HARMONY-2317: Add CORS support #885

Merged: chris-durbin merged 5 commits into main from harmony-2317 on Apr 1, 2026

@chris-durbin chris-durbin commented Apr 1, 2026

Jira Issue ID

HARMONY-2317

Description

EDSC is looking to call the harmony capabilities endpoint from JavaScript code in the browser. They were hitting issues with cross-origin issues in their testing because harmony did not support CORS.

Local Test Steps

Verify you can reach the OPTIONS routes now and the CORS information is included in the headers:
curl -v -X OPTIONS http://localhost:3000/capabilities

> OPTIONS /capabilities HTTP/1.1
...
< HTTP/1.1 204 No Content
...
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
< Access-Control-Allow-Headers: Authorization, Content-Type, Content-Length, Accept
< Access-Control-Expose-Headers: Content-Encoding, Content-Disposition
< Access-Control-Max-Age: 86400
...

Verify that all routes include the Access-Control-Allow-Origin now
curl -v -X OPTIONS http://localhost:3000/capabilities

I deployed this change to the harmony SIT environment and EDSC verified it is working correctly for them now.

PR Acceptance Checklist

  • Acceptance criteria met
  • Tests added/updated (if needed) and passing
  • Documentation updated (if needed)
  • Harmony in a Box tested (if changes made to microservices or new dependencies added)

Summary by CodeRabbit

  • New Features

    • Added Cross-Origin Resource Sharing (CORS) support, enabling the application to handle requests from different web origins.
    • Improved authentication flow to allow CORS preflight requests to bypass authentication checks, preventing request failures.
  • Tests

    • Added comprehensive test coverage for CORS middleware functionality.

coderabbitai bot commented Apr 1, 2026

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (7)
  • services/cron-service/package-lock.json is excluded by !**/package-lock.json
  • services/harmony/package-lock.json is excluded by !**/package-lock.json
  • services/query-cmr/package-lock.json is excluded by !**/package-lock.json
  • services/service-runner/package-lock.json is excluded by !**/package-lock.json
  • services/work-failer/package-lock.json is excluded by !**/package-lock.json
  • services/work-scheduler/package-lock.json is excluded by !**/package-lock.json
  • services/work-updater/package-lock.json is excluded by !**/package-lock.json

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: df59b08e-4dd2-4ddb-9ef1-318b6b2e3753

Walkthrough

This PR introduces CORS (Cross-Origin Resource Sharing) middleware to the Harmony service. It adds handlers for preflight OPTIONS requests and general CORS headers, registers them in the router, and updates authorization middleware to bypass OPTIONS requests to prevent blocking preflight requests.

Changes

| Cohort / File(s) | Summary |
|---|---|
| CORS Middleware Implementation: services/harmony/app/middleware/cors.ts | Added two Express middleware handlers: optionsHandler responds to CORS preflight OPTIONS requests with appropriate CORS headers and HTTP 204; corsHandler sets Access-Control-Allow-Origin header and passes control to next middleware. |
| Authorization Middleware Updates: services/harmony/app/middleware/earthdata-login-oauth-authorizer.ts, services/harmony/app/middleware/earthdata-login-token-authorizer.ts | Modified authentication requirement logic to exclude HTTP OPTIONS requests from triggering Earthdata Login authorization, preventing CORS preflight requests from being blocked. |
| Router Configuration: services/harmony/app/routers/router.ts | Registered CORS middleware handlers globally on router: optionsHandler for all preflight requests and corsHandler applied before authorization middleware. |
| CORS Middleware Tests: services/harmony/test/middleware/cors.ts | Added comprehensive test suite validating optionsHandler sets correct headers, responds with HTTP 204, and does not call next; validating corsHandler sets origin header and calls next without terminating response. |

Sequence Diagram

sequenceDiagram
    participant Client
    participant Router
    participant CORSHandler
    participant AuthHandler
    participant NextMiddleware

    Client->>Router: OPTIONS /api/resource (preflight)
    Router->>CORSHandler: optionsHandler
    CORSHandler->>CORSHandler: Set CORS headers
    CORSHandler->>Client: 204 No Content (end)
    
    Client->>Router: POST /api/resource
    Router->>CORSHandler: corsHandler
    CORSHandler->>CORSHandler: Set Access-Control-Allow-Origin
    CORSHandler->>AuthHandler: next()
    AuthHandler->>AuthHandler: Check auth (skip if OPTIONS)
    AuthHandler->>NextMiddleware: next()
    NextMiddleware->>Client: Response

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • indiejames
  • flamingbear
  • ygliuvt

Poem

🐰 A rabbit hops through CORS with grace,
OPTIONS preflight find their place,
No auth to block the browser's call,
Headers set for one and all! 🌐

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title 'HARMONY-2317: Add CORS support' clearly and specifically describes the main change: adding CORS (Cross-Origin Resource Sharing) support to the Harmony service. |
| Description check | ✅ Passed | The PR description covers the Jira issue ID, explains the business context and purpose, provides detailed local test steps with expected output, and includes a partially completed acceptance checklist. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |

@chris-durbin chris-durbin merged commit 8a55c07 into main Apr 1, 2026
6 checks passed
@chris-durbin chris-durbin deleted the harmony-2317 branch April 1, 2026 20:22
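
The handler order and the OPTIONS exemption described in the walkthrough above, as an added JavaScript sketch that is not the code from this PR. Header values are taken from the curl output in the description; `authHandler` (a 401-returning stand-in for the Earthdata Login authorizers) and `dispatch` (a stand-in for the Express router) are hypothetical.

```javascript
// Added example, not Harmony's cors.ts. Header values come from the PR's curl output.
const PREFLIGHT_HEADERS = {
  'Access-Control-Allow-Origin': '*',
  'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS',
  'Access-Control-Allow-Headers': 'Authorization, Content-Type, Content-Length, Accept',
  'Access-Control-Expose-Headers': 'Content-Encoding, Content-Disposition',
  'Access-Control-Max-Age': '86400',
};

// Answers a CORS preflight and ends the response; it never calls next().
function optionsHandler(req, res, _next) {
  for (const [name, value] of Object.entries(PREFLIGHT_HEADERS)) res.setHeader(name, value);
  res.statusCode = 204;
  res.end();
}

// Adds the origin header to every non-preflight response, then continues the chain.
function corsHandler(req, res, next) {
  res.setHeader('Access-Control-Allow-Origin', '*');
  next();
}

// Hypothetical stand-in for the authorizers: only the OPTIONS method is exempt.
function authHandler(req, res, next) {
  if (req.method === 'OPTIONS') return next();
  if (!req.headers.authorization) { res.statusCode = 401; return res.end(); }
  next();
}

// Hypothetical dispatcher that mimics the router order: preflight, CORS, auth, route.
function dispatch(method, headers = {}) {
  const req = { method, headers };
  const res = {
    statusCode: 200, headers: {}, ended: false, reachedRoute: false,
    setHeader(name, value) { this.headers[name] = value; },
    end() { this.ended = true; },
  };
  const route = (rq, rs) => { rs.reachedRoute = true; rs.end(); };
  const chain = [
    (rq, rs, nx) => (rq.method === 'OPTIONS' ? optionsHandler(rq, rs, nx) : nx()),
    corsHandler, authHandler, route,
  ];
  let i = 0;
  const next = () => { if (!res.ended && i < chain.length) chain[i++](req, res, next); };
  next();
  return res;
}
```

An OPTIONS request gets the 204 without ever reaching the route, while an unauthenticated GET is still rejected and carries Access-Control-Allow-Origin so browser code can read the error.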