barrel_server_cors (barrel_server v1.0.1)

View Source

CORS for the REST API, in front of auth.

Thin wrapper over livery_cors configured from {barrel_server, cors, Map}: origins (`*'' or a list of origin binaries), expose (response headers readable by browser JS; defaults to the x-barrel-* set so clients can fold the HLC clock), plus livery_cors passthroughs (methods, headers, credentials, max_age). Unconfigured = the middleware is not installed and no CORS headers are emitted. /mcp is skipped: the MCP endpoint carries its own origin policy (livery_mcp allowed_origins) and OPTIONS route, and double CORS headers break browsers.

Runs BEFORE barrel_server_auth so preflights (which carry no Authorization by spec) answer 204, while actual-request CORS headers wrap auth 401s and browser JS can read the error body.

Summary

Functions

Middleware state from the app env; undefined = no CORS.

Functions

call(Req, Next, Cfg)

state_from_env()

-spec state_from_env() -> map() | undefined.

Middleware state from the app env; undefined = no CORS.