Allow CORS to be a parameter

Author: inlined

spec/v2/providers/https.spec.ts

@@ -32,6 +32,7 @@ import { FULL_ENDPOINT, MINIMAL_V2_ENDPOINT, FULL_OPTIONS, FULL_TRIGGER } from "
 import { onInit } from "../../../src/v2/core";
 import { Handler } from "express";
 import { genkit } from "genkit";
+import { clearParams, defineList } from "../../../src/params";
 
 function request(args: {
   data?: any;
@@ -227,6 +228,46 @@ describe("onRequest", () => {
     });
   });
 
+  it("should allow cors params", async () => {
+    const origins = defineList("ORIGINS");
+
+    try {
+      process.env.ORIGINS = '["example.com","example2.com"]';
+      const func = https.onRequest(
+        {
+          cors: origins,
+        },
+        (req, res) => {
+          res.send("42");
+        }
+      );
+      const req = new MockRequest(
+        {
+          data: {},
+        },
+        {
+          referrer: "example.com",
+          "content-type": "application/json",
+          origin: "example.com",
+        }
+      );
+      req.method = "OPTIONS";
+
+      const response = await runHandler(func, req as any);
+
+      expect(response.status).to.equal(204);
+      expect(response.headers).to.deep.equal({
+        "Access-Control-Allow-Origin": "example.com",
+        "Access-Control-Allow-Methods": "GET,HEAD,PUT,PATCH,POST,DELETE",
+        "Content-Length": "0",
+        Vary: "Origin, Access-Control-Request-Headers",
+      });
+    } finally {
+      delete process.env.ORIGINS;
+      clearParams();
+    }
+  });
+
   it("should add CORS headers if debug feature is enabled", async () => {
     sinon.stub(debug, "isDebugFeatureEnabled").withArgs("enableCors").returns(true);
 

src/v2/providers/https.ts

@@ -72,7 +72,13 @@ export interface HttpsOptions extends Omit<GlobalOptions, "region" | "enforceApp
    * If this is an `Array`, allows requests from domains matching at least one entry of the array.
    * Defaults to true for {@link https.CallableFunction} and false otherwise.
    */
-  cors?: string | boolean | RegExp | Array<string | RegExp>;
+  cors?:
+    | string
+    | Expression<string>
+    | Expression<string[]>
+    | boolean
+    | RegExp
+    | Array<string | RegExp>;
 
   /**
    * Amount of memory to allocate to a function.
@@ -308,7 +314,7 @@ export function onRequest(
   }
 
   if (isDebugFeatureEnabled("enableCors") || "cors" in opts) {
-    let origin = opts.cors;
+    let origin = opts.cors instanceof Expression ? opts.cors.value() : opts.cors;
     if (isDebugFeatureEnabled("enableCors")) {
       // Respect `cors: false` to turn off cors even if debug feature is enabled.
       origin = opts.cors === false ? false : true;
@@ -418,7 +424,18 @@ export function onCall<T = any, Return = any | Promise<any>, Stream = unknown>(
     opts = optsOrHandler as CallableOptions;
   }
 
-  let origin = isDebugFeatureEnabled("enableCors") ? true : "cors" in opts ? opts.cors : true;
+  let cors: string | boolean | RegExp | Array<string | RegExp> | undefined;
+  if ("cors" in opts) {
+    if (opts.cors instanceof Expression) {
+      cors = opts.cors.value();
+    } else {
+      cors = opts.cors;
+    }
+  } else {
+    cors = true;
+  }
+
+  let origin = isDebugFeatureEnabled("enableCors") ? true : cors;
   // Arrays cause the access-control-allow-origin header to be dynamic based
   // on the origin header of the request. If there is only one element in the
   // array, this is unnecessary.