Multiple ‘Access-Control-Allow-Origin’ headers are being sent

[infinitiayush]

Initial checklist

• I understand this is a bug report and questions should be posted in the Community Forum
• I searched issues and couldn’t find anything (or linked relevant results below)

Steps to reproduce

I am implementing file upload functionality using tus and this is a basic tus server setup code

const tusServer: Server = new Server({
    path: '/app/upload/media',
    datastore: new FileStore({
        directory: imagesPath,
        configstore: config
    }),
    allowedOrigins: [],
    exposedHeaders: [''],
    allowedHeaders: [''],
    respectForwardedHeaders: true,
    namingFunction: async (req: Request, metadata?: Record<string, string | null>): Promise<string> => {
        if (metadata?.filename) return metadata?.filename;
        return "";
    },

The issue is that even thought I have set allowedOrigins: , it is still sending header “*” in response. which is causing CORS error on the FE. My BE framework also sends a Access-Control-Allow-Origin which causes the issue. Can tus ignore the Access-Control-Allow-Origin header all together if I have provided an empty list?

This is what I got on FE,

Expected behavior

There should be an option to override the headers or remove them all together

Actual behavior

Tus is managing the headers all by itself and cannot be overriden.

[angelorc]

Same issue here! I use caddy as reverse proxy

(cors) {
        @cors_preflight method OPTIONS

        header {
                Access-Control-Allow-Origin "{header.origin}"
                Vary Origin
                Access-Control-Expose-Headers "Authorization, Upload-Offset, Location, Upload-Length, Tus-Version, Tus-Resumable, Tus-Max-Size, Tus-Exte>
                Access-Control-Allow-Credentials "true"
        }

        handle @cors_preflight {
                header {
                        Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE"
                        Access-Control-Allow-Headers "Authorization, Content-Type, Tus-Resumable, Upload-Length, Upload-Metadata, Upload-Offset"
                        Access-Control-Max-Age "3600"
                }
                respond "" 204
        }
}

upload-api.domain.com {
        reverse_proxy localhost:3000
        import cors
}

[infinitiayush]

For the time being I have used node post install to patch this issue. But it needs to be resolved