From 5600cf2d6ed18c4fe87ac96661c3fab134461057 Mon Sep 17 00:00:00 2001
From: Matthew Wratt <matt.wratt@trineo.co.nz>
Date: Wed, 12 Apr 2017 11:52:02 +0200
Subject: [PATCH] Allow override of default options response

---
 cors_test.go        | 28 ++++++++++++++++++++++++++++
 docs/hooks.md       |  2 ++
 unrouted_handler.go |  6 +++---
 3 files changed, 33 insertions(+), 3 deletions(-)

diff --git a/cors_test.go b/cors_test.go
index 0dfb537..e7876e5 100644
--- a/cors_test.go
+++ b/cors_test.go
@@ -2,6 +2,7 @@ package tusd_test
 
 import (
 	"net/http"
+	"net/http/httptest"
 	"testing"
 
 	. "github.com/tus/tusd"
@@ -46,4 +47,31 @@ func TestCORS(t *testing.T) {
 			},
 		}).Run(handler, t)
 	})
+
+	SubTest(t, "AppendHeaders", func(t *testing.T, store *MockFullDataStore) {
+		handler, _ := NewHandler(Config{
+			DataStore: store,
+		})
+
+		req, _ := http.NewRequest("OPTIONS", "", nil)
+		req.Header.Set("Tus-Resumable", "1.0.0")
+		req.Header.Set("Origin", "tus.io")
+		req.Host = "tus.io"
+
+		res := httptest.NewRecorder()
+		res.HeaderMap.Set("Access-Control-Allow-Headers", "HEADER")
+		res.HeaderMap.Set("Access-Control-Allow-Methods", "METHOD")
+		handler.ServeHTTP(res, req)
+
+		headers := res.HeaderMap["Access-Control-Allow-Headers"]
+		methods := res.HeaderMap["Access-Control-Allow-Methods"]
+
+		if headers[0] != "HEADER" {
+			t.Errorf("expected header to contain HEADER but got: %#v", headers)
+		}
+
+		if methods[0] != "METHOD" {
+			t.Errorf("expected header to contain HEADER but got: %#v", methods)
+		}
+	})
 }
diff --git a/docs/hooks.md b/docs/hooks.md
index 55d6101..a76c960 100644
--- a/docs/hooks.md
+++ b/docs/hooks.md
@@ -50,6 +50,8 @@ The process of the hook files are provided with information about the event and
 }
 ```
 
+Be aware that this environment does *not* contain direct data from any HTTP request, in particular not any header values or cookies. If you would like to pass information from the client to the hook, such as authentication details, you may wish to use the [metadata system](http://tus.io/protocols/resumable-upload.html#upload-metadata).
+
 ## Blocking and Non-Blocking Hooks
 
 If not otherwise noted, all hooks are invoked in a *non-blocking* way, meaning that tusd will not wait until the hook process has finished and exited. Therefore, the hook process is not able to influence how tusd may continue handling the current request, regardless of which exit code it may set. Furthermore, the hook process' stdout and stderr will be piped to tusd's stdout and stderr correspondingly, allowing one to use these channels for additional logging.
diff --git a/unrouted_handler.go b/unrouted_handler.go
index 0e10248..0cd6c6a 100644
--- a/unrouted_handler.go
+++ b/unrouted_handler.go
@@ -157,13 +157,13 @@ func (handler *UnroutedHandler) Middleware(h http.Handler) http.Handler {
 
 			if r.Method == "OPTIONS" {
 				// Preflight request
-				header.Set("Access-Control-Allow-Methods", "POST, GET, HEAD, PATCH, DELETE, OPTIONS")
-				header.Set("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Upload-Length, Upload-Offset, Tus-Resumable, Upload-Metadata")
+				header.Add("Access-Control-Allow-Methods", "POST, GET, HEAD, PATCH, DELETE, OPTIONS")
+				header.Add("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Upload-Length, Upload-Offset, Tus-Resumable, Upload-Metadata")
 				header.Set("Access-Control-Max-Age", "86400")
 
 			} else {
 				// Actual request
-				header.Set("Access-Control-Expose-Headers", "Upload-Offset, Location, Upload-Length, Tus-Version, Tus-Resumable, Tus-Max-Size, Tus-Extension, Upload-Metadata")
+				header.Add("Access-Control-Expose-Headers", "Upload-Offset, Location, Upload-Length, Tus-Version, Tus-Resumable, Tus-Max-Size, Tus-Extension, Upload-Metadata")
 			}
 		}