npm - @jaypie/express - Versions diffs - 1.2.6 → 1.2.8 - Mend

@jaypie/express 1.2.6 → 1.2.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/cjs/cors.helper.d.ts +10 -0
package/dist/cjs/index.cjs +81 -0
package/dist/cjs/index.cjs.map +1 -1
package/dist/esm/cors.helper.d.ts +10 -0
package/dist/esm/index.js +81 -0
package/dist/esm/index.js.map +1 -1
package/package.json +1 -1

package/dist/cjs/cors.helper.d.ts CHANGED Viewed

@@ -5,5 +5,15 @@ export interface CorsConfig {
 }
 type CorsCallback = (err: Error | null, allow?: boolean) => void;
 export declare const dynamicOriginCallbackHandler: (origin?: string | string[]) => ((requestOrigin: string | undefined, callback: CorsCallback) => void);
+/**
+ * CORS middleware with Lambda streaming support.
+ *
+ * For OPTIONS preflight requests, this middleware handles them early and
+ * terminates the response immediately. This is critical for Lambda streaming
+ * handlers where the response stream would otherwise stay open waiting for
+ * streaming data that never comes.
+ *
+ * For regular requests, delegates to the standard cors package behavior.
+ */
 declare const _default: (config?: CorsConfig) => ((req: Request, res: Response, next: NextFunction) => void);
 export default _default;

package/dist/cjs/index.cjs CHANGED Viewed

@@ -1222,9 +1222,90 @@ const corsHelper = (config = {}) => {
     };
     return expressCors(options);
 };
+//
+//
+// Constants
+//
+const HTTP_CODE_NO_CONTENT = 204;
+const HTTP_METHOD_OPTIONS = "OPTIONS";
+/**
+ * CORS middleware with Lambda streaming support.
+ *
+ * For OPTIONS preflight requests, this middleware handles them early and
+ * terminates the response immediately. This is critical for Lambda streaming
+ * handlers where the response stream would otherwise stay open waiting for
+ * streaming data that never comes.
+ *
+ * For regular requests, delegates to the standard cors package behavior.
+ */
 var cors_helper = (config) => {
     const cors = corsHelper(config);
+    const { origin, overrides = {} } = config || {};
+    const originHandler = dynamicOriginCallbackHandler(origin);
     return (req, res, next) => {
+        // Handle OPTIONS preflight requests early for Lambda streaming compatibility.
+        // The standard cors package would eventually call res.end(), but with Lambda
+        // streaming, we need to ensure the response is terminated immediately without
+        // going through any async middleware chains that might keep the stream open.
+        if (req.method === HTTP_METHOD_OPTIONS) {
+            const requestOrigin = req.headers.origin;
+            originHandler(requestOrigin, (error, isAllowed) => {
+                if (error || !isAllowed) {
+                    // Origin not allowed - send CORS error
+                    const corsError = error;
+                    if (corsError?.status && corsError?.body) {
+                        res.status(corsError.status);
+                        res.setHeader("Content-Type", "application/json");
+                        res.json(corsError.body());
+                    }
+                    else {
+                        // Fallback for non-CorsError errors
+                        res.status(HTTP_CODE_NO_CONTENT);
+                        if (typeof res.flushHeaders === "function") {
+                            res.flushHeaders();
+                        }
+                        res.end();
+                    }
+                    return;
+                }
+                // Origin is allowed - send preflight response
+                // Set CORS headers
+                if (requestOrigin) {
+                    res.setHeader("Access-Control-Allow-Origin", requestOrigin);
+                }
+                res.setHeader("Vary", "Origin");
+                // Allow all methods by default (or use overrides if specified)
+                const methods = overrides.methods || "GET,HEAD,PUT,PATCH,POST,DELETE";
+                res.setHeader("Access-Control-Allow-Methods", methods);
+                // Reflect requested headers (standard cors behavior)
+                const requestedHeaders = req.headers["access-control-request-headers"];
+                if (requestedHeaders) {
+                    res.setHeader("Access-Control-Allow-Headers", requestedHeaders);
+                }
+                // Handle credentials if configured
+                if (overrides.credentials === true) {
+                    res.setHeader("Access-Control-Allow-Credentials", "true");
+                }
+                // Handle max age if configured
+                if (overrides.maxAge !== undefined) {
+                    res.setHeader("Access-Control-Max-Age", String(overrides.maxAge));
+                }
+                // Send 204 No Content response and terminate immediately
+                // This is critical for Lambda streaming - we must end the response
+                // synchronously to prevent the stream from hanging.
+                // CRITICAL: Flush headers first to initialize the Lambda stream wrapper.
+                // Without this, _wrappedStream may be null when _final() is called,
+                // causing the Lambda response stream to never close.
+                res.statusCode = HTTP_CODE_NO_CONTENT;
+                res.setHeader("Content-Length", "0");
+                if (typeof res.flushHeaders === "function") {
+                    res.flushHeaders();
+                }
+                res.end();
+            });
+            return;
+        }
+        // For non-OPTIONS requests, use the standard cors middleware
         cors(req, res, (error) => {
             if (error) {
                 const corsError = error;