Skip to content

br(v29): Global parsers and CORS splitting#3504

Merged
RobinTail merged 34 commits into
make-v29from
rev-selective-parsers-for-better-query-support
Jul 2, 2026
Merged

br(v29): Global parsers and CORS splitting#3504
RobinTail merged 34 commits into
make-v29from
rev-selective-parsers-for-better-query-support

Conversation

@RobinTail

@RobinTail RobinTail commented Jul 1, 2026

Copy link
Copy Markdown
Owner
  1. Related to feat(v29): Supporting QUERY method #3479
  2. Restores Muting upload logs related to non-eligible requests #1733
  3. Partially reverts Feat: Selective parsers with child logger #1741 to support both JSON and more conventional URL-encoded body types for QUERY method
  4. Splits CORS to maintain handling for the issue cors does not work with upload.limitError #2706
  5. Changes the type of the cors config option (breaking) to support RequestHandler, such as a middleware provided by the well-known cors library
  6. Featuring beforeParsers hook, while beforeRouting remains exactly before calling initRouting()

@RobinTail RobinTail added enhancement New feature or request breaking Backward incompatible changes labels Jul 1, 2026
@coderabbitai

coderabbitai Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a534757c-7078-4258-9509-da9774eac132

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch rev-selective-parsers-for-better-query-support

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@RobinTail RobinTail changed the title Rev selective parsers for better query support br(v29): Global parsers and CORS splitting Jul 1, 2026
@RobinTail RobinTail added this to the v29 milestone Jul 1, 2026
@coveralls-official

coveralls-official Bot commented Jul 1, 2026

Copy link
Copy Markdown

Coverage Status

coverage: 100.0%. remained the same — rev-selective-parsers-for-better-query-support into make-v29

@RobinTail RobinTail added the documentation Improvements or additions to documentation label Jul 1, 2026
Comment thread express-zod-api/src/config-type.ts
Comment thread express-zod-api/src/config-type.ts
Comment thread express-zod-api/src/routing.ts
Comment thread CHANGELOG.md Outdated
Comment thread CHANGELOG.md Outdated
Comment thread CHANGELOG.md Outdated
Comment thread CHANGELOG.md Outdated
Comment thread CHANGELOG.md Outdated
Comment thread CHANGELOG.md Outdated
@RobinTail RobinTail marked this pull request as ready for review July 2, 2026 11:18

@pullfrog pullfrog Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Two changes require fixes before merge: attachRouting() no longer provides full CORS, and the migration rule for the old cors function can generate code with undefined references.

Reviewed changes — the PR makes body parsers global in createServer(), splits CORS into global and route-level layers, changes cors from HeadersProvider to RequestHandler, adds beforeParsers, and updates migration/docs/tests for v29.

  • Body parsers move from per-endpoint initRouting() to global app.use() calls in createServer().
  • cors config becomes boolean | RequestHandler, removing HeadersProvider.
  • CORS splits: ensureCorsMiddleware() sets Origin/Headers globally before parsers; route-level handlers now only set Access-Control-Allow-Methods.
  • Adds beforeParsers hook and repositions beforeRouting to run after parsers.
  • Adds migration rule for old cors functions and updates tests, examples, docs, and CHANGELOG.

🚨 attachRouting() no longer installs global CORS headers

createServer() runs setup(), which mounts ensureCorsMiddleware(config.cors) before parsers. attachRouting() calls initRouting() directly without that global layer. Since initRouting() now only sets Access-Control-Allow-Methods on method routes, attachRouting({ cors: true }, ...) users receive only Allow-Methods and no Access-Control-Allow-Origin or Access-Control-Allow-Headers.

Previously, initRouting() set all three CORS headers at the route level, so attachRouting() users got full CORS. The CHANGELOG mentions that attachRouting() users must install parsers manually, but it is silent on CORS. Either mount the global CORS middleware in attachRouting() or document the additional manual step.

Technical details
# attachRouting() no longer installs global CORS headers

## Affected sites
- `express-zod-api/src/server.ts:55-65``attachRouting()` calls `initRouting()` directly, skipping the global CORS layer in `setup()`.
- `express-zod-api/src/server.ts:85``ensureCorsMiddleware(config.cors)` is only mounted inside `setup()`.
- `express-zod-api/src/routing.ts:74-79` — route-level CORS now only sets `Access-Control-Allow-Methods`.

