refactor: Normalize CORS errors (#24)

nzakas · web-flow · commit 2e08e65d4312 · 2025-01-28T19:26:58.000-05:00
diff --git a/src/cors.js b/src/cors.js
@@ -87,6 +87,28 @@ function isSimpleRangeHeader(range) {
 // Exports
 //-----------------------------------------------------------------------------
 
+/**
+ * Represents an error that occurs when a CORS request is blocked.
+ */
+export class CorsError extends Error {
+	
+	/**
+	 * The name of the error.
+	 * @type {string}
+	 */
+	name = "CorsError";
+	
+	/**
+	 * Creates a new instance.
+	 * @param {string} requestUrl The URL of the request.
+	 * @param {string} origin The origin of the client making the request.
+	 * @param {string} message The error message.
+	 */
+	constructor(requestUrl, origin, message) {
+		super(`Access to fetch at '${requestUrl}' from origin '${origin}' has been blocked by CORS policy: ${message}`);
+	}
+}
+
 /**
  * Asserts that the response has the correct CORS headers.
  * @param {Response} response The response to check.
@@ -98,14 +120,18 @@ export function assertCorsResponse(response, origin) {
 	const originHeader = response.headers.get(CORS_ALLOW_ORIGIN);
 
 	if (!originHeader) {
-		throw new Error(
-			`Access to fetch at '${response.url}' from origin '${origin}' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.`,
+		throw new CorsError(
+			response.url,
+			origin,
+			"Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource."
 		);
 	}
 
 	if (originHeader !== "*" && originHeader !== origin) {
-		throw new Error(
-			`Access to fetch at '${response.url}' from origin '${origin}' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header has a value '${originHeader}' that is not equal to the supplied origin.`,
+		throw new CorsError(
+			response.url,
+			origin,
+			`The 'Access-Control-Allow-Origin' header has a value '${originHeader}' that is not equal to the supplied origin.`,
 		);
 	}
 
@@ -234,29 +260,39 @@ export class CorsPreflightData {
 
 	/**
 	 * Validates a method against the preflight data.
-	 * @param {string} method The method to validate.
+	 * @param {Request} request The request with the method to validate.
+	 * @param {string} origin The origin of the request.
 	 * @returns {void}
 	 * @throws {Error} When the method is not allowed.
 	 */
-	#validateMethod(method) {
+	#validateMethod(request, origin) {
+		
+		const method = request.method.toUpperCase();
+		
 		if (
 			!this.allowAllMethods &&
 			!corsSafeMethods.has(method) &&
 			!this.allowedMethods.has(method)
 		) {
-			throw new Error(
-				`Request is blocked by CORS policy: Method ${method} is not allowed.`,
+			throw new CorsError(
+				request.url,
+				origin,
+				`Method ${method} is not allowed.`,
 			);
 		}
 	}
 
 	/**
 	 * Validates a set of headers against the preflight data.
-	 * @param {Headers} headers The headers to validate.
+	 * @param {Request} request The request with headers to validate.
+	 * @param {string} origin The origin of the request.
 	 * @returns {void}
 	 * @throws {Error} When the headers are not allowed.
 	 */
-	#validateHeaders(headers) {
+	#validateHeaders(request, origin) {
+		
+		const { headers } = request;
+		
 		for (const header of headers.keys()) {
 			// simple headers are always allowed
 			if (corsSafeHeaders.has(header)) {
@@ -268,14 +304,18 @@ export class CorsPreflightData {
 				header === "authorization" &&
 				!this.allowedHeaders.has(header)
 			) {
-				throw new Error(
-					`Request is blocked by CORS policy: Header ${header} is not allowed.`,
+				throw new CorsError(
+					request.url,
+					origin,
+					`Header ${header} is not allowed.`,
 				);
 			}
 
