From 9729323363c677509ddd1c0d444c7f8a1cb0e3bd Mon Sep 17 00:00:00 2001
From: blazinbanana <4808.2021@students.ku.ac.ke>
Date: Mon, 1 Dec 2025 12:48:58 +0300
Subject: [PATCH] Fix OPTIONS preflight to respect PATCH in httpNodeCors
---
 .../@node-red/editor-api/lib/index.js | 26 ++++++++++++++-----
 1 file changed, 20 insertions(+), 6 deletions(-)
diff --git a/packages/node_modules/@node-red/editor-api/lib/index.js b/packages/node_modules/@node-red/editor-api/lib/index.js
index 9264550b3..cf1fb15b7 100644
--- a/packages/node_modules/@node-red/editor-api/lib/index.js
+++ b/packages/node_modules/@node-red/editor-api/lib/index.js
@@ -47,13 +47,26 @@ function init(settings,_server,storage,runtimeAPI) {
 if (settings.httpAdminRoot !== false) {
 adminApp = apiUtil.createExpressApp(settings);
- var cors = require('cors');
- var corsHandler = cors({
- origin: "*",
- methods: "GET,PUT,POST,DELETE"
+ const cors = require('cors');
+
+ //CORS fix for OPTIONS preflight
+ // Reads allowed methods from runtime settings, defaults to standard methods
+ const httpNodeCors = settings.httpNodeCors || {};
+ let allowedMethods = httpNodeCors.methods || "GET,PUT,POST,DELETE";
+
+ // Ensure PATCH is included in preflight response
+ if (!allowedMethods.includes("PATCH")) {
+ allowedMethods += ",PATCH";
+ }
+
+ // Apply CORS handler for admin API
+ const corsHandler = cors({
+ origin: httpNodeCors.origin || "*",
+ methods: allowedMethods
 });
 adminApp.use(corsHandler);
+
 if (settings.httpAdminMiddleware) {
 if (typeof settings.httpAdminMiddleware === "function" || Array.isArray(settings.httpAdminMiddleware)) {
 adminApp.use(settings.httpAdminMiddleware);
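Review bot: The admin app's default CORS handler now takes `origin` and `methods` from `settings.httpNodeCors`, which by its name configures the HTTP-node endpoints, so a policy loosened for flow endpoints is silently applied to the editor/admin API too; the admin-side setting is `settings.httpAdminCors`, used in the second hunk. The `||` fallback also turns an explicit `origin: false` back into `"*"`; if the coupling is intended, `origin: httpNodeCors.origin ?? "*",` preserves a deliberate opt-out. PATCH is appended unconditionally, which overrides an operator's narrower `methods` list, and `includes`/`+=` assume a string although the cors package also accepts an array there. As far as I know cors answers OPTIONS itself unless `preflightContinue` is set, so this earlier handler, not the later `httpAdminCors` one, likely decides what a preflight sees and the widening cannot be narrowed from `httpAdminCors`. `init` starts and ends outside the hunk.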
@@ -92,10 +105,11 @@ function init(settings,_server,storage,runtimeAPI) {
 }
 if (settings.httpAdminCors) {
- var corsHandler = cors(settings.httpAdminCors);
- adminApp.use(corsHandler);
+ const extraCorsHandler = cors(settings.httpAdminCors);
+ adminApp.use(extraCorsHandler); // avoids declaring CorsHandler twice
 }
+
 var adminApiApp = require("./admin").init(settings, runtimeAPI);
 adminApp.use(adminApiApp);
 } else {