chore(guard): centralize cors config

MasterPtato · MasterPtato · commit d3bae7855c72 · 2026-02-04T10:49:01.000-08:00
diff --git a/engine/packages/guard-core/src/proxy_service.rs b/engine/packages/guard-core/src/proxy_service.rs
@@ -581,6 +581,28 @@ impl ProxyService {
 				HeaderValue::from_str(&cors.expose_headers)?,
 			);
 
+			if let Some(allow_methods) = &cors.allow_methods {
+				headers.insert(
+					"access-control-allow-methods",
+					HeaderValue::from_str(allow_methods)?,
+				);
+			}
+
+			if let Some(allow_headers) = &cors.allow_headers {
+				headers.insert(
+					"access-control-allow-headers",
+					HeaderValue::from_str(allow_headers)?,
+				);
+			}
+
+			if let Some(max_age) = &cors.max_age {
+				headers.insert(
+					"access-control-max-age",
+					HeaderValue::from_str(&max_age.to_string())?,
+				);
+			}
+
+			// Add Vary header to prevent cache poisoning when echoing origin
 			if cors.allow_origin != "*" {
 				headers.insert("vary", HeaderValue::from_static("Origin"));
 			}
diff --git a/engine/packages/guard-core/src/request_context.rs b/engine/packages/guard-core/src/request_context.rs
@@ -150,4 +150,11 @@ pub struct CorsConfig {
 	pub allow_origin: String,
 	pub allow_credentials: bool,
 	pub expose_headers: String,
+
+	// Only set for OPTIONS requests
+	// TODO: Vec of Method
+	pub allow_methods: Option<String>,
+	pub allow_headers: Option<String>,
+	// Seconds
+	pub max_age: Option<u32>,
 }
diff --git a/engine/packages/pegboard-gateway/src/lib.rs b/engine/packages/pegboard-gateway/src/lib.rs
@@ -132,31 +132,29 @@ impl PegboardGateway {
 				.and_then(|v| v.to_str().ok())
 				.unwrap_or("*");
 
-			let mut response = Response::builder()
+			req_ctx.set_cors(CorsConfig {
+				allow_origin: origin.clone(),
+				allow_credentials: true,
+				expose_headers: "*".to_string(),
+				allow_methods: Some("GET, POST, PUT, DELETE, OPTIONS, PATCH".to_string()),
+				allow_headers: Some(requested_headers.to_string()),
+				max_age: Some(86400),
+			});
+
+			return Ok(Response::builder()
 				.status(StatusCode::NO_CONTENT)
-				.header("access-control-allow-origin", &origin)
-				.header("access-control-allow-credentials", "true")
-				.header(
-					"access-control-allow-methods",
-					"GET, POST, PUT, DELETE, OPTIONS, PATCH",
-				)
-				.header("access-control-allow-headers", requested_headers)
-				.header("access-control-expose-headers", "*")
-				.header("access-control-max-age", "86400");
-
-			// Add Vary header to prevent cache poisoning when echoing origin
-			if origin != "*" {
-				response = response.header("vary", "Origin");
-			}
-
-			return Ok(response.body(ResponseBody::Full(Full::new(Bytes::new())))?);
+				.body(ResponseBody::Full(Full::new(Bytes::new())))?);
 		}
 
 		// Set CORS headers through guard
 		req_ctx.set_cors(CorsConfig {
 			allow_origin: origin.clone(),
 			allow_credentials: true,
 			expose_headers: "*".to_string(),
+			// Not an options req, not required
+			allow_methods: None,
+			allow_headers: None,
+			max_age: None,
 		});
 
 		let body_bytes = req
