions/_backend/public/ok.ts' -import { createAllCatch, createHono } from '../../supabase/functions/_backend/utils/hono.ts' +import { createAllCatch, createHono, useCors } from '../../supabase/functions/_backend/utils/hono.ts' import { version } from '../../supabase/functions/_backend/utils/version.ts' const functionName = 'plugin' const app = createHono(functionName, version) +app.use('*', useCors) + // TODO: deprecated remove when everyone use the new endpoint app.route('/plugin/ok', ok) app.route('/plugin/channel_self', channel_self) diff --git a/tests/plugin-cors.unit.test.ts b/tests/plugin-cors.unit.test.ts new file mode 100644 index 0000000000..42aa50d26a --- /dev/null +++ b/tests/plugin-cors.unit.test.ts @@ -0,0 +1,20 @@ +import { describe, expect, it } from 'vitest' +import pluginWorker from '../cloudflare_workers/plugin/index.ts' + +describe('cloudflare plugin CORS', () => { + it.concurrent('responds to manifest size preflight requests', async () => { + const response = await pluginWorker.fetch(new Request('https://api.capgo.app/updates/manifest_size', { + method: 'OPTIONS', + headers: { + 'origin': 'https://web.capgo.app', + 'access-control-request-method': 'POST', + 'access-control-request-headers': 'content-type,authorization', + }, + })) + + expect(response.status).toBe(204) + expect(response.headers.get('access-control-allow-origin')).toBe('*') + expect(response.headers.get('access-control-allow-methods')).toContain('OPTIONS') + expect(response.headers.get('access-control-allow-headers')?.toLowerCase()).toContain('content-type') + }) +}) From e228be484c90fa996e47174deaf83936cd067d4b Mon Sep 17 00:00:00 2001 From: Martin Donadieu Date: Thu, 21 May 2026 23:59:20 +0200 Subject: [PATCH 2/2] test(plugin): harden manifest preflight coverage --- tests/plugin-cors.unit.test.ts | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/tests/plugin-cors.unit.test.ts b/tests/plugin-cors.unit.test.ts index 42aa50d26a..22838a6a7d 100644 --- a/tests/plugin-cors.unit.test.ts +++ b/tests/plugin-cors.unit.test.ts @@ -14,7 +14,11 @@ describe('cloudflare plugin CORS', () => { expect(response.status).toBe(204) expect(response.headers.get('access-control-allow-origin')).toBe('*') - expect(response.headers.get('access-control-allow-methods')).toContain('OPTIONS') - expect(response.headers.get('access-control-allow-headers')?.toLowerCase()).toContain('content-type') + const allowMethods = response.headers.get('access-control-allow-methods')?.toLowerCase() + const allowHeaders = response.headers.get('access-control-allow-headers')?.toLowerCase() + expect(allowMethods).toContain('options') + expect(allowMethods).toContain('post') + expect(allowHeaders).toContain('content-type') + expect(allowHeaders).toContain('authorization') }) })