micronaut-projects · ThomasIommi · Nov 23, 2024 · Nov 23, 2024 · Nov 23, 2024 · Nov 23, 2024
diff --git a/http-server-netty/src/test/groovy/io/micronaut/http/server/netty/cors/CorsFilterSpec.groovy b/http-server-netty/src/test/groovy/io/micronaut/http/server/netty/cors/CorsFilterSpec.groovy
@@ -301,7 +301,7 @@ class CorsFilterSpec extends Specification {
 
     @Property(name = "micronaut.server.cors.configurations.foo.allowed-origins", value = "http://www.foo.com")
     @Property(name = "micronaut.server.cors.configurations.foo.allowed-methods", value = "GET")
-    void "A preflight request is rejected for a non-existing route"() {
+    void "A preflight request is NOT rejected for a non-existing route if CORS configuration is valid"() {
         given:
         HttpRequest request = HttpRequest.OPTIONS("/doesnt-exists-route")
                 .header(HttpHeaders.ORIGIN, 'http://www.foo.com')
@@ -311,22 +311,7 @@ class CorsFilterSpec extends Specification {
         HttpResponse<?> response = execute(request)
 
         then:
-        HttpStatus.FORBIDDEN == response.status()
-    }
-
-    @Property(name = "micronaut.server.cors.configurations.foo.allowed-origins", value = "http://www.foo.com")
-    @Property(name = "micronaut.server.cors.configurations.foo.exposed-headers", value = "Foo-Header,Bar-Header")
-    void "A preflight request is rejected for a route that does exist but doesn't handle the requested HTTP Method"() {
-        given:
-        HttpRequest request = HttpRequest.OPTIONS("/example")
-                .header(HttpHeaders.ORIGIN, 'http://www.foo.com')
-                .header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, 'POST')
-
-        when:
-        HttpResponse<?> response = execute(request)
-
-        then:
-        HttpStatus.FORBIDDEN == response.status()
+        HttpStatus.OK == response.status()
     }
 
     @Requires(property = "spec.name", value = "CorsFilterSpec")

diff --git a/http-server-netty/src/test/groovy/io/micronaut/http/server/netty/cors/CorsVersionSpec.groovy b/http-server-netty/src/test/groovy/io/micronaut/http/server/netty/cors/CorsVersionSpec.groovy
@@ -95,8 +95,7 @@ class CorsVersionSpec extends Specification {
         client.exchange(request)
 
         then:
-        HttpClientResponseException ex = thrown()
-        ex.status == HttpStatus.FORBIDDEN
+        noExceptionThrown()
     }
 
     void "preflight for version routed from private network"() {
@@ -113,7 +112,7 @@ class CorsVersionSpec extends Specification {
 
         when:
         request = HttpRequest.OPTIONS("/new-not-allowed-from-private")
-        preflightHeaders(null, true).each { k, v -> request.header(k, v)}
+        preflightHeaders("x-api-version", true).each { k, v -> request.header(k, v)}
         client.exchange(request)
 
         then:

diff --git a/http-server-netty/src/test/groovy/io/micronaut/http/server/netty/cors/NettyCorsSpec.groovy b/http-server-netty/src/test/groovy/io/micronaut/http/server/netty/cors/NettyCorsSpec.groovy
@@ -273,7 +273,7 @@ class NettyCorsSpec extends AbstractMicronautSpec {
         }).blockFirst()
 
         expect:
-        response.code() == HttpStatus.FORBIDDEN.code
+        response.code() == HttpStatus.OK.code
     }
 
     void "test control headers are applied to error response routes"() {

diff --git a/http-server/src/main/java/io/micronaut/http/server/cors/CorsFilter.java b/http-server/src/main/java/io/micronaut/http/server/cors/CorsFilter.java
@@ -89,7 +89,7 @@ public class CorsFilter implements Ordered, ConditionalFilter {
     /**
      * @param corsConfiguration The {@link CorsOriginConfiguration} instance
      * @param httpHostResolver  HTTP Host resolver
-     * @deprecated use {@link CorsFilter(HttpServerConfiguration, HttpHostResolver, Router)} instead.
+     * @deprecated use {@link  CorsFilter(HttpServerConfiguration, HttpHostResolver, Router)} instead.
      */
     @Deprecated(since = "4.7", forRemoval = true)
     public CorsFilter(HttpServerConfiguration.CorsConfiguration corsConfiguration,
@@ -494,20 +494,15 @@ private MutableHttpResponse<?> handlePreflightRequest(@NonNull HttpRequest<?> re
 
     @Nullable
     private boolean validatePreflightRequest(@NonNull HttpRequest<?> request,
-                                                @NonNull CorsOriginConfiguration config) {
+                                             @NonNull CorsOriginConfiguration config) {
         Optional<HttpMethod> methodToMatchOptional = validateMethodToMatch(request, config);
         if (methodToMatchOptional.isEmpty()) {
             return false;
         }
-        HttpMethod methodToMatch = methodToMatchOptional.get();
 
         if (!CorsUtil.isPreflightRequest(request)) {
             return false;
         }
-        List<HttpMethod> availableHttpMethods = router.findAny(request).stream().map(UriRouteMatch::getHttpMethod).toList();
-        if (availableHttpMethods.stream().noneMatch(method -> method.equals(methodToMatch))) {
-            return false;
-        }
 
         if (!hasAllowedHeaders(request, config)) {
             return false;