From 31d8a24fee672d17cf120ec37d94dbbd631e9abd Mon Sep 17 00:00:00 2001
From: Ilya Semenov
Date: Tue, 15 Jul 2025 14:15:25 +0700
Subject: [PATCH] fix(cors): use defaults in handleCors
---
 src/utils/cors.ts | 4 ++--
 test/unit/cors.test.ts | 48 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 50 insertions(+), 2 deletions(-)
diff --git a/src/utils/cors.ts b/src/utils/cors.ts
index 34ca2270..44e527eb 100644
--- a/src/utils/cors.ts
+++ b/src/utils/cors.ts
@@ -150,9 +150,9 @@ export function appendCorsHeaders(event: H3Event, options: CorsOptions): void {
 export function handleCors(event: H3Event, options: CorsOptions): false | "" {
 const _options = resolveCorsOptions(options);
 if (isPreflightRequest(event)) {
- appendCorsPreflightHeaders(event, options);
+ appendCorsPreflightHeaders(event, _options);
 return noContent(event, _options.preflight.statusCode);
 }
- appendCorsHeaders(event, options);
+ appendCorsHeaders(event, _options);
 return false;
 }
diff --git a/test/unit/cors.test.ts b/test/unit/cors.test.ts
index a1a169ab..f47fda11 100644
--- a/test/unit/cors.test.ts
+++ b/test/unit/cors.test.ts
@@ -5,6 +5,7 @@ import {
 isCorsOriginAllowed,
 appendCorsPreflightHeaders,
 appendCorsHeaders,
+ handleCors,
 } from "../../src/index.ts";
 import {
 resolveCorsOptions,
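Review bot: `handleCors` in src/utils/cors.ts now fills omitted option fields from `resolveCorsOptions`, and nothing in the hunk documents that the resulting default policy is a wildcard; the tests added in this commit assert `access-control-allow-origin: *` for `handleCors(eventMock, {})`. Callers that pass partial options may therefore start emitting wildcard CORS headers after upgrading, so the function should carry a doc comment such as `/** Fields omitted from options fall back to the resolveCorsOptions defaults (wildcard origin); set origin explicitly to restrict cross-origin access. */`. The exported `appendCorsPreflightHeaders` and `appendCorsHeaders` still take raw `CorsOptions`, and their bodies are outside this hunk, so it is worth checking whether direct callers of those helpers get the same defaults.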
@@ -676,4 +677,51 @@ describe("cors (unit)", () => {
 }
 });
 });
+
+ describe("handleCors", () => {
+ it("handles preflight request", () => {
+ const eventMock = mockEvent("/", {
+ method: "OPTIONS",
+ headers: {
+ origin: "https://example.com",
+ "access-control-request-method": "POST",
+ },
+ });
+
+ // use defaults
+ handleCors(eventMock, {});
+
+ expect(eventMock.res.headers.get("access-control-allow-origin")).toEqual(
+ "*",
+ );
+ expect(eventMock.res.headers.get("access-control-allow-methods")).toEqual(
+ "*",
+ );
+ expect(
+ eventMock.res.headers.has("access-control-expose-headers"),
+ ).toEqual(false);
+ });
+
+ it("handles normal request", () => {
+ const eventMock = mockEvent("/", {
+ method: "POST",
+ headers: {
+ origin: "https://example.com",
+ },
+ });
+
+ // use defaults
+ handleCors(eventMock, {});
+
+ expect(eventMock.res.headers.get("access-control-allow-origin")).toEqual(
+ "*",
+ );
+ expect(eventMock.res.headers.has("access-control-allow-methods")).toEqual(
+ false,
+ );
+ expect(
+ eventMock.res.headers.get("access-control-expose-headers"),
+ ).toEqual("*");
+ });
+ });
 });
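Review bot: Both new `handleCors` cases pass `{}` only, so they pin the wildcard defaults but not that an explicit restriction survives the merge with those defaults. A third case that passes an `origin` allow-list not containing the request origin, and asserts that no `access-control-allow-origin` header is set, would guard against a default silently widening a caller's policy. The expected outcome below is inferred from how the option is normally used and should be confirmed against the origin-matching code, which is not part of this diff. The return value of `handleCors` is also never asserted in either existing case.

```typescript
// … unchanged: the two existing handleCors cases …
it("keeps an explicit origin restriction", () => {
  const eventMock = mockEvent("/", {
    method: "POST",
    headers: {
      origin: "https://example.com",
    },
  });

  // constructed allow-list that does not contain the request origin
  const result = handleCors(eventMock, {
    origin: ["https://allowed.example"],
  });

  expect(result).toEqual(false);
  expect(eventMock.res.headers.has("access-control-allow-origin")).toEqual(
    false,
  );
});
```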