fix: set everything in the before filter for CORS

system/Filters/Cors.php

@@ -58,22 +58,24 @@ public function before(RequestInterface $request, $arguments = null)
 
         $this->createCorsService($arguments);
 
-        if (! $this->cors->isPreflightRequest($request)) {
-            return null;
-        }
-
         /** @var ResponseInterface $response */
         $response = service('response');
 
-        $response = $this->cors->handlePreflightRequest($request, $response);
+        if ($request->is('OPTIONS')) {
+            // Always adds `Vary: Access-Control-Request-Method` header for cacheability.
+            // If there is an intermediate cache server such as a CDN, if a plain
+            // OPTIONS request is sent, it may be cached. But valid preflight requests
+            // have this header, so it will be cached separately.
+            $response->appendHeader('Vary', 'Access-Control-Request-Method');
+        }
+
+        if ($this->cors->isPreflightRequest($request)) {
+            return $this->cors->handlePreflightRequest($request, $response);
+        }
 
-        // Always adds `Vary: Access-Control-Request-Method` header for cacheability.
-        // If there is an intermediate cache server such as a CDN, if a plain
-        // OPTIONS request is sent, it may be cached. But valid preflight requests
-        // have this header, so it will be cached separately.
-        $response->appendHeader('Vary', 'Access-Control-Request-Method');
+        $this->cors->addResponseHeaders($request, $response);
 
-        return $response;
+        return null;
     }
 
     /**
@@ -87,25 +89,9 @@ private function createCorsService(?array $arguments): void
 
     /**
      * @param list<string>|null $arguments
-     *
-     * @return ResponseInterface|null
      */
     public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
     {
-        if (! $request instanceof IncomingRequest) {
-            return null;
-        }
-
-        $this->createCorsService($arguments);
-
-        // Always adds `Vary: Access-Control-Request-Method` header for cacheability.
-        // If there is an intermediate cache server such as a CDN, if a plain
-        // OPTIONS request is sent, it may be cached. But valid preflight requests
-        // have this header, so it will be cached separately.
-        if ($request->is('OPTIONS')) {
-            $response->appendHeader('Vary', 'Access-Control-Request-Method');
-        }
-
-        return $this->cors->addResponseHeaders($request, $response);
+        return null;
     }
 }

user_guide_src/source/changelogs/v4.6.1.rst

@@ -22,6 +22,8 @@ Message Changes
 Changes
 *******
 
+- **Cors:** From now on only the ``before`` filter is used. You can remove all the ``after`` filter occurrences from your configuration for CORS.
+
 ************
 Deprecations
 ************
@@ -31,6 +33,7 @@ Bugs Fixed
 **********
 
 - **CURLRequest:** Fixed an issue where multiple header sections appeared in the CURL response body during multiple redirects from the target server.
+- **Cors:** Fixed a bug in the Cors filter that caused the appropriate headers to not be added when another filter returned a response object. From now on all CORS headers are added in the ``before`` filter and the ``after`` filter is no longer used.
 
 See the repo's
 `CHANGELOG.md <https://github.com/codeigniter4/CodeIgniter4/blob/develop/CHANGELOG.md>`_

user_guide_src/source/libraries/cors/002.php

@@ -13,7 +13,6 @@ class Filters extends BaseFilters
         // ...
         'cors' => [
             'before' => ['api/*'],
-            'after'  => ['api/*'],
         ],
     ];
 }