fix: allow methods check (#8968)

teemingc · web-flow · commit bef54f63d231 · 2023-02-09T11:18:36.000+01:00
fixes #8967
diff --git a/.changeset/dirty-days-fix.md b/.changeset/dirty-days-fix.md
@@ -0,0 +1,5 @@
+---
+'@sveltejs/kit': patch
+---
+
+fix: correctly include exported http methods in allow header
diff --git a/packages/kit/src/runtime/server/utils.js b/packages/kit/src/runtime/server/utils.js
@@ -41,7 +41,7 @@ export function method_not_allowed(mod, method) {
 export function allowed_methods(mod) {
 	const allowed = [];
 
-	for (const method in ['GET', 'POST', 'PUT', 'PATCH', 'DELETE']) {
+	for (const method of ['GET', 'POST', 'PUT', 'PATCH', 'DELETE']) {
 		if (method in mod) allowed.push(method);
 	}
 
diff --git a/packages/kit/test/apps/basics/test/server.test.js b/packages/kit/test/apps/basics/test/server.test.js
@@ -108,6 +108,13 @@ test.describe('Endpoints', () => {
 		});
 	});
 
+	test('invalid request method returns allow header', async ({ request }) => {
+		const response = await request.post('/endpoint-output/body');
+
+		expect(response.status()).toBe(405);
+		expect(response.headers()['allow'].includes('GET'));
+	});
+
 	// TODO all the remaining tests in this section are really only testing
 	// setResponse, since we're not otherwise changing anything on the response.
 	// might be worth making these unit tests instead

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'@sveltejs/kit': patch
 +---
++
 +fix: correctly include exported http methods in allow header
Original file line number	Diff line number	Diff line change
`@@ -41,7 +41,7 @@ export function method_not_allowed(mod, method) {`
`41`	`41`	`export function allowed_methods(mod) {`
`42`	`42`	`const allowed = [];`
`43`	`43`
`44`		`- for (const method in ['GET', 'POST', 'PUT', 'PATCH', 'DELETE']) {`
	`44`	`+ for (const method of ['GET', 'POST', 'PUT', 'PATCH', 'DELETE']) {`
`45`	`45`	`if (method in mod) allowed.push(method);`
`46`	`46`	`}`
`47`	`47`