@jaypie/express 1.2.5 → 1.2.7

package/dist/cjs/cors.helper.d.ts

@@ -5,5 +5,15 @@ export interface CorsConfig {
 }
 type CorsCallback = (err: Error | null, allow?: boolean) => void;
 export declare const dynamicOriginCallbackHandler: (origin?: string | string[]) => ((requestOrigin: string | undefined, callback: CorsCallback) => void);
+/**
+ * CORS middleware with Lambda streaming support.
+ *
+ * For OPTIONS preflight requests, this middleware handles them early and
+ * terminates the response immediately. This is critical for Lambda streaming
+ * handlers where the response stream would otherwise stay open waiting for
+ * streaming data that never comes.
+ *
+ * For regular requests, delegates to the standard cors package behavior.
+ */
 declare const _default: (config?: CorsConfig) => ((req: Request, res: Response, next: NextFunction) => void);
 export default _default;

package/dist/cjs/index.cjs

@@ -151,7 +151,8 @@ function buildQueryFromMultiValue(multiValueParams) {
         const existingValues = result[key];
         if (existingValues === undefined) {
             // First occurrence - use array if multiple values or bracket notation
-            result[key] = values.length === 1 && !rawKey.endsWith("[]") ? values[0] : values;
+            result[key] =
+                values.length === 1 && !rawKey.endsWith("[]") ? values[0] : values;
         }
         else if (Array.isArray(existingValues)) {
             existingValues.push(...values);
@@ -1049,7 +1050,9 @@ function createLambdaHandler(app, _options) {
                         {
                             status: 500,
                             title: "Internal Server Error",
-                            detail: error instanceof Error ? error.message : "Unknown error occurred",
+                            detail: error instanceof Error
+                                ? error.message
+                                : "Unknown error occurred",
                         },
                     ],
                 }),
@@ -1136,6 +1139,33 @@ const ensureProtocol = (url) => {
         return url;
     return HTTPS_PROTOCOL + url;
 };
+const extractHostname = (origin) => {
+    try {
+        const url = new URL(origin);
+        return url.hostname;
+    }
+    catch {
+        return undefined;
+    }
+};
+const isOriginAllowed = (requestOrigin, allowed) => {
+    const normalizedAllowed = ensureProtocol(allowed);
+    const normalizedRequest = ensureProtocol(requestOrigin);
+    const allowedHostname = extractHostname(normalizedAllowed);
+    const requestHostname = extractHostname(normalizedRequest);
+    if (!allowedHostname || !requestHostname) {
+        return false;
+    }
+    // Exact match
+    if (requestHostname === allowedHostname) {
+        return true;
+    }
+    // Subdomain match
+    if (requestHostname.endsWith(`.${allowedHostname}`)) {
+        return true;
+    }
+    return false;
+};
 const dynamicOriginCallbackHandler = (origin) => {
     return (requestOrigin, callback) => {
         // Handle wildcard origin
@@ -1169,7 +1199,7 @@ const dynamicOriginCallbackHandler = (origin) => {
             if (allowed instanceof RegExp) {
                 return allowed.test(requestOrigin);
             }
-            return requestOrigin.includes(allowed);
+            return isOriginAllowed(requestOrigin, allowed);
         });
         if (isAllowed) {
             callback(null, true);
@@ -1192,9 +1222,81 @@ const corsHelper = (config = {}) => {
     };
     return expressCors(options);
 };
+//
+//
+// Constants
+//
+const HTTP_CODE_NO_CONTENT = 204;
+const HTTP_METHOD_OPTIONS = "OPTIONS";
+/**
+ * CORS middleware with Lambda streaming support.
+ *
+ * For OPTIONS preflight requests, this middleware handles them early and
+ * terminates the response immediately. This is critical for Lambda streaming
+ * handlers where the response stream would otherwise stay open waiting for
+ * streaming data that never comes.
+ *
+ * For regular requests, delegates to the standard cors package behavior.
+ */
 var cors_helper = (config) => {
     const cors = corsHelper(config);
+    const { origin, overrides = {} } = config || {};
+    const originHandler = dynamicOriginCallbackHandler(origin);
     return (req, res, next) => {
+        // Handle OPTIONS preflight requests early for Lambda streaming compatibility.
+        // The standard cors package would eventually call res.end(), but with Lambda
+        // streaming, we need to ensure the response is terminated immediately without
+        // going through any async middleware chains that might keep the stream open.
+        if (req.method === HTTP_METHOD_OPTIONS) {
+            const requestOrigin = req.headers.origin;
+            originHandler(requestOrigin, (error, isAllowed) => {
+                if (error || !isAllowed) {
+                    // Origin not allowed - send CORS error
+                    const corsError = error;
+                    if (corsError?.status && corsError?.body) {
+                        res.status(corsError.status);
+                        res.setHeader("Content-Type", "application/json");
+                        res.json(corsError.body());
+                    }
+                    else {
+                        // Fallback for non-CorsError errors
+                        res.status(HTTP_CODE_NO_CONTENT);
+                        res.end();
+                    }
+                    return;
+                }
+                // Origin is allowed - send preflight response
+                // Set CORS headers
+                if (requestOrigin) {
+                    res.setHeader("Access-Control-Allow-Origin", requestOrigin);
+                }
+                res.setHeader("Vary", "Origin");
+                // Allow all methods by default (or use overrides if specified)
+                const methods = overrides.methods || "GET,HEAD,PUT,PATCH,POST,DELETE";
+                res.setHeader("Access-Control-Allow-Methods", methods);
+                // Reflect requested headers (standard cors behavior)
+                const requestedHeaders = req.headers["access-control-request-headers"];
+                if (requestedHeaders) {
+                    res.setHeader("Access-Control-Allow-Headers", requestedHeaders);
+                }
+                // Handle credentials if configured
+                if (overrides.credentials === true) {
+                    res.setHeader("Access-Control-Allow-Credentials", "true");
+                }
+                // Handle max age if configured
+                if (overrides.maxAge !== undefined) {
+                    res.setHeader("Access-Control-Max-Age", String(overrides.maxAge));
+                }
+                // Send 204 No Content response and terminate immediately
+                // This is critical for Lambda streaming - we must end the response
+                // synchronously to prevent the stream from hanging.
+                res.statusCode = HTTP_CODE_NO_CONTENT;
+                res.setHeader("Content-Length", "0");
+                res.end();
+            });
+            return;
+        }
+        // For non-OPTIONS requests, use the standard cors middleware
         cors(req, res, (error) => {
             if (error) {
                 const corsError = error;
@@ -1440,7 +1542,7 @@ const logger$1 = logger$2.log;
  * Uses Symbol marker to survive prototype chain modifications from Express and dd-trace.
  */
 function isLambdaMockResponse(res) {
-    return res[JAYPIE_LAMBDA_MOCK] === true;
+    return (res[JAYPIE_LAMBDA_MOCK] === true);
 }
 /**
  * Safely send a JSON response, avoiding dd-trace interception.