Allow CORS middleware to send Access-Control-Max-Age: 0

middleware/cors.go

@@ -99,8 +99,9 @@ type (
 // MaxAge determines the value of the Access-Control-Max-Age response header.
 // This header indicates how long (in seconds) the results of a preflight
 // request can be cached.
+// The header is set only if MaxAge != 0, negative value sends "0" which instructs browsers not to cache that response.
 //
-// Optional. Default value 0. The header is set only if MaxAge > 0.
+// Optional. Default value 0 - meaning header is not sent.
 //
 // See also: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age
 MaxAge int `yaml:"max_age"`
@@ -159,7 +160,11 @@ func CORSWithConfig(config CORSConfig) echo.MiddlewareFunc {
 allowMethods := strings.Join(config.AllowMethods, ",")
 allowHeaders := strings.Join(config.AllowHeaders, ",")
 exposeHeaders := strings.Join(config.ExposeHeaders, ",")
-maxAge := strconv.Itoa(config.MaxAge)
+
+maxAge := "0"
+if config.MaxAge > 0 {
+maxAge = strconv.Itoa(config.MaxAge)
+}
 
 return func(next echo.HandlerFunc) echo.HandlerFunc {
 return func(c echo.Context) error {
@@ -282,7 +287,7 @@ func CORSWithConfig(config CORSConfig) echo.MiddlewareFunc {
 res.Header().Set(echo.HeaderAccessControlAllowHeaders, h)
 }
 }
-if config.MaxAge > 0 {
+if config.MaxAge != 0 {
 res.Header().Set(echo.HeaderAccessControlMaxAge, maxAge)
 }
 return c.NoContent(http.StatusNoContent)

middleware/cors_test.go

@@ -60,6 +60,59 @@ func TestCORS(t *testing.T) {
 echo.HeaderAccessControlMaxAge: "3600",
 },
 },
+{
+name: "ok, preflight request when `Access-Control-Max-Age` is set",
+givenMW: CORSWithConfig(CORSConfig{
+AllowOrigins: []string{"localhost"},
+AllowCredentials: true,
+MaxAge: 1,
+}),
+whenMethod: http.MethodOptions,
+whenHeaders: map[string]string{
+echo.HeaderOrigin: "localhost",
+echo.HeaderContentType: echo.MIMEApplicationJSON,
+},
+expectHeaders: map[string]string{
+echo.HeaderAccessControlMaxAge: "1",
+},
+},
+{
+name: "ok, preflight request when `Access-Control-Max-Age` is set to 0 - not to cache response",
+givenMW: CORSWithConfig(CORSConfig{
+AllowOrigins: []string{"localhost"},
+AllowCredentials: true,
+MaxAge: -1, // forces `Access-Control-Max-Age: 0`
+}),
+whenMethod: http.MethodOptions,
+whenHeaders: map[string]string{
+echo.HeaderOrigin: "localhost",
+echo.HeaderContentType: echo.MIMEApplicationJSON,
+},
+expectHeaders: map[string]string{
+echo.HeaderAccessControlMaxAge: "0",
+},
+},
+{
+name: "ok, CORS check are skipped",
+givenMW: CORSWithConfig(CORSConfig{
+AllowOrigins: []string{"localhost"},
+AllowCredentials: true,
+Skipper: func(c echo.Context) bool {
+return true
+},
+}),
+whenMethod: http.MethodOptions,
+whenHeaders: map[string]string{
+echo.HeaderOrigin: "localhost",
+echo.HeaderContentType: echo.MIMEApplicationJSON,
+},
+notExpectHeaders: map[string]string{
+echo.HeaderAccessControlAllowOrigin: "localhost",
+echo.HeaderAccessControlAllowMethods: "GET,HEAD,PUT,PATCH,POST,DELETE",
+echo.HeaderAccessControlAllowCredentials: "true",
+echo.HeaderAccessControlMaxAge: "3600",
+},
+},
 {
 name: "ok, preflight request with wildcard `AllowOrigins` and `AllowCredentials` true",
 givenMW: CORSWithConfig(CORSConfig{