From 405181998d9b46dce68f0ec8b14b2f6de6b10a03 Mon Sep 17 00:00:00 2001
From: Wolf <cblack@cblack.com>
Date: Tue, 28 Feb 2023 16:41:05 +0000
Subject: [PATCH] Fix Access-Control-Request-Headers parsing issue for AWS API
 Gateway

---
 cors.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/cors.go b/cors.go
index a47b7df..5669a67 100644
--- a/cors.go
+++ b/cors.go
@@ -305,7 +305,12 @@ func (c *Cors) handlePreflight(w http.ResponseWriter, r *http.Request) {
 		c.logf("  Preflight aborted: method '%s' not allowed", reqMethod)
 		return
 	}
-	reqHeaders := parseHeaderList(r.Header.Get("Access-Control-Request-Headers"))
+	// Amazon API Gateway is sometimes feeding multiple values for
+	// Access-Control-Request-Headers in a way where r.Header.Values() picks
+	// them all up, but r.Header.Get() does not.
+	// I suspect it is something like this: https://stackoverflow.com/a/4371395
+	reqHeaderList := strings.Join(r.Header.Values("Access-Control-Request-Headers"), ",")
+	reqHeaders := parseHeaderList(reqHeaderList)
 	if !c.areHeadersAllowed(reqHeaders) {
 		c.logf("  Preflight aborted: headers '%v' not allowed", reqHeaders)
 		return