bug: responseMeta sets wrong value to AllowOrigin CORS header #5717

Closed
1 task done
gnllucena opened this issue May 13, 2024 · 7 comments · May be fixed by #5721
Labels
🐛 bug: unconfirmed ⏳ close if no activity Will be closed if no activity happens within a few weeks 🙋‍♂️ help wanted Extra attention is needed 👻 invalid Invalid bug report

Comments

@gnllucena

gnllucena commented May 13, 2024

Provide environment information

  System:
    OS: macOS 14.2.1
    CPU: (10) arm64 Apple M1 Pro
    Memory: 1.17 GB / 32.00 GB
    Shell: 3.5.0 - /opt/homebrew/bin/fish
  Binaries:
    Node: 20.10.0 - ~/.nvm/versions/node/v20.10.0/bin/node
    npm: 10.2.3 - ~/.nvm/versions/node/v20.10.0/bin/npm
    pnpm: 9.0.6 - ~/Library/pnpm/pnpm
    bun: 1.0.29 - ~/.bun/bin/bun
  Browsers:
    Chrome: 124.0.6367.201
    Safari: 17.2.1

Describe the bug

When I set AllowOrigin headers, instead of having only the value I set, responseMeta also adds *.

Repo with reproduction: https://github.com/gnllucena/trpc-sst/blob/b2467045c71fdb8591830b73d278e309076e2c27/apps/server/index.ts#L5C1-L21C3

export const handler = awsLambdaRequestHandler({
  router: router,
  createContext: (opts) => opts,
  onError({ error, ctx }) {
    console.error("Error", error)
  },
  responseMeta({ data, ctx, errors, type }) {
    return {
      status: errors ? 400 : 200,
      headers: {
        "Access-Control-Allow-Origin": getAccessControlAllowOrigin("dev"),
        // "Access-Control-Allow-Headers": "Origin, X-Requested-With, Content-Type, Accept, Authorization",
        // "Access-Control-Allow-Methods": "OPTIONS,POST,GET",
      },
    }
  },
})

Access to fetch at 'https://jlh3dwfayd3z4inbuzrgkta4a40bspmf.lambda-url.us-east-2.on.aws/greet?batch=1&input=%7B%7D' from origin 'http://localhost:5173' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header contains multiple values 'http://localhost:5173, *', but only one is allowed. Have the server send the header with a valid value, or, if an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Link to reproduction

https://github.com/gnllucena/trpc-sst/tree/feat/cors

To reproduce

Install Ion

curl -fsSL https://ion.sst.dev/install | bash

Install pnpm

curl -fsSL https://get.pnpm.io/install.sh | sh -

Run the project

git clone https://github.com/gnllucena/trpc-sst.git

cd trpc-sst

git checkout feat/cors

pnpm install

pnpm dev

Go to http://localhost:5173

Additional information

No response

👨‍👧‍👦 Contributing

  • 🙋‍♂️ Yes, I'd be down to file a PR fixing this bug!

@KATT
Member

KATT commented May 13, 2024

Your repo doesn't seem to include responseMeta?

https://github.com/gnllucena/trpc-sst/blob/main/apps%2Fserver%2Findex.ts

@gnllucena
Author

gnllucena commented May 13, 2024

Hello, Katt, thank you for your quick reply!

It seems that you're looking at the main branch.

The repo has a feat/cors branch with the described issue.

Would it be better if I merge that to main?

Edit: I have updated the reproduction steps to describe the branch change

@KATT KATT mentioned this issue May 15, 2024
3 tasks
@KATT
Member

KATT commented May 15, 2024

Hey @gnllucena

I wasn't able to test your example because I don't have sst setup.

It was easier to do an example test of the lambda adapter - you can see in #5721

const handler = trpcLambda.awsLambdaRequestHandler({
  router,
  createContext,
  responseMeta() {
    // set cors
    return {
      headers: {
        'Access-Control-Allow-Origin': 'https://example.com',
      },
    };
  },
});

The exact result we return to the lambda is this:

expect(result).toMatchInlineSnapshot(`
  Object {
    "body": "{"result":{"data":{"text":"I've come to talk with you again"}}}",
    "headers": Object {
      "access-control-allow-origin": "https://example.com",
      "content-type": "application/json",
    },
    "statusCode": 200,
  }
`);

Do you see anything wrong? I doubt somehow that this is us doing something wrong.

Header keys are case insensitive per definition but maybe AWS requires proper casing somehow? Otherwise, I'm clueless.

@KATT KATT added 🙋‍♂️ help wanted Extra attention is needed ⏳ close if no activity Will be closed if no activity happens within a few weeks 👻 invalid Invalid bug report labels May 15, 2024
@arpadgabor

This issue was posted in the SST Discord as well, it's most likely a problem caused by SST Ion because it sets a default CORS configuration on AWS Lambda Function URLs. The most likely solution is to disable CORS in SST https://ion.sst.dev/docs/component/aws/function/#url.

@KATT
Member

KATT commented May 17, 2024

Hey there! 👋

We appreciate the time you've taken to write this issue.

Unfortunately, we don't have the capacity to assist here as this issue does not seem to be related to tRPC itself.

Please feel free to re-open if you do think this is a bug help or write in our help channel on Discord or in our GitHub Discussions.

@KATT KATT closed this as not planned Won't fix, can't repro, duplicate, stale May 17, 2024
@gnllucena
Author

This issue was posted in the SST Discord as well, it's most likely a problem caused by SST Ion because it sets a default CORS configuration on AWS Lambda Function URLs. The most likely solution is to disable CORS in SST https://ion.sst.dev/docs/component/aws/function/#url.

I can confirm the fix.

Thanks for the help @KATT @arpadgabor
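
The header combination behind the browser error quoted in this issue, as an added example that is not part of the thread and is not tRPC or SST code: it models a handler and a platform CORS layer each contributing `Access-Control-Allow-Origin`, then evaluates the result the way a browser's CORS check does. The function names, the sample headers and the rule that the platform layer appends its own value are assumptions made for illustration.

```javascript
// Constructed model, not tRPC or SST code. Headers are [name, value] pairs so the
// same header can appear once per layer, as it can on the wire.
const ACAO = "access-control-allow-origin";

// Assumption: a platform layer with CORS enabled appends its own allow-origin
// value to whatever the handler returned (this matches the error quoted above).
function layerResponse(handlerHeaders, platformAllowOrigin) {
  const wire = Object.entries(handlerHeaders);
  if (platformAllowOrigin !== null) {
    wire.push(["Access-Control-Allow-Origin", platformAllowOrigin]);
  }
  return wire;
}

// Evaluate the header the way a browser's CORS check does: header names are
// case-insensitive, repeated headers are combined with ", ", and the combined
// value must be "*" or exactly the requesting origin.
function checkAllowOrigin(wireHeaders, requestOrigin, withCredentials = false) {
  const values = wireHeaders
    .filter(([name]) => name.toLowerCase() === ACAO)
    .map(([, value]) => value.trim());
  const combined = values.join(", ");
  if (values.length === 0) return { ok: false, combined, reason: "missing" };
  if (combined.includes(",")) return { ok: false, combined, reason: "multiple values" };
  if (combined === "*") {
    return withCredentials
      ? { ok: false, combined, reason: "wildcard with credentials" }
      : { ok: true, combined, reason: "wildcard" };
  }
  return combined === requestOrigin
    ? { ok: true, combined, reason: "exact match" }
    : { ok: false, combined, reason: "origin mismatch" };
}

// Constructed sample values taken from the error message in the issue.
const origin = "http://localhost:5173";
const handlerHeaders = { "access-control-allow-origin": origin };

// Both layers answer: the combination reported in the issue.
const both = checkAllowOrigin(layerResponse(handlerHeaders, "*"), origin);
// Platform CORS disabled: only the handler's value reaches the browser.
const handlerOnly = checkAllowOrigin(layerResponse(handlerHeaders, null), origin);
// Handler sets nothing and the platform default answers alone.
const platformOnly = checkAllowOrigin(layerResponse({}, "*"), origin);

console.log({ both, handlerOnly, platformOnly });
```

Only one layer should own the CORS headers; running a check like this against a captured response shows which combination is being served.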


This issue has been locked because we are very unlikely to see comments on closed issues. If you are running into a similar issue, please create a new issue. Thank you.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 19, 2024