From abed694080a34efcd19a31a818e484440927b0e0 Mon Sep 17 00:00:00 2001
From: Mahmoud Hamdi <hmdy7486@gmail.com>
Date: Sun, 29 Mar 2026 04:11:47 +0200
Subject: [PATCH] test: add coverage for origin callback edge cases

Add tests for behaviors that were previously untested:

- Origin callback receives the correct request origin parameter
- Errors from origin callback are forwarded to next()
- Origin callback returning a specific string (not just boolean)
- Preflight requests with regexp origin
- Preflight requests with array of origin checks
- Preflight requests with origin set to true
- Methods option specified as a string
---
 test/test.js | 118 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 118 insertions(+)

diff --git a/test/test.js b/test/test.js
index 34ddb41..33cce7e 100644
--- a/test/test.js
+++ b/test/test.js
@@ -400,6 +400,124 @@ var util = require('util')
       });
 
 
+      it('should pass the request origin to the origin callback', function (done) {
+        var req, res, next, options;
+        options = {
+          origin: function (sentOrigin, cb) {
+            assert.equal(sentOrigin, 'http://example.com')
+            cb(null, true);
+          }
+        };
+        req = fakeRequest('GET');
+        res = fakeResponse();
+        next = function () {
+          done();
+        };
+
+        cors(options)(req, res, next);
+      });
+
+      it('should forward error from origin callback to next', function (done) {
+        var req, res, next, options;
+        var err = new Error('origin check failed');
+        options = {
+          origin: function (sentOrigin, cb) {
+            cb(err);
+          }
+        };
+        req = fakeRequest('GET');
+        res = fakeResponse();
+        next = function (nextErr) {
+          assert.equal(nextErr, err)
+          done();
+        };
+
+        cors(options)(req, res, next);
+      });
+
+      it('should allow origin when callback returns a string', function (done) {
+        var req, res, next, options;
+        options = {
+          origin: function (sentOrigin, cb) {
+            cb(null, 'http://allowed.com');
+          }
+        };
+        req = fakeRequest('GET');
+        res = fakeResponse();
+        next = function () {
+          assert.equal(res.getHeader('Access-Control-Allow-Origin'), 'http://allowed.com')
+          assert.equal(res.getHeader('Vary'), 'Origin')
+          done();
+        };
+
+        cors(options)(req, res, next);
+      });
+
+      it('matches request origin against regexp on preflight', function (done) {
+        var cb = after(1, done)
+        var req = new FakeRequest('OPTIONS')
+        var res = new FakeResponse()
+        var options = { origin: /:\/\/(.+\.)?example.com$/ }
+
+        res.on('finish', function () {
+          assert.equal(res.getHeader('Access-Control-Allow-Origin'), req.headers.origin)
+          assert.equal(res.getHeader('Vary'), 'Origin, Access-Control-Request-Headers')
+          cb()
+        })
+
+        cors(options)(req, res, function (err) {
+          cb(err || new Error('should not be called'))
+        })
+      });
+
+      it('matches request origin against array of origin checks on preflight', function (done) {
+        var cb = after(1, done)
+        var req = new FakeRequest('OPTIONS')
+        var res = new FakeResponse()
+        var options = { origin: [ /foo\.com$/, 'http://example.com' ] }
+
+        res.on('finish', function () {
+          assert.equal(res.getHeader('Access-Control-Allow-Origin'), req.headers.origin)
+          assert.equal(res.getHeader('Vary'), 'Origin, Access-Control-Request-Headers')
+          cb()
+        })
+
+        cors(options)(req, res, function (err) {
+          cb(err || new Error('should not be called'))
+        })
+      });
+
+      it('handles preflight when origin is set to true', function (done) {
+        var cb = after(1, done)
+        var req = new FakeRequest('OPTIONS')
+        var res = new FakeResponse()
+
+        res.on('finish', function () {
+          assert.equal(res.getHeader('Access-Control-Allow-Origin'), 'http://example.com')
+          assert.equal(res.getHeader('Access-Control-Allow-Methods'), 'GET,HEAD,PUT,PATCH,POST,DELETE')
+          cb()
+        })
+
+        cors({ origin: true })(req, res, function (err) {
+          cb(err || new Error('should not be called'))
+        })
+      });
+
+      it('can override methods with a string', function (done) {
+        var cb = after(1, done)
+        var req = new FakeRequest('OPTIONS')
+        var res = new FakeResponse()
+
+        res.on('finish', function () {
+          assert.equal(res.getHeader('Access-Control-Allow-Methods'), 'GET,POST')
+          cb()
+        })
+
+        cors({ methods: 'GET,POST' })(req, res, function (err) {
+          cb(err || new Error('should not be called'))
+        })
+      });
+
       it('can override methods', function (done) {
         var cb = after(1, done)
         var req = new FakeRequest('OPTIONS')