CLDSRV-881: fix missing CORS headers on 403 responses

[tcarmet]

When a bucket has CORS configured, cloudserver was omitting Access-Control-* headers from 403 responses. Browsers treat such responses as opaque and block the error from the web app, even though AWS S3 returns CORS headers on error responses when a matching rule exists.

The existing collectCorsHeaders helper only runs inside an API handler, after bucket metadata has been loaded. Auth failures from Vault return before any handler runs, so the route-level error response path sent no CORS headers.

The fix wraps callApiMethod's callback: on error, when the request has an Origin header and a known bucket, it fetches the bucket's CORS config and sets the matching Access-Control-* headers directly on the HTTP response before propagating the error. The extra metadata lookup only happens on failed requests with an Origin header - no cost for non-CORS traffic or successful requests.

Fixes: CLDSRV-881

[bert-e]

Hello tcarmet,

My role is to assist you with the merge of this
pull request. Please type @bert-e help to get information
on this process, or consult the user documentation.

Available options

name	description	privileged	authored
/after_pull_request	Wait for the given pull request id to be merged before continuing with the current one.
/bypass_author_approval	Bypass the pull request author's approval	⭐
/bypass_build_status	Bypass the build and test status	⭐
/bypass_commit_size	Bypass the check on the size of the changeset TBA	⭐
/bypass_incompatible_branch	Bypass the check on the source branch prefix	⭐
/bypass_jira_check	Bypass the Jira issue check	⭐
/bypass_peer_approval	Bypass the pull request peers' approval	⭐
/bypass_leader_approval	Bypass the pull request leaders' approval	⭐
/approve	Instruct Bert-E that the author has approved the pull request.		✍️
/create_pull_requests	Allow the creation of integration pull requests.
/create_integration_branches	Allow the creation of integration branches.
/no_octopus	Prevent Wall-E from doing any octopus merge and use multiple consecutive merge instead
/unanimity	Change review acceptance criteria from one reviewer at least to all reviewers
/wait	Instruct Bert-E not to run until further notice.

Available commands

name	description	privileged
/help	Print Bert-E's manual in the pull request.
/status	Print Bert-E's current status in the pull request TBA
/clear	Remove all comments from Bert-E from the history TBA
/retry	Re-start a fresh build TBA
/build	Re-start a fresh build TBA
/force_reset	Delete integration branches & pull requests, and restart merge process from the beginning.
/reset	Try to remove integration branches unless there are commits on them which do not appear on the source branch.

Status report is not available.

[bert-e]

Incorrect fix version

The Fix Version/s in issue CLDSRV-881 contains:

• None

Considering where you are trying to merge, I ignored possible hotfix versions and I expected to find:

• 9.2.33

• 9.3.6

• 9.4.0

Please check the Fix Version/s of CLDSRV-881, or the target
branch of this pull request.

[claude]

LGTM

The fix is correct: standardMetadataValidateBucketAndObj intentionally returns bucket on error (line 427 of metadataUtils.js: "still return bucket for cors headers"), but updateEncryption was dropping it by calling cb(err) without forwarding the bucket. This caused collectCorsHeaders to receive undefined and return empty headers on 403 responses. The tests cover the right cases (specific origin, wildcard, and no-origin).

Review by Claude Code

[codecov]

Codecov Report

❌ Patch coverage is 94.87179% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 84.36%. Comparing base (c1d3d6a) to head (3b23679).
⚠️ Report is 2 commits behind head on development/9.2.
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
lib/api/api.js	93.75%	2 Missing ⚠️

Additional details and impacted files

Files with missing lines	Coverage Δ
lib/api/bucketGetCors.js	100.00% <100.00%> (+3.57%)	⬆️
lib/api/bucketGetLocation.js	100.00% <100.00%> (+4.00%)	⬆️
lib/api/bucketGetWebsite.js	100.00% <100.00%> (+3.57%)	⬆️
lib/metadata/metadataUtils.js	90.76% <100.00%> (+0.20%)	⬆️
lib/utilities/collectCorsHeaders.js	100.00% <ø> (ø)
lib/api/api.js	90.57% <93.75%> (+0.41%)	⬆️

... and 1 file with indirect coverage changes

@@                 Coverage Diff                 @@
##           development/9.2    #6126      +/-   ##
===================================================
+ Coverage            84.29%   84.36%   +0.06%     
===================================================
  Files                  204      204              
  Lines                13151    13181      +30     
===================================================
+ Hits                 11086    11120      +34     
+ Misses                2065     2061       -4     

Flag	Coverage Δ
file-ft-tests	67.86% <94.87%> (+0.17%)	⬆️
kmip-ft-tests	28.24% <20.51%> (-0.01%)	⬇️
mongo-v0-ft-tests	69.07% <94.87%> (+0.16%)	⬆️
mongo-v1-ft-tests	69.11% <94.87%> (+0.20%)	⬆️
multiple-backend	35.30% <25.64%> (-0.01%)	⬇️
sur-tests	36.56% <25.64%> (+0.79%)	⬆️
sur-tests-inflights	37.60% <25.64%> (-0.05%)	⬇️
unit	70.21% <84.61%> (+0.24%)	⬆️
utapi-v2-tests	34.54% <25.64%> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[bert-e]

Incorrect fix version

The Fix Version/s in issue CLDSRV-881 contains:

• None

Considering where you are trying to merge, I ignored possible hotfix versions and I expected to find:

• 9.2.36

• 9.3.7

• 9.4.0

Please check the Fix Version/s of CLDSRV-881, or the target
branch of this pull request.

