Auto-commit 2026-04-29 16:31

2026-04-29 16:31:27 -04:00
parent e8687bb6b2
commit 0495ee5bd2
19691 changed files with 3272886 additions and 138 deletions
--- a/node_modules/@fastify/cors/test/cors.test.js
+++ b/node_modules/@fastify/cors/test/cors.test.js
--- a/node_modules/@fastify/cors/test/hooks.test.js
+++ b/node_modules/@fastify/cors/test/hooks.test.js
@@ -0,0 +1,787 @@
+'use strict'
+
+const { test } = require('node:test')
+const Fastify = require('fastify')
+const kFastifyContext = require('fastify/lib/symbols').kRouteContext
+const cors = require('..')
+const { setTimeout: sleep } = require('node:timers/promises')
+
+test('Should error on invalid hook option', async (t) => {
+  t.plan(3)
+
+  const fastify = Fastify()
+  await t.assert.rejects(
+    async () => fastify.register(cors, { hook: 'invalid' }),
+    (err) => {
+      t.assert.strictEqual(err.name, 'TypeError')
+      t.assert.strictEqual(err.message, '@fastify/cors: Invalid hook option provided.')
+      return true
+    }
+  )
+})
+
+test('Should set hook onRequest if hook option is not set', async (t) => {
+  t.plan(10)
+
+  const fastify = Fastify()
+
+  fastify.register(cors)
+
+  fastify.addHook('onResponse', (request, _reply, done) => {
+    t.assert.strictEqual(request[kFastifyContext].onError, null)
+    t.assert.strictEqual(request[kFastifyContext].onRequest.length, 1)
+    t.assert.strictEqual(request[kFastifyContext].onSend, null)
+    t.assert.strictEqual(request[kFastifyContext].preHandler, null)
+    t.assert.strictEqual(request[kFastifyContext].preParsing, null)
+    t.assert.strictEqual(request[kFastifyContext].preSerialization, null)
+    t.assert.strictEqual(request[kFastifyContext].preValidation, null)
+    done()
+  })
+
+  fastify.get('/', (_req, reply) => {
+    reply.send('ok')
+  })
+
+  await fastify.ready()
+
+  const res = await fastify.inject({
+    method: 'GET',
+    url: '/'
+  })
+  delete res.headers.date
+  t.assert.strictEqual(res.statusCode, 200)
+  t.assert.strictEqual(res.payload, 'ok')
+  const actualHeader = {
+    'access-control-allow-origin': res.headers['access-control-allow-origin']
+  }
+  t.assert.deepStrictEqual(actualHeader, {
+    'access-control-allow-origin': '*'
+  })
+})
+
+test('Should set hook onRequest if hook option is set to onRequest', async (t) => {
+  t.plan(10)
+
+  const fastify = Fastify()
+
+  fastify.register(cors, {
+    hook: 'onRequest'
+  })
+
+  fastify.addHook('onResponse', (request, _reply, done) => {
+    t.assert.strictEqual(request[kFastifyContext].onError, null)
+    t.assert.strictEqual(request[kFastifyContext].onRequest.length, 1)
+    t.assert.strictEqual(request[kFastifyContext].onSend, null)
+    t.assert.strictEqual(request[kFastifyContext].preHandler, null)
+    t.assert.strictEqual(request[kFastifyContext].preParsing, null)
+    t.assert.strictEqual(request[kFastifyContext].preSerialization, null)
+    t.assert.strictEqual(request[kFastifyContext].preValidation, null)
+    done()
+  })
+
+  fastify.get('/', (_req, reply) => {
+    reply.send('ok')
+  })
+
+  await fastify.ready()
+
+  const res = await fastify.inject({
+    method: 'GET',
+    url: '/'
+  })
+  delete res.headers.date
+  t.assert.strictEqual(res.statusCode, 200)
+  t.assert.strictEqual(res.payload, 'ok')
+  const actualHeader = {
+    'access-control-allow-origin': res.headers['access-control-allow-origin']
+  }
+  t.assert.deepStrictEqual(actualHeader, {
+    'access-control-allow-origin': '*'
+  })
+})
+
+test('Should set hook preParsing if hook option is set to preParsing', async (t) => {
+  t.plan(11)
+
+  const fastify = Fastify()
+
+  fastify.register(cors, {
+    hook: 'preParsing'
+  })
+
+  fastify.addHook('onResponse', (request, _reply, done) => {
+    t.assert.strictEqual(request[kFastifyContext].onError, null)
+    t.assert.strictEqual(request[kFastifyContext].onRequest, null)
+    t.assert.strictEqual(request[kFastifyContext].onSend, null)
+    t.assert.strictEqual(request[kFastifyContext].preHandler, null)
+    t.assert.strictEqual(request[kFastifyContext].preParsing.length, 1)
+    t.assert.strictEqual(request[kFastifyContext].preSerialization, null)
+    t.assert.strictEqