handleCors function

void handleCors(
  1. H4Event event, {
  2. String origin = "*",
  3. String methods = "GET, POST, PUT, DELETE, OPTIONS, HEAD, PATCH",
  4. String headers = "Content-Type, Authorization, X-Requested-With",
  5. bool credentials = false,
  6. int maxAge = 86400,
})

Handles Cross-Origin Resource Sharing (CORS) headers for HTTP requests.

This function sets the appropriate CORS headers on the response to enable cross-origin requests. It supports configuring allowed origins, methods, headers, credentials, and cache duration.

Example usage:

// Basic usage with default settings
router.get('/api', (event) {
  handleCors(event);
  return {'message': 'API response'};
});

// Set CORS headers for every request
var app = createApp(
onRequest: (event) {
  handleCors(event,
    origin: 'https://myapp.com',
    methods: 'GET, POST',
    headers: 'Content-Type, Authorization',
    credentials: true,
    maxAge: 3600
   )
 }
)

// Custom CORS configuration
router.post('/api/auth', (event) {
  handleCors(
    event,
    origin: 'https://myapp.com',
    methods: 'GET, POST',
    headers: 'Content-Type, Authorization',
    credentials: true,
    maxAge: 3600
  );
  return {'status': 'authenticated'};
});

Parameters:

  • event: The H4Event containing the request and response
  • origin: Allowed origin(s). Defaults to "*" for all origins
  • methods: Comma-separated list of allowed HTTP methods
  • headers: Comma-separated list of allowed request headers
  • credentials: Whether to allow credentials (cookies, auth headers)
  • maxAge: How long browsers should cache the preflight response (in seconds)

Implementation

void handleCors(
  H4Event event, {
  String origin = "*",
  String methods = "GET, POST, PUT, DELETE, OPTIONS, HEAD, PATCH",
  String headers = "Content-Type, Authorization, X-Requested-With",
  bool credentials = false,
  int maxAge = 86400, // 24 hours
}) {
  final response = event.node["value"]!.response;

  // Set basic CORS headers
  response.headers.set(HttpHeaders.accessControlAllowOriginHeader, origin);
  response.headers.set(HttpHeaders.accessControlAllowMethodsHeader, methods);
  response.headers.set(HttpHeaders.accessControlAllowHeadersHeader, headers);

  if (credentials) {
    response.headers
        .set(HttpHeaders.accessControlAllowCredentialsHeader, 'true');

    // When credentials are allowed, origin cannot be "*"
    if (origin == "*") {
      // Use the requesting origin if available
      final requestOrigin = event.node["value"]?.headers.value('Origin');
      if (requestOrigin != null) {
        response.headers
            .set(HttpHeaders.accessControlAllowOriginHeader, requestOrigin);
      }
    }
  }

  response.headers
      .set(HttpHeaders.accessControlMaxAgeHeader, maxAge.toString());

  if (event.node["value"]?.method == 'OPTIONS') {
    response.statusCode = HttpStatus.noContent; // 204
    response.headers.set(HttpHeaders.contentLengthHeader, '0');
  }
}