From 574ba9b2bc6d1b52d227efccb671bef3dd9e0bcf Mon Sep 17 00:00:00 2001
From: Laurence Isla <lau.isla.c@gmail.com>
Date: Thu, 23 May 2024 17:50:15 -0500
Subject: [PATCH] fix: handle CORS pre-flight requests correctly

---
 cabal.project                     | 4 ++++
 nix/overlays/haskell-packages.nix | 9 +++++++++
 src/PostgREST/Cors.hs             | 2 +-
 src/PostgREST/Response.hs         | 3 +--
 stack.yaml                        | 2 ++
 5 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/cabal.project b/cabal.project
index aa3aa3a9ea..a7693dee59 100644
--- a/cabal.project
+++ b/cabal.project
@@ -2,3 +2,7 @@ packages: postgrest.cabal
 tests: true
 package *
   ghc-options: -split-sections
+source-repository-package
+  type: git
+  location: https://github.com/laurenceisla/wai-cors.git
+  tag: e2da0d7a3e56592a5f4b35fd3aa6ccd3175525cc
diff --git a/nix/overlays/haskell-packages.nix b/nix/overlays/haskell-packages.nix
index 804f97c527..b321124bb0 100644
--- a/nix/overlays/haskell-packages.nix
+++ b/nix/overlays/haskell-packages.nix
@@ -73,6 +73,15 @@ let
         { }
       );
 
+      wai-cors = lib.dontCheck (
+        prev.callCabal2nixWithOptions "wai-cors" (super.fetchFromGitHub {
+          owner = "laurenceisla";
+          repo  = "wai-cors";
+          rev = "e2da0d7a3e56592a5f4b35fd3aa6ccd3175525cc";
+          sha256 = "sha256-lTzFiH7c7ZpR+hg6jJXvPKM2DtwMs8gdjdk68GTmtaQ=";
+        }) "--subpath=." {}
+      );
+
     };
 in
 {
diff --git a/src/PostgREST/Cors.hs b/src/PostgREST/Cors.hs
index 1e4c34b367..e2d18278d0 100644
--- a/src/PostgREST/Cors.hs
+++ b/src/PostgREST/Cors.hs
@@ -39,7 +39,7 @@ corsPolicy corsAllowedOrigins req = case lookup "origin" headers of
     , Wai.corsMaxAge = Just $ 60*60*24
     , Wai.corsVaryOrigin = False
     , Wai.corsRequireOrigin = False
-    , Wai.corsIgnoreFailures = True
+    , Wai.corsIgnoreFailures = False
     }
   Nothing -> Nothing
   where
diff --git a/src/PostgREST/Response.hs b/src/PostgREST/Response.hs
index d50f825ba2..3813ac9d4f 100644
--- a/src/PostgREST/Response.hs
+++ b/src/PostgREST/Response.hs
@@ -251,8 +251,7 @@ actionResponse (NoDbResult SchemaInfoPlan) _ _ _ _ _ _ = respondInfo "OPTIONS,GE
 
 respondInfo :: ByteString -> Either Error.Error PgrstResponse
 respondInfo allowHeader =
-  let allOrigins = ("Access-Control-Allow-Origin", "*") in
-  Right $ PgrstResponse HTTP.status200 [allOrigins, (HTTP.hAllow, allowHeader)] mempty
+  Right $ PgrstResponse HTTP.status200 [(HTTP.hAllow, allowHeader)] mempty
 
 -- Status and headers can be overridden as per https://postgrest.org/en/stable/references/transactions.html#response-headers
 overrideStatusHeaders :: Maybe Text -> Maybe BS.ByteString -> HTTP.Status -> [HTTP.Header]-> Either Error.Error (HTTP.Status, [HTTP.Header])
diff --git a/stack.yaml b/stack.yaml
index 987599fc17..df368817da 100644
--- a/stack.yaml
+++ b/stack.yaml
@@ -13,3 +13,5 @@ extra-deps:
   - fuzzyset-0.2.4
   - hasql-notifications-0.2.2.0
   - hasql-pool-1.0.1
+  - git: https://github.com/laurenceisla/wai-cors.git
+    commit: e2da0d7a3e56592a5f4b35fd3aa6ccd3175525cc