Merge 9729323363 into 89fe24929e

packages/node_modules/@node-red/editor-api/lib/index.js

@@ -47,13 +47,26 @@ function init(settings,_server,storage,runtimeAPI) {
     if (settings.httpAdminRoot !== false) {
         adminApp = apiUtil.createExpressApp(settings);
 
-        var cors = require('cors');
-        var corsHandler = cors({
-           origin: "*",
-           methods: "GET,PUT,POST,DELETE"
+        const cors = require('cors');
+
+        //CORS fix for OPTIONS preflight
+        // Reads allowed methods from runtime settings, defaults to standard methods
+        const httpNodeCors = settings.httpNodeCors || {};
+        let allowedMethods = httpNodeCors.methods || "GET,PUT,POST,DELETE";
+
+        // Ensure PATCH is included in preflight response
+        if (!allowedMethods.includes("PATCH")) {
+            allowedMethods += ",PATCH";
+        }
+
+        // Apply CORS handler for admin API
+        const corsHandler = cors({
+            origin: httpNodeCors.origin || "*",
+            methods: allowedMethods
         });
         adminApp.use(corsHandler);
 
+
         if (settings.httpAdminMiddleware) {
             if (typeof settings.httpAdminMiddleware === "function" || Array.isArray(settings.httpAdminMiddleware)) {
                 adminApp.use(settings.httpAdminMiddleware);
@@ -92,10 +105,11 @@ function init(settings,_server,storage,runtimeAPI) {
         }
 
         if (settings.httpAdminCors) {
-            var corsHandler = cors(settings.httpAdminCors);
-            adminApp.use(corsHandler);
+            const extraCorsHandler = cors(settings.httpAdminCors);
+            adminApp.use(extraCorsHandler);  // avoids declaring CorsHandler twice
         }
 
+
         var adminApiApp = require("./admin").init(settings, runtimeAPI);
         adminApp.use(adminApiApp);
     } else {