 			if (!this.allowAllHeaders && !this.allowedHeaders.has(header)) {
-				throw new Error(
-					`Request is blocked by CORS policy: Header ${header} is not allowed.`,
+				throw new CorsError(
+					request.url,
+					origin,
+					`Header ${header} is not allowed.`,
 				);
 			}
 		}
@@ -284,11 +324,12 @@ export class CorsPreflightData {
 	/**
 	 * Validates a request against the preflight data.
 	 * @param {Request} request The request to validate.
+	 * @param {string} origin The origin of the request.
 	 * @returns {void}
 	 * @throws {Error} When the request is not allowed.
 	 */
-	validate(request) {
-		this.#validateMethod(request.method);
-		this.#validateHeaders(request.headers);
+	validate(request, origin) {
+		this.#validateMethod(request, origin);
+		this.#validateHeaders(request, origin);
 	}
 }
diff --git a/src/fetch-mocker.js b/src/fetch-mocker.js
@@ -15,6 +15,7 @@ import {
 	CORS_REQUEST_METHOD,
 	CORS_REQUEST_HEADERS,
 	CORS_ORIGIN,
+	CorsError
 } from "./cors.js";
 
 //-----------------------------------------------------------------------------
@@ -205,7 +206,7 @@ export class FetchMocker {
 					// if it's not a simple request then we'll need a preflight check
 					if (!isCorsSimpleRequest(request)) {
 						preflightData = await this.#preflightFetch(request);
-						preflightData.validate(request);
+						preflightData.validate(request, this.#baseUrl.origin);
 					}
 
 					// add the origin header to the request
@@ -315,9 +316,7 @@ export class FetchMocker {
 
 		// if the preflight response is successful, then we can make the actual request
 		if (!preflightResponse.ok) {
-			throw new Error(
-				`Request to ${preflightRequest.url} from ${this.#baseUrl.origin} is blocked by CORS policy:  Response to preflight request doesn't pass access control check: It does not have HTTP ok status.`,
-			);
+			throw new CorsError(preflightRequest.url, this.#baseUrl.origin, "Response to preflight request doesn't pass access control check: It does not have HTTP ok status.");
 		}
 
 		assertCorsResponse(preflightResponse, this.#baseUrl.origin);
diff --git a/tests/fetch-mocker.test.js b/tests/fetch-mocker.test.js
@@ -74,7 +74,7 @@ Partial matches:
   ❌ Headers do not match. Expected authorization=Bearer ABC but received authorization=Bearer XYZ.`.trim();
 
 const PREFLIGHT_FAILED = `
-Request to https://api.example.com/hello from https://api.example.org is blocked by CORS policy:  Response to preflight request doesn't pass access control check: It does not have HTTP ok status.
+Access to fetch at 'https://api.example.com/hello' from origin 'https://api.example.org' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.
 `.trim();
 
 //-----------------------------------------------------------------------------
@@ -455,7 +455,7 @@ describe("FetchMocker", () => {
 				server.get("/hello", 200);
 
 				await assert.rejects(fetchMocker.fetch(url), {
-					name: "Error",
+					name: "CorsError",
 					message: `Access to fetch at '${url.href}' from origin '${origin}' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.`,
 				});
 			});
@@ -472,13 +472,12 @@ describe("FetchMocker", () => {
 				server.get("/hello", {
 					status: 200,
 					headers: {
-						"Access-Control-Allow-Origin":
-							"https://api.example.com",
+						"Access-Control-Allow-Origin": "https://api.example.com",
 					},
 				});
 
 				await assert.rejects(fetchMocker.fetch(url), {
-					name: "Error",
+					name: "CorsError",
 					message: `Access to fetch at '${url.href}' from origin '${origin}' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header has a value 'https://api.example.com' that is not equal to the supplied origin.`,
 				});
 			});
@@ -891,7 +890,7 @@ describe("FetchMocker", () => {
 					await assert.rejects(
 						fetchMocker.fetch(url, { headers: { Custom: "Foo" } }),
 						{
-							name: "Error",
+							name: "CorsError",
 							message: `Access to fetch at '${url.href}' from origin '${origin}' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.`,
 						},
 					);
@@ -919,7 +918,7 @@ describe("FetchMocker", () => {
 					await assert.rejects(
 						fetchMocker.fetch(url, { headers: { Custom: "Foo" } }),
 						{
-							name: "Error",
+							name: "CorsError",
 							message: `Access to fetch at '${url.href}' from origin '${origin}' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header has a value 'https://api.example.com' that is not equal to the supplied origin.`,
 						},
 					);
