feat: use the cors module to handle cross-origin requests

We'll now rely on the standard cors module (https://github.com/expressjs/cors),
instead of the custom implementation that is error-prone and not
really user-friendly.

Breaking change: the handlePreflightRequest option is removed by the
change.

Before:

```
new Server({
  handlePreflightRequest: (req, res) => {
    res.writeHead(200, {
      "Access-Control-Allow-Origin": 'https://example.com',
      "Access-Control-Allow-Methods": 'GET',
      "Access-Control-Allow-Headers": 'Authorization',
      "Access-Control-Allow-Credentials": true
    });
    res.end();
  }
})
```

After:

```
new Server({
  cors: {
    origin: "https://example.com",
    methods: ["GET"],
    allowedHeaders: ["Authorization"],
    credentials: true
  }
})
```

Author: darrachequesne

README.md

@@ -249,6 +249,7 @@ to a single process.
         headers. This cookie might be used for sticky-session. Defaults to not sending any cookie (`false`).
         See [here](https://github.com/jshttp/cookie#options-1) for all supported options.
       - `wsEngine` (`String`): what WebSocket server implementation to use. Specified module must conform to the `ws` interface (see [ws module api docs](https://github.com/websockets/ws/blob/master/doc/ws.md)). Default value is `ws`. An alternative c++ addon is also available by installing `uws` module.
+      - `cors` (`Object`): the options that will be forwarded to the cors module. See [there](https://github.com/expressjs/cors#configuration-options) for all available options. Defaults to no CORS allowed.
       - `initialPacket` (`Object`): an optional packet which will be concatenated to the handshake packet emitted by Engine.IO.
 - `close`
     - Closes all clients
@@ -277,7 +278,6 @@ to a single process.
       - `path` (`String`): name of the path to capture (`/engine.io`).
       - `destroyUpgrade` (`Boolean`): destroy unhandled upgrade requests (`true`)
       - `destroyUpgradeTimeout` (`Number`): milliseconds after which unhandled requests are ended (`1000`)
-      - `handlePreflightRequest` (`Boolean|Function`): whether to let engine.io handle the OPTIONS requests. You can also pass a custom function to handle the requests (`true`)
 - `generateId`
     - Generate a socket id.
     - Overwrite this method to generate your custom socket id.

lib/server.js

@@ -34,7 +34,8 @@ class Server extends EventEmitter {
         },
         httpCompression: {
           threshold: 1024
-        }
+        },
+        cors: false
       },
       opts
     );
@@ -51,6 +52,10 @@ class Server extends EventEmitter {
       );
     }
 
+    if (this.opts.cors) {
+      this.corsMiddleware = require("cors")(this.opts.cors);
+    }
+
     this.init();
   }
 
@@ -183,20 +188,27 @@ class Server extends EventEmitter {
     this.prepare(req);
     req.res = res;
 
-    const self = this;
-    this.verify(req, false, function(err, success) {
+    const callback = (err, success) => {
       if (!success) {
         sendErrorMessage(req, res, err);
         return;
       }
 
       if (req._query.sid) {
         debug("setting new request for existing client");
-        self.clients[req._query.sid].transport.onRequest(req);
+        this.clients[req._query.sid].transport.onRequest(req);
       } else {
-        self.handshake(req._query.transport, req);
+        this.handshake(req._query.transport, req);
       }
-    });
+    };
+
+    if (this.corsMiddleware) {
+      this.corsMiddleware.call(null, req, res, () => {
+        this.verify(req, false, callback);
+      });
+    } else {
+      this.verify(req, false, callback);
+    }
   }
 
   /**
@@ -380,12 +392,6 @@ class Server extends EventEmitter {
     path += "/";
 
     function check(req) {
-      if (
-        "OPTIONS" === req.method &&
-        false === options.handlePreflightRequest
-      ) {
-        return false;
-      }
       return path === req.url.substr(0, path.length);
     }
 
@@ -399,14 +405,7 @@ class Server extends EventEmitter {
     server.on("request", function(req, res) {
       if (check(req)) {
         debug('intercepting request for path "%s"', path);
-        if (
-          "OPTIONS" === req.method &&
-          "function" === typeof options.handlePreflightRequest
-        ) {
-          options.handlePreflightRequest.call(server, req, res);
-        } else {
-          self.handleRequest(req, res);
-        }
+        self.handleRequest(req, res);
       } else {
         let i = 0;
         const l = listeners.length;

lib/transports/index.js

@@ -1,4 +1,4 @@
-const XHR = require("./polling-xhr");
+const XHR = require("./polling");
 const JSONP = require("./polling-jsonp");
 
 /**

lib/transports/polling-xhr.js

@@ -28,6 +28,7 @@
     "accepts": "~1.3.4",
     "base64id": "2.0.0",
     "cookie": "0.3.1",
+    "cors": "~2.8.5",
     "debug": "~4.1.0",
     "engine.io-parser": "git+https://github.com/socketio/engine.io-parser.git#v4",
     "ws": "^7.1.2"
@@ -57,7 +58,7 @@
   "files": [
     "lib/"
   ],
-  "engines" : {
-    "node" : ">=8.0.0"
+  "engines": {
+    "node": ">=8.0.0"
   }
 }