Add CORS headers to actual responses and fix premature response flush

- Remove early ctx.writeAndFlush(response) to avoid sending response before headers are finalized
- Add dynamic CORS headers (Access-Control-Allow-Origin, Vary, Allow-Credentials) to normal responses
- Respect request Origin header and configuration for allowed origins and credentials

Author: m0ver

src/main/java/org/tinystruct/handler/HttpRequestHandler.java

@@ -99,8 +99,6 @@ protected void channelRead0(ChannelHandlerContext ctx, FullHttpRequest original)
             return;
         }
 
-        ctx.writeAndFlush(response);
-
         // Decide whether to close the connection or not.
         boolean keepAlive = HttpUtil.isKeepAlive(original);
         boolean ssl = Boolean.parseBoolean(configuration.getOrDefault("ssl.enabled", "false"));
@@ -126,6 +124,18 @@ private void service(final ChannelHandlerContext ctx, final Request<FullHttpRequ
 
         HttpResponseStatus status = OK;
         ResponseBuilder response = new ResponseBuilder(new DefaultFullHttpResponse(HTTP_1_1, status), ctx);
+
+        // Set CORS headers on the actual response
+        Object origin = request.headers().get(Header.ORIGIN);
+        String allowOrigin = configuration.getOrDefault("cors.allowed.origins", origin != null ? origin.toString() : "*");
+        response.addHeader(HttpHeaderNames.ACCESS_CONTROL_ALLOW_ORIGIN.toString(), allowOrigin);
+        if (origin != null) {
+            response.addHeader(HttpHeaderNames.VARY.toString(), "Origin");
+        }
+        if ("true".equalsIgnoreCase(configuration.get("cors.allow.credentials"))) {
+            response.addHeader(HttpHeaderNames.ACCESS_CONTROL_ALLOW_CREDENTIALS.toString(), "true");
+        }
+
         String host = request.headers().get(Header.HOST).toString();
         Object message;
         try {