From aa88f16b08d239b93075f56b587dc4e650e05572 Mon Sep 17 00:00:00 2001
From: Javier Calvarro Nelson
Date: Wed, 24 Oct 2018 12:56:07 -0700
Subject: [PATCH] Fix cors with creds (#193)
---
 .../Infrastructure/CorsService.cs | 13 ++++++++++---
 test/FunctionalTests/test.js | 12 ++++++++----
 .../CorsMiddlewareTests.cs | 6 +++---
 .../CorsServiceTests.cs | 7 +++----
 test/WebSites/CorsMiddlewareWebSite/web.config | 4 +++-
 5 files changed, 27 insertions(+), 15 deletions(-)
diff --git a/src/Microsoft.AspNetCore.Cors/Infrastructure/CorsService.cs b/src/Microsoft.AspNetCore.Cors/Infrastructure/CorsService.cs
index 0d52489d81..78e2371c78 100644
--- a/src/Microsoft.AspNetCore.Cors/Infrastructure/CorsService.cs
+++ b/src/Microsoft.AspNetCore.Cors/Infrastructure/CorsService.cs
@@ -136,10 +136,17 @@ namespace Microsoft.AspNetCore.Cors.Infrastructure
 result.SupportsCredentials = policy.SupportsCredentials;
 result.PreflightMaxAge = policy.PreflightMaxAge;
-
+ // https://fetch.spec.whatwg.org/#http-new-header-syntax
 AddHeaderValues(result.AllowedExposedHeaders, policy.ExposedHeaders);
- AddHeaderValues(result.AllowedMethods, policy.Methods);
- AddHeaderValues(result.AllowedHeaders, policy.Headers);
+
+ var allowedMethods = policy.AllowAnyMethod && policy.SupportsCredentials ?
+ new[] { result.IsPreflightRequest ? (string)context.Request.Headers[CorsConstants.AccessControlRequestMethod] : context.Request.Method } : policy.Methods;
+ AddHeaderValues(result.AllowedMethods, allowedMethods);
+
+ var allowedHeaders = policy.AllowAnyHeader && policy.SupportsCredentials ?
+ context.Request.Headers.GetCommaSeparatedValues(CorsConstants.AccessControlRequestHeaders) : policy.Headers;
+ AddHeaderValues(result.AllowedHeaders, allowedHeaders);
 }
 
 public virtual void EvaluateRequest(HttpContext context, CorsPolicy policy, CorsResult result)
diff --git a/test/FunctionalTests/test.js b/test/FunctionalTests/test.js
index 0f81bd3597..c39ffeaa6b 100644
--- a/test/FunctionalTests/test.js
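Review bot: On the `new[] { result.IsPreflightRequest ? (string)context.Request.Headers[CorsConstants.AccessControlRequestMethod] : context.Request.Method }` line the reflected preflight method is added to `result.AllowedMethods` without a presence check, so if `IsPreflightRequest` (set in the enclosing method, whose start is outside this hunk) can be true without that header, a null or empty entry lands in the allowed-methods list and presumably in the `Access-Control-Allow-Methods` response header. Guarding the reflection keeps the fallback explicit: `var requestedMethod = result.IsPreflightRequest ? (string)context.Request.Headers[CorsConstants.AccessControlRequestMethod] : context.Request.Method;` followed by `var allowedMethods = policy.AllowAnyMethod && policy.SupportsCredentials && !string.IsNullOrEmpty(requestedMethod) ? new[] { requestedMethod } : policy.Methods;`. The spec-link comment placed above `AllowedExposedHeaders` does not say why the methods and headers are now echoed from the request, which matters because echoing request-supplied values is exactly as permissive as the `*` it replaces; a comment such as `// '*' is not honoured for Allow-Methods/Allow-Headers on credentialed requests, so echo the requested method/headers; the policy still allows any method/header, only the wire form changes.` would stop a later reader from mistaking this for an allow-list.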
+++ b/test/FunctionalTests/test.js
@@ -6,7 +6,7 @@ const corsServerPath = `http://${hostname}:9000`;
 // e.g., npm test --debug
 // In debug mode we show the editor, slow down operations, and increase the timeout for each test
-const debug = process.env.npm_config_debug || false;
+let debug = process.env.npm_config_debug || false;
 jest.setTimeout(debug ? 60000 : 30000);
 let browser;
@@ -38,8 +38,8 @@ describe('Browser is initialized', () => {
 test('no errors on launch', () => {
 expect(error).toBeUndefined();
 expect(browser).toBeDefined();
- })
-})
+ });
+});
 
 describe('CORS allowed origin tests ', () => {
 const testPagePath = `http://${hostname}:9001/`;
@@ -176,7 +176,11 @@ describe('CORS allowed origin tests ', () => {
 test('allows Preflighted request with credentials', async () => {
 const result = await page.evaluate(async (corsServerPath) => {
 const url = `${corsServerPath}/allow-credentials`;
- const options = { method: 'PUT', mode: 'cors', credentials: 'include' };
+ const options = {
+ method: 'PUT', mode: 'cors', credentials: 'include', headers: new Headers({
+ 'X-Custom-Header': 'X-Custom-Value'
+ })
+ };
 const response = await fetch(url, options);
 return response.status;
diff --git a/test/Microsoft.AspNetCore.Cors.Test/CorsMiddlewareTests.cs b/test/Microsoft.AspNetCore.Cors.Test/CorsMiddlewareTests.cs
index 85b79949b4..7d80e29fba 100644
--- a/test/Microsoft.AspNetCore.Cors.Test/CorsMiddlewareTests.cs
+++ b/test/Microsoft.AspNetCore.Cors.Test/CorsMiddlewareTests.cs
@@ -192,7 +192,7 @@ namespace Microsoft.AspNetCore.Cors.Infrastructure
 }
 
 [Fact]
- public async Task PreFlight_WithCredentialsAllowed_ReturnsWildcardValues()
+ public async Task PreFlight_WithCredentialsAllowed_ReflectsRequestHeaders()
 {
 // Arrange
 var policy = new CorsPolicyBuilder(OriginUrl)
@@ -240,12 +240,12 @@ namespace Microsoft.AspNetCore.Cors.Infrastructure
 kvp =>
 {
 Assert.Equal(CorsConstants.AccessControlAllowHeaders, kvp.Key);
- Assert.Equal(new[] { "*" }, kvp.Value);
+ Assert.Equal(new[] { "X-Test1,X-Test2" }, kvp.Value);
 },
 kvp =>
 {
 Assert.Equal(CorsConstants.AccessControlAllowMethods, kvp.Key);
- Assert.Equal(new[] { "*" }, kvp.Value);
+ Assert.Equal(new[] { "PUT" }, kvp.Value);
 },
 kvp =>
 {
diff --git a/test/Microsoft.AspNetCore.Cors.Test/CorsServiceTests.cs b/test/Microsoft.AspNetCore.Cors.Test/CorsServiceTests.cs
index 4430d6ec75..fb47a3f70e 100644
--- a/test/Microsoft.AspNetCore.Cors.Test/CorsServiceTests.cs
+++ b/test/Microsoft.AspNetCore.Cors.Test/CorsServiceTests.cs
@@ -492,7 +492,6 @@ namespace Microsoft.AspNetCore.Cors.Infrastructure
 policy.Origins.Add(CorsConstants.AnyOrigin);
 policy.Methods.Add("*");
 policy.Headers.Add("*");
- policy.SupportsCredentials = true;
 // Act
 var result = corsService.EvaluatePolicy(requestContext, policy);
@@ -527,7 +526,7 @@ namespace Microsoft.AspNetCore.Cors.Infrastructure
 }
 
 [Fact]
- public void EvaluatePolicy_PreflightRequest_WithCredentials_ReturnsWildCard()
+ public void EvaluatePolicy_PreflightRequest_WithCredentials_ReflectsHeaders()
 {
 // Arrange
 var corsService = GetCorsService();
@@ -543,8 +542,8 @@ namespace Microsoft.AspNetCore.Cors.Infrastructure
 // Assert
 Assert.NotNull(result);
- Assert.Equal(new[] { "*" }, result.AllowedMethods);
- Assert.Equal(new[] { "*" }, result.AllowedHeaders);
+ Assert.Equal(new[] { "PUT" }, result.AllowedMethods);
+ Assert.Empty(result.AllowedHeaders);
 Assert.True(result.SupportsCredentials);
 }
diff --git a/test/WebSites/CorsMiddlewareWebSite/web.config b/test/WebSites/CorsMiddlewareWebSite/web.config
index f7ac679334..e149af83da 100644
--- a/test/WebSites/CorsMiddlewareWebSite/web.config
+++ b/test/WebSites/CorsMiddlewareWebSite/web.config
@@ -4,6 +4,8 @@
-
+
+
+
\ No newline at end of file
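Review bot: With `policy.SupportsCredentials = true;` removed from the test in the `@@ -492,7 +492,6 @@` hunk of CorsServiceTests.cs, none of the visible hunks exercises the non-preflight branch of the new reflection, where `context.Request.Method` itself is echoed into `result.AllowedMethods`; the remaining credentialed test in the `@@ -543,8 +542,8 @@` hunk is a preflight and asserts the `PUT` taken from `Access-Control-Request-Method`. Unless a test outside these hunks already covers it, a case mirroring the `@@ -492` setup but keeping `SupportsCredentials = true` and sending a non-OPTIONS request, asserting that `result.AllowedMethods` equals that request method, would pin the branch that matters for actual credentialed requests. The enclosing test methods start outside these hunks, so their request setup and remaining assertions are not visible here.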