## Required outcome
- `attachRouting({ cors: true }, ...)` must continue to produce `Access-Control-Allow-Origin: *` and `Access-Control-Allow-Headers: content-type`, or the release notes must explicitly state that these headers are no longer provided automatically.

## Suggested approach
Mount `ensureCorsMiddleware(config.cors)` in `attachRouting()` before calling `initRouting()`, or move the global CORS mount into a shared helper used by both `setup()` and `attachRouting()`.

## Open questions for the human
- Is the intended behavior that `attachRouting()` users now install CORS themselves, matching the parser manual-install note?

Note: 1 inline comment(s) dropped because they did not anchor to lines inside the PR diff:

  • express-zod-api/src/server-helpers.ts:126 (RIGHT) — line 126 (RIGHT) is not inside a diff hunk

Pullfrog  | Fix all ➔Fix 👍s ➔View workflow run | Using Kimi K2 (free via Pullfrog for OSS) | 𝕏

Comment thread migration/index.ts
Comment thread README.md Outdated
Comment thread express-zod-api/src/config-type.ts Outdated
@RobinTail

Copy link
Copy Markdown
Owner Author

I fixed the attachRouting + CORS concern in 4f27ce4 , @pullfrog

@pullfrog pullfrog Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ℹ️ No new issues introduced by this commit; the prior attachRouting() CORS concern is now resolved.

Reviewed changes — the latest commit restores full CORS handling for attachRouting() users and updates the corresponding test assertions.

  • attachRouting() now mounts ensureCorsMiddleware() before calling initRouting(), so cors: true users continue to receive Access-Control-Allow-Origin: * and Access-Control-Allow-Headers: content-type.
  • server.spec.ts assertions updated to expect two app.use() calls (logging + CORS) for attachRouting().

Pullfrog  | Fix it ➔View workflow run | Using Kimi K2 (free via Pullfrog for OSS) | 𝕏

@pullfrog pullfrog Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ℹ️ No new issues introduced by this follow-up commit; the invalid beforeParsers JSDoc example is now fixed.

Reviewed changes — the latest commit replaces the invalid app.use() example in the beforeParsers hook JSDoc with a concrete app.use(helmet()) example.

  • beforeParsers JSDoc example fixed from ({ app }) => { app.use(); } to ({ app }) => { app.use(helmet()); }, giving users a valid, concrete middleware usage pattern.

Pullfrog  | Fix it ➔View workflow run | Using Kimi K2 (free via Pullfrog for OSS) | 𝕏

@pullfrog pullfrog Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ No new issues found.

Reviewed changes — the latest commit restores full CORS handling for attachRouting() users by mounting the same global ensureCorsMiddleware() that createServer() uses.

  • attachRouting() now installs ensureCorsMiddleware(config.cors) before initRouting(), matching setup() behavior in createServer().
  • routing.ts keeps the route-level Access-Control-Allow-Methods handler, relying on the global middleware for origin/headers.
  • server.spec.ts assertions reflect the additional CORS app.use() call in attachRouting().
  • Also resolved the open README thread: attachRouting() users should install extra middleware/parsers on their custom app, since beforeRouting/beforeParsers are ServerConfig hooks only.
  • Migration rule and tests for the cors config change remain intact.

Pullfrog  | View workflow run | Using Kimi K2 (free via Pullfrog for OSS) | 𝕏

@pullfrog pullfrog Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ No new issues found.

Reviewed changes — the two incremental commits address the remaining open documentation feedback from the prior review.

  • README.md no longer points attachRouting() users toward beforeRouting/beforeParsers config options; it now correctly says to install extra middleware/parsers on the custom app directly.
  • config-type.ts beforeParsers JSDoc example now uses a concrete app.use(helmet()) instead of the invalid empty app.use().

Pullfrog  | View workflow run | Using Kimi K2 (free via Pullfrog for OSS) | 𝕏

Comment thread express-zod-api/src/server.ts Outdated

@RobinTail RobinTail left a comment

Copy link
Copy Markdown
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🏁

@RobinTail RobinTail merged commit 4771737 into make-v29 Jul 2, 2026
13 checks passed
@RobinTail RobinTail deleted the rev-selective-parsers-for-better-query-support branch July 2, 2026 14:38
RobinTail added a commit that referenced this pull request Jul 3, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

breaking Backward incompatible changes documentation Improvements or additions to documentation enhancement New feature or request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant