From d59babba9fb7581839cc6b0818cf35f78ef3a406 Mon Sep 17 00:00:00 2001
From: toimtoimtoim
Date: Tue, 7 Jan 2025 21:45:44 +0200
Subject: [PATCH] CORS: reject requests with 401 for non-preflight request with not matching origin header
---
 middleware/cors.go | 2 +-
 middleware/cors_test.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/middleware/cors.go b/middleware/cors.go
index a1f445321..c2f995cd2 100644
--- a/middleware/cors.go
+++ b/middleware/cors.go
@@ -262,7 +262,7 @@ func CORSWithConfig(config CORSConfig) echo.MiddlewareFunc {
 // Origin not allowed
 if allowOrigin == "" {
 if !preflight {
- return next(c)
+ return echo.ErrUnauthorized
 }
 return c.NoContent(http.StatusNoContent)
 }
diff --git a/middleware/cors_test.go b/middleware/cors_test.go
index 5461e9362..d77c194c5 100644
--- a/middleware/cors_test.go
+++ b/middleware/cors_test.go
@@ -525,7 +525,7 @@ func TestCorsHeaders(t *testing.T) {
 allowedOrigin: "http://example.com",
 method: http.MethodGet,
 expected: false,
- expectStatus: http.StatusOK,
+ expectStatus: http.StatusUnauthorized,
 },
 {
 name: "non-preflight request, allow specific origin, matching origin header = CORS logic done",
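Review bot: In middleware/cors.go the new `return echo.ErrUnauthorized` in the `!preflight` branch answers an origin mismatch with 401, which signals missing authentication and is expected to carry a `WWW-Authenticate` challenge; `return echo.ErrForbidden` describes an origin rejection more accurately. Browsers also send `Origin` on same-origin POST and other non-GET requests, so an application whose own origin is not in the allow list would presumably have those requests rejected now. The origin-matching code is outside the hunk, so this needs confirming and its own case in TestCorsHeaders. Because `Origin` is client-supplied and non-browser clients can omit or change it, a comment above the return such as `// Defense in depth only: Origin is client-supplied; this does not replace authentication or CSRF protection.` would keep the branch from being read as an access control. The body of CORSWithConfig starts and ends outside the hunk.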