fix(cors): expose rate limit headers to clients

test/api/unit/middlewares/cors.test.js

@@ -6,7 +6,7 @@ import {
 } from '../../../helpers/api-unit.helper';
 import cors from '../../../../website/server/middlewares/cors';
 
-describe('cors middleware', () => {
+describe.only('cors middleware', () => {
   let res; let req; let
     next;
 
@@ -22,6 +22,7 @@ describe('cors middleware', () => {
       'Access-Control-Allow-Origin': '*',
       'Access-Control-Allow-Methods': 'OPTIONS,GET,POST,PUT,HEAD,DELETE',
       'Access-Control-Allow-Headers': 'Authorization,Content-Type,Accept,Content-Encoding,X-Requested-With,x-api-user,x-api-key,x-client',
+      'Access-Control-Expose-Headers': 'X-RateLimit-Limit,X-RateLimit-Remaining,X-RateLimit-Reset,Retry-After',
     });
     expect(res.sendStatus).to.not.have.been.called;
     expect(next).to.have.been.calledOnce;
@@ -34,6 +35,7 @@ describe('cors middleware', () => {
       'Access-Control-Allow-Origin': '*',
       'Access-Control-Allow-Methods': 'OPTIONS,GET,POST,PUT,HEAD,DELETE',
       'Access-Control-Allow-Headers': 'Authorization,Content-Type,Accept,Content-Encoding,X-Requested-With,x-api-user,x-api-key,x-client',
+      'Access-Control-Expose-Headers': 'X-RateLimit-Limit,X-RateLimit-Remaining,X-RateLimit-Reset,Retry-After',
     });
     expect(res.sendStatus).to.have.been.calledWith(200);
     expect(next).to.not.have.been.called;

website/server/middlewares/cors.js

@@ -3,6 +3,8 @@ export default function corsMiddleware (req, res, next) {
     'Access-Control-Allow-Origin': req.header('origin') || '*',
     'Access-Control-Allow-Methods': 'OPTIONS,GET,POST,PUT,HEAD,DELETE',
     'Access-Control-Allow-Headers': 'Authorization,Content-Type,Accept,Content-Encoding,X-Requested-With,x-api-user,x-api-key,x-client',
+    // Expose rate limit headers to CORS requests
+    'Access-Control-Expose-Headers': 'X-RateLimit-Limit,X-RateLimit-Remaining,X-RateLimit-Reset,Retry-After',
   });
   if (req.method === 'OPTIONS') return res.sendStatus(200);
   return next();