测试分支-部署-预检响应中缺少server请求头

app/process/Http.php

@@ -3,12 +3,12 @@
 namespace app\process;
 
 use Webman\App;
-use Webman\Http\Response;
 
 class Http extends App
 {
     /**
      * 在父类处理前拦截 OPTIONS 预检，直接返回 CORS 头（避免预检未命中路由时无 CORS）
+     * 必须与 AllowCrossDomain::optionsResponse 一致，否则会覆盖中间件里对 Allow-Headers（如 server）的配置
      */
     public function onMessage($connection, $request): void
     {
@@ -18,19 +18,8 @@ class Http extends App
             $path = is_string($path) ? trim($path, '/') : '';
             $isApiOrAdmin = $path !== '' && (str_starts_with($path, 'api') || str_starts_with($path, 'admin'));
             if ($isApiOrAdmin) {
-                $origin = $request->header('origin');
-                $origin = is_array($origin) ? ($origin[0] ?? '') : (is_string($origin) ? trim($origin) : '');
-                if ($origin === '') {
-                    $origin = '*';
-                }
-                $headers = [
-                    'Access-Control-Allow-Origin'      => $origin,
-                    'Access-Control-Allow-Credentials' => 'true',
-                    'Access-Control-Max-Age'           => '1800',
-                    'Access-Control-Allow-Methods'      => 'GET, POST, PUT, DELETE, PATCH, OPTIONS',
-                    'Access-Control-Allow-Headers'      => 'Content-Type, Authorization, batoken, ba-user-token, think-lang',
-                ];
-                $connection->send(new Response(204, $headers, ''));
+                $response = \app\common\middleware\AllowCrossDomain::optionsResponse($request);
+                $connection->send($response);
                 return;
             }
         }