Skip to content

fix preflight requests#10943

Merged
loks0n merged 1 commit into1.8.xfrom
fix-preflight-requests
Dec 12, 2025
Merged

fix preflight requests#10943
loks0n merged 1 commit into1.8.xfrom
fix-preflight-requests

Conversation

@loks0n
Copy link
Copy Markdown
Member

@loks0n loks0n commented Dec 12, 2025

No description provided.

@loks0n loks0n changed the base branch from main to 1.8.x December 12, 2025 09:22
@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai bot commented Dec 12, 2025
edited
Loading

Warning

Rate limit exceeded

@loks0n has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 2 minutes and 33 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 646504e and 2cb86c5.

📒 Files selected for processing (2)
  • app/init/resources.php (1 hunks)
  • tests/e2e/General/HTTPTest.php (1 hunks)
📝 Walkthrough

Walkthrough

The pull request modifies CORS preflight request handling by updating the allowedHostnames resource to include the request hostname when the HTTP method is OPTIONS. A corresponding test method is added to HTTPTest to validate that preflight requests properly echo the origin header in the access-control-allow-origin response header.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

  • Verify the logic for appending the hostname to the allowed list during preflight (OPTIONS) requests is correct and doesn't introduce unintended side effects
  • Confirm the test method accurately simulates a CORS preflight scenario with appropriate headers (Origin, Access-Control-Request-Headers, Access-Control-Request-Method)
  • Check that the preflight response behavior aligns with CORS specification requirements

Pre-merge checks and finishing touches

❌ Failed checks (1 warning, 1 inconclusive)
Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. You can run @coderabbitai generate docstrings to improve docstring coverage.
Description check ❓ Inconclusive No pull request description was provided by the author. While the check is lenient, the absence of any description makes it impossible to assess relatedness to the changeset. Consider adding a brief description explaining the preflight request handling fix and why it was needed.
✅ Passed checks (1 passed)
Check name Status Explanation
Title check ✅ Passed The title 'fix preflight requests' is directly related to the main changeset, which adds preflight request handling for CORS by including the request hostname in allowed hostnames when HTTP method is OPTIONS.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions
Copy link
Copy Markdown

github-actions bot commented Dec 12, 2025
edited
Loading

Security Scan Results for PR

Docker Image Scan Results

Package Version Vulnerability Severity
libpng 1.6.51-r0 CVE-2025-66293 HIGH
libpng-dev 1.6.51-r0 CVE-2025-66293 HIGH

Source Code Scan Results

🎉 No vulnerabilities found!

@loks0n loks0n force-pushed the fix-preflight-requests branch from a61c1a4 to 646504e Compare December 12, 2025 09:27
coderabbitai[bot]
coderabbitai bot reviewed Dec 12, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🧹 Nitpick comments (1)
tests/e2e/General/HTTPTest.php (1)

187-203: Strengthen preflight assertions (status code + core CORS headers)

Right now this mainly checks echoing the origin. To make this test catch regressions better, assert the preflight status code and a couple of critical headers:

     public function testPreflight()
     {
-
         $endpoint = '/v1/projects'; // Can be any non-404 route
-
         /**
          * Test for SUCCESS
          */
         $response = $this->client->call(Client::METHOD_OPTIONS, $endpoint, [
             'origin' => 'http://random.com',
             'access-control-request-headers' => 'X-Appwrite-Project',
             'access-control-request-method' => 'GET'
         ]);
+        $this->assertEquals(204, $response['headers']['status-code']);
         $this->assertEquals('http://random.com', $response['headers']['access-control-allow-origin']);
+        $this->assertEquals('true', $response['headers']['access-control-allow-credentials']);
+        $this->assertStringContainsString('X-Appwrite-Project', $response['headers']['access-control-allow-headers']);
     }

If the intended behavior is not to allow arbitrary origins on preflight, add a negative preflight case (similar to testCors()’s failure assertions) to lock that down.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 278679a and 646504e.

📒 Files selected for processing (2)
  • app/init/resources.php (1 hunks)
  • tests/e2e/General/HTTPTest.php (1 hunks)
🧰 Additional context used
🧬 Code graph analysis (1)
tests/e2e/General/HTTPTest.php (1)
tests/e2e/Client.php (1)
  • Client (8-342)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)
  • GitHub Check: Benchmark
  • GitHub Check: E2E Service Test (Webhooks)
  • GitHub Check: E2E Service Test (FunctionsSchedule)
  • GitHub Check: E2E Service Test (Messaging)
  • GitHub Check: E2E Service Test (Sites)
  • GitHub Check: E2E Service Test (Databases/TablesDB)
  • GitHub Check: E2E Service Test (Avatars)
  • GitHub Check: E2E Service Test (Databases/Legacy)
🔇 Additional comments (1)
app/init/resources.php (1)

186-213: The preflight fix correctly allows legitimate requests without CORS bypass risk

The addition of $request->getHostname() for OPTIONS requests is sound. The Cors class extracts the host from the Origin header (line 73 of Cors.php), not the Host header, so including request.getHostname() in the allowlist only enables CORS when the Origin header's extracted host matches an allowed value. For legitimate preflight requests, the Host and Origin domains are identical (same-origin to the browser), so this change correctly permits the preflight to succeed.

The concern about Host header spoofing does not apply here because the CORS decision is based on the Origin header host, not the Host header value. Empty hostnames are also handled gracefully (lines 74-76 of Cors.php), returning without setting the Allow-Origin header if the extracted host is invalid.

No changes needed.

@github-actions
Copy link
Copy Markdown

github-actions bot commented Dec 12, 2025
edited
Loading

✨ Benchmark results

  • Requests per second: 1,165
  • Requests with 200 status code: 209,714
  • P99 latency: 0.166484511

⚡ Benchmark Comparison

Metric This PR Latest version
RPS 1,165 1,115
200 209,714 200,742
P99 0.166484511 0.188706489

@loks0n loks0n force-pushed the fix-preflight-requests branch from 646504e to 8845318 Compare December 12, 2025 09:47
@loks0n loks0n force-pushed the fix-preflight-requests branch from 8845318 to 2cb86c5 Compare December 12, 2025 09:49
@loks0n loks0n requested a review from ChiragAgg5k December 12, 2025 09:54
@loks0n loks0n merged commit bbc76ff into 1.8.x Dec 12, 2025
72 of 73 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@levivannoort levivannoort levivannoort approved these changes

@ChiragAgg5k ChiragAgg5k ChiragAgg5k approved these changes

+1 more reviewer

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@loks0n @levivannoort @ChiragAgg5k