fix expose all headers (#273)

* fix expose all headers

* update changelog

actix-cors/CHANGES.md

@@ -1,8 +1,11 @@
 # Changes
 
 ## Unreleased - 2022-xx-xx
+- Fix `expose_any_header` to return list of response headers. [#273]
 - Minimum supported Rust version (MSRV) is now 1.57 due to transitive `time` dependency.
 
+[#273]: https://github.com/actix/actix-extras/pull/273
+
 
 ## 0.6.1 - 2022-03-07
 - Do not consider requests without a `Access-Control-Request-Method` as preflight. [#226]

actix-cors/src/builder.rs

@@ -315,7 +315,7 @@ impl Cors {
         self
     }
 
-    /// Resets exposed response header list to a state where any header is accepted.
+    /// Resets exposed response header list to a state where all headers are exposed.
     ///
     /// See [`Cors::expose_headers`] for more info on exposed response headers.
     pub fn expose_any_header(mut self) -> Cors {

actix-cors/src/middleware.rs

@@ -121,10 +121,9 @@ impl<S> CorsMiddleware<S> {
                 .insert(header::ACCESS_CONTROL_EXPOSE_HEADERS, expose.clone());
         } else if matches!(inner.expose_headers, AllOrSome::All) {
             // intersperse_header_values requires that argument is non-empty
-            if !res.request().headers().is_empty() {
+            if !res.headers().is_empty() {
                 // extract header names from request
                 let expose_all_request_headers = res
-                    .request()
                     .headers()
                     .keys()
                     .into_iter()

actix-cors/tests/tests.rs

@@ -501,7 +501,15 @@ async fn test_allow_any_origin_any_method_any_header() {
 #[actix_web::test]
 async fn expose_all_request_header_values() {
     let cors = Cors::permissive()
-        .new_transform(test::ok_service())
+        .new_transform(fn_service(|req: ServiceRequest| async move {
+            let res = req.into_response(
+                HttpResponse::Ok()
+                    .insert_header((header::CONTENT_DISPOSITION, "test disposition"))
+                    .finish(),
+            );
+
+            Ok(res)
+        }))
         .await
         .unwrap();
 
@@ -509,20 +517,17 @@ async fn expose_all_request_header_values() {
         .insert_header((header::ORIGIN, "https://www.example.com"))
         .insert_header((header::ACCESS_CONTROL_REQUEST_METHOD, "POST"))
         .insert_header((header::ACCESS_CONTROL_REQUEST_HEADERS, "content-type"))
-        .insert_header(("X-XSRF-TOKEN", "xsrf-token"))
         .to_srv_request();
 
-    let resp = test::call_service(&cors, req).await;
+    let res = test::call_service(&cors, req).await;
 
-    assert!(resp
+    let cd_hdr = res
-        .headers()
-        .contains_key(header::ACCESS_CONTROL_EXPOSE_HEADERS));
-
-    assert!(resp
         .headers()
         .get(header::ACCESS_CONTROL_EXPOSE_HEADERS)
         .unwrap()
         .to_str()
-        .unwrap()
+        .unwrap();
-        .contains("xsrf-token"));
+
+    assert!(cd_hdr.contains("content-disposition"));
+    assert!(cd_hdr.contains("access-control-allow-origin"));
 }

actix-limitation/CHANGES.md

@@ -2,7 +2,7 @@
 
 ## Unreleased - 2022-xx-xx
 - Implement `Default` for `RateLimiter`.
-- `RateLimiter` can no longer be constructed without `::default()`.
+- `RateLimiter` is marked `#[non_exhaustive]`; use `RateLimiter::default()` instead.
 
 ## 0.3.0 - 2022-07-11
 - `Limiter::builder` now takes an `impl Into<String>`.