The way that CORS delegation was implemented, the CorsHandler is sometimes called multiple times. For most requests this is fine (albeit inefficient). However, the vertx CorsHandlerImpl sends a response if handling an OPTIONS request instead of calling routingContext.next(). The result is that the first time the default handler is called, the request only has CHECK_DELEGATE_CORS set, and since the check has not yet happened, CORS is handled by OKAPI and the response is set, even in cases when delegateCORS=true.
Steps to Reproduce:
- Set a handler so that delegateCORS=true
- Register/Enable the module descriptor
- make a preflight request to that endpoint via the /_/invoke/tenant/<tid>/path API
- Observe via X-Okapi-Trace that the request was never proxied to the module, but rather CORS was handled by OKAPI.
The OPTIONS request is proxied to the module
OKAPI handles CORS