[claude]

LGTM

The one-line fix in updateEncryption correctly passes bucket through the error path, matching the documented callback signature (err, bucket, objMD). All 5 callers already destructure (err, bucket, ...) and will benefit from receiving the bucket reference on errors, enabling collectCorsHeaders to return proper CORS headers on 403 responses. Tests cover specific origin, wildcard, and no-origin scenarios.

Review by Claude Code

[claude]

LGTM

The fix is minimal and correct: passing bucket in the error callback at updateEncryption.js:111 ensures all five callers (objectGet, objectHead, objectPut, objectCopy, initiateMultipartUpload) can compute CORS headers on error responses. Without it, collectCorsHeaders(origin, method, undefined) returned {}, stripping CORS headers from error responses like 403. Tests cover the key scenarios for objectGet (specific origin, wildcard, no origin) and objectHead.

Review by Claude Code

[bert-e]

Incorrect fix version

The Fix Version/s in issue CLDSRV-881 contains:

• None

Considering where you are trying to merge, I ignored possible hotfix versions and I expected to find:

• 9.2.37

• 9.3.7

• 9.4.0

Please check the Fix Version/s of CLDSRV-881, or the target
branch of this pull request.

[claude]

LGTM — the callback-wrapping approach in api.js is clean: it only pays the extra metadata lookup on error+Origin, guards headersSent, and correctly short-circuits on success. Two minor test quality notes posted inline.

- tests/unit/api/corsErrorHeaders.js:238 — require() calls inside describe block should be at file top
- Move the two require statements to join the imports at lines 1-13
- tests/unit/api/corsErrorHeaders.js:199 — stale comment describes default CorsConfigTester rules, not the custom config from setupBucketWithCors
- Update to reflect that rule 0 was overridden and rule 1 (GET from *) still exists

Review by Claude Code

[dvasilas]

Are there any cases in which api handlers pass corsHeaders to the callback on error (when they have already done the bucket lookup), and we can use them to avoid the getBucket ?

[tcarmet]

There are, good catch. The only annoying part is that the parameter placement in which they can be returned is a bit inconsistent but I've added a a little helper to help us identify the cases where there can be one. Also added a extra testcase for it.

[tcarmet]

Also your suggestion found a couple of pre-existing bug on bucketGetCors and bucketGetWebsite so nice 👌

[bert-e]

Incorrect fix version

The Fix Version/s in issue CLDSRV-881 contains:

• None

Considering where you are trying to merge, I ignored possible hotfix versions and I expected to find:

• 9.2.38

• 9.3.7

• 9.4.0

Please check the Fix Version/s of CLDSRV-881, or the target
branch of this pull request.

[claude]

Clean, well-structured fix. The wrapper approach correctly limits the extra metadata lookup to error + Origin scenarios, and the fast-path check via hasCorsHeaders avoids redundant lookups when handlers already computed CORS headers.

- Stale comment in collectCorsHeaders.js (lines 12-20) now contradicts the new behavior and should be updated
- It says the server opts not to return CORS headers for pre-handler errors, which is exactly what this PR fixes

Review by Claude Code

[claude]

LGTM — clean approach wrapping the callback at the callApiMethod boundary to inject CORS headers on pre-handler errors without touching individual API handlers.

One minor nit:
- tests/unit/api/corsErrorHeaders.js:120 — arrow function captures wrong this in newRequestLoggerFromSerializedUids (see inline comment)

Review by Claude Code

[claude]

LGTM

Review by Claude Code

[claude]

LGTM

The approach is sound: wrapping callApiMethod's callback intercepts pre-handler errors (auth failures, header-size checks) exactly where CORS headers were missing, without touching each individual route or handler. The hasCorsHeaders scan prevents redundant metadata lookups when the handler already computed CORS headers. The bucketGetCors / bucketGetWebsite changes fix a pre-existing bug where corsHeaders was passed at the wrong callback position ((err, corsHeaders) vs the success-path (null, xml, corsHeaders)). Unit and functional tests cover both the fallback path and the fast path, including negative cases (no origin, non-matching origin).

Review by Claude Code

[dvasilas]

The same issue seems to exist here:

cloudserver/lib/api/bucketGetLocation.js

Line 33 in bb5ca88

return callback(err, corsHeaders);

[tcarmet]

good catch, thanks. There are other calls where corsHeaders is in the same position but on those cases the routing is correct. I think this should be the last one in the wrong position.

[dvasilas]

If the handler computes corsHeaders and gets back {} (bucket has no CORS config), and then calls callback(err, null, {}), the wrapper will still do metadata.getBucket, right? (but it does not need to, I think).

Not sure if it's a good idea, but we could cache the bucket in request (something like request._loadedBucket) and first check there before metadata.getBucket

[tcarmet]

Was able to confirm this with a extra test, indeed there would be 2 metadata call in this case.

So yeah we could consider {} as there's no header, and skip the bucket call in this case, it seems to be implicitly true, or we cache the bucket as you stated.

I'm debating between both right now, I pushed a code with the bucket cache on request. seems like the safest option between the two. Let me know what you think.

[claude]

LGTM

The approach is sound: wrapping the callApiMethod callback to inject CORS headers on pre-handler failures (auth denials, header-size checks) fills the gap where the existing collectCorsHeaders call inside handlers never runs. The three-tier fallback (handler-provided headers → cached bucket → metadata lookup) avoids redundant work on the common path while still covering the edge cases.

The callback signature fix in bucketGetCors, bucketGetLocation, and bucketGetWebsite is correct — previously on error these passed corsHeaders as the second arg, but routeGET destructures as (err, xml, corsHeaders), so the headers were landing in the xml position.

Review by Claude Code