@tus/server: allow passing custom headers

packages/server/README.md

@@ -68,6 +68,10 @@ Return a relative URL as the `Location` header to the client (`boolean`).
 
 Allow `Forwarded`, `X-Forwarded-Proto`, and `X-Forwarded-Host` headers to override the `Location` header returned by the server (`boolean`).
 
+#### `options.allowedHeaders`
+
+Additional headers sent in `Access-Control-Allow-Headers` (`string[]`).
+
 #### `options.namingFunction`
 
 Control how you want to name files (`(req) => string`)

packages/server/src/handlers/OptionsHandler.ts

@@ -1,14 +1,16 @@
 import {BaseHandler} from './BaseHandler'
-import {ALLOWED_METHODS, ALLOWED_HEADERS, MAX_AGE} from '../constants'
+import {ALLOWED_METHODS, MAX_AGE, HEADERS} from '../constants'
 
 import type http from 'node:http'
 
 // A successful response indicated by the 204 No Content status MUST contain
 // the Tus-Version header. It MAY include the Tus-Extension and Tus-Max-Size headers.
 export class OptionsHandler extends BaseHandler {
   async send(_: http.IncomingMessage, res: http.ServerResponse) {
+    const allowedHeaders = [...HEADERS, ...(this.options.allowedHeaders ?? [])]
+
     res.setHeader('Access-Control-Allow-Methods', ALLOWED_METHODS)
-    res.setHeader('Access-Control-Allow-Headers', ALLOWED_HEADERS)
+    res.setHeader('Access-Control-Allow-Headers', allowedHeaders.join(', '))
     res.setHeader('Access-Control-Max-Age', MAX_AGE)
     if (this.store.extensions.length > 0) {
       res.setHeader('Tus-Extension', this.store.extensions.join(','))

packages/server/src/types.ts

@@ -10,6 +10,8 @@ export type ServerOptions = {
   // Allow `Forwarded`, `X-Forwarded-Proto`, and `X-Forwarded-Host` headers
   // to override the `Location` header returned by the server.
   respectForwardedHeaders?: boolean
+  // adds custom headers sent in `Access-Control-Allow-Headers`.
+  allowedHeaders?: string[]
   // Control how you want to name files.
   // It is important to make these unique to prevent data loss. Only use it if you really need to.
   // Default uses `crypto.randomBytes(16).toString('hex')`.

packages/server/test/Server.test.ts

@@ -145,6 +145,19 @@ describe('Server', () => {
         })
     })
 
+    it('OPTIONS should return returns custom headers in Access-Control-Allow-Headers', (done) => {
+      server.options.allowedHeaders = ['Custom-Header']
+
+      request(listener)
+        .options('/')
+        .expect(204, '', (err, res) => {
+          res.headers.should.have.property('access-control-allow-headers')
+          res.headers['access-control-allow-headers'].should.containEql('Custom-Header')
+          server.options.allowedHeaders = []
+          done(err)
+        })
+    })
+
     it('HEAD should 404 non files', (done) => {
       request(listener)
         .head('/')