Handle CORS preflight options

TurkeyMan · TurkeyMan · commit 4e263d31b567 · 2025-12-03T21:59:19.000+10:00
diff --git a/src/apps/api/package.d b/src/apps/api/package.d
@@ -73,6 +73,7 @@ nothrow @nogc:
         {
             _server.add_uri_handler(HTTPMethod.GET, _uri, &handle_request);
             _server.add_uri_handler(HTTPMethod.POST, _uri, &handle_request);
+            _server.add_uri_handler(HTTPMethod.OPTIONS, _uri, &handle_request);
         }
         else
             _default_handler = _server.hook_global_handler(&handle_request);
@@ -110,6 +111,10 @@ private:
     {
         const(char)[] tail = request.request_target[_uri.length .. $];
 
+        // Handle CORS preflight OPTIONS requests
+        if (request.method == HTTPMethod.OPTIONS)
+            return handle_options(request, stream);
+
         if (tail == "/health")
             return handle_health(request, stream);
         if (tail == "/cli/execute")
@@ -126,9 +131,25 @@ private:
         return 0;
     }
 
+    void add_cors_headers(ref HTTPMessage response)
+    {
+        response.headers ~= HTTPParam(StringLit!"Access-Control-Allow-Origin", StringLit!"*");
+        response.headers ~= HTTPParam(StringLit!"Access-Control-Allow-Methods", StringLit!"GET, POST, PUT, DELETE, OPTIONS");
+        response.headers ~= HTTPParam(StringLit!"Access-Control-Allow-Headers", StringLit!"Content-Type");
+    }
+
+    int handle_options(ref const HTTPMessage request, ref Stream stream)
+    {
+        HTTPMessage response = create_response(request.http_version, 204, StringLit!"No Content", String(), null);
+        add_cors_headers(response);
+        stream.write(response.format_message()[]);
+        return 0;
+    }
+
     int handle_health(ref const HTTPMessage request, ref Stream stream)
     {
         HTTPMessage response = create_response(request.http_version, 200, StringLit!"OK", StringLit!"application/json", tconcat("{\"status\":\"healthy\",\"uptime\":", getAppTime().as!"seconds", "}"));
+        add_cors_headers(response);
         stream.write(response.format_message()[]);
         return 0;
     }
@@ -149,6 +170,7 @@ private:
         if (command_text.length == 0)
         {
             HTTPMessage response = create_response(request.http_version, 400, StringLit!"Bad Request", StringLit!"application/json", "{\"error\":\"Command body required\"}");
+            add_cors_headers(response);
             stream.write(response.format_message()[]);
             return 0;
         }
@@ -186,7 +208,7 @@ private:
         }
         else
             response.content ~= "\"\"}";
-
+        add_cors_headers(response);
         stream.write(response.format_message()[]);
     }
 
diff --git a/src/protocol/http/message.d b/src/protocol/http/message.d
@@ -198,6 +198,8 @@ nothrow @nogc:
                         break;
                     }
 
+                    message.content_type = message.header("Content-Type");
+
                     if (state == ParseState.ReadingTailHeaders || message.method == HTTPMethod.HEAD)
                         goto message_done;
 
@@ -323,7 +325,7 @@ nothrow @nogc:
 private:
     static bool read_http_version(ref const(char)[] msg, ref HTTPMessage message)
     {
-        string http = "HTTP/";
+        enum http = "HTTP/";
         if (msg[0..http.length] != http)
             return false;
 
@@ -353,7 +355,7 @@ private:
 
     static bool is_response(const char[] msg)
     {
-        string http = "HTTP/";
+        enum http = "HTTP/";
         return msg[0..http.length] == http;
     }
 
@@ -417,14 +419,6 @@ private:
             return 0;
         }
 
-        // asterisk-form
-        if (message.method == HTTPMethod.OPTIONS)
-        {
-            // OPTIONS * HTTP/1.1
-            message.request_target = StringLit!"/";
-            return 0;
-        }
-
         const(char)[] query = request_target;
         request_target = query.split!('?', false);
 
