access-control-allow-methods is "DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT" while only post defined about litestar HOT 7 CLOSED

Not sure, but I can try.

from litestar.

Thanks for the report.

Can you add a failing test case? Would be great.

from litestar.

Seems like this issue is related to Starlette CORSMiddleware
I've added a discussion in Starlette encode/starlette#1582

from litestar.

About test, you can just update existing one test_setting_cors_middleware by changing this line
assert cors_middleware.allow_methods == ("DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT") 🙂

from litestar.

ok, I will check this out during the weekend.

from litestar.

So, i tested this as you suggested by adjusting that test. This is working correctly:

def test_setting_cors_middleware() -> None:
    cors_config = CORSConfig(allow_methods=["OPTIONS", "POST"])
    assert cors_config.allow_credentials is False
    assert cors_config.allow_headers == ["*"]
    assert cors_config.allow_methods == ["OPTIONS", "POST"]
    assert cors_config.allow_origins == ["*"]
    assert cors_config.allow_origin_regex is None
    assert cors_config.max_age == 600
    assert cors_config.expose_headers == []

    client = create_test_client(route_handlers=[handler], cors_config=cors_config)
    unpacked_middleware = []
    cur = client.app.middleware_stack
    while hasattr(cur, "app"):
        unpacked_middleware.append(cur)
        cur = cur.app  # type: ignore
    assert len(unpacked_middleware) == 2
    cors_middleware = unpacked_middleware[0]
    assert isinstance(cors_middleware, CORSMiddleware)
    assert cors_middleware.allow_headers == ["*", "accept", "accept-language", "content-language", "content-type"]
    assert cors_middleware.allow_methods == ['OPTIONS', 'POST']
    assert cors_middleware.allow_origins == cors_config.allow_origins
    assert cors_middleware.allow_origin_regex == cors_config.allow_origin_regex

Note that ['OPTIONS', 'POST'] are used everywhere.

Now, I understand what the issue is as far as you are concerned. You want the allowed methods to be based not on a global configuration but be per endpoint. I am afraid this is not possible using the middleware pattern because middleware is unaware of the endpoints. While it might be possible to modify this, it would be a complex architectural change to do.

The alternative approaches you can take are to use either a dependency that receives some parameters, or a decorator that takes the route handler and does something similar. These you will need to create on your end and if you think they are generic enough, you might add a PR to suggest them.

Inside Starlite the only possibility is to create a CORS layer separate from the middleware that is able to parse individual route_handlers and respond. This though is not a small change and will require substanital work. If you want to give it a try, you are welcome to do so.

from litestar.

There is work going in this direction in Starlette encode/starlette#1286, encode/starlette#685, so I think it is better to wait.

from litestar.