From 9b8400049d46981be53ccfdc2daf031dbae4aca8 Mon Sep 17 00:00:00 2001
From: William Hilton <wmhilton@gmail.com>
Date: Thu, 20 Sep 2018 14:56:01 -0400
Subject: [PATCH] fix: Fix CORS handling

---
 index.js      | 5 ++++-
 micro-cors.js | 6 +++++-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/index.js b/index.js
index b3b6038..21efd8b 100644
--- a/index.js
+++ b/index.js
@@ -48,6 +48,7 @@ const cors = require('./micro-cors.js')({
   allowHeaders,
   exposeHeaders,
   allowMethods,
+  allowCredentials: false,
   origin
 })
 const allow = require('./allow-request.js')
@@ -86,6 +87,8 @@ async function service (req, res) {
     // Don't waste my precious bandwidth
     return send(res, 403, '')
   }
+
+  // Handle CORS preflight request
   if (req.method === 'OPTIONS') {
     return send(res, 200, '')
   }
@@ -120,4 +123,4 @@ async function service (req, res) {
   f.body.pipe(res)
 }
 
-module.exports = cors(service)
\ No newline at end of file
+module.exports = cors(service)
diff --git a/micro-cors.js b/micro-cors.js
index ed3200c..a5d9b7b 100644
--- a/micro-cors.js
+++ b/micro-cors.js
@@ -1,5 +1,6 @@
 // MIT License
 // https://github.com/possibilities/micro-cors
+// source: https://github.com/possibilities/micro-cors/pull/42
 const DEFAULT_ALLOW_METHODS = [
   'POST',
   'GET',
@@ -26,11 +27,14 @@ const cors = (options = {}) => handler => (req, res, ...restArgs) => {
     maxAge = DEFAULT_MAX_AGE_SECONDS,
     allowMethods = DEFAULT_ALLOW_METHODS,
     allowHeaders = DEFAULT_ALLOW_HEADERS,
+    allowCredentials = true,
     exposeHeaders = []
   } = options
 
   res.setHeader('Access-Control-Allow-Origin', origin)
-  res.setHeader('Access-Control-Allow-Credentials', 'true')
+  if (allowCredentials) {
+    res.setHeader('Access-Control-Allow-Credentials', 'true')
+  }
   if (exposeHeaders.length) {
     res.setHeader('Access-Control-Expose-Headers', exposeHeaders.join(','))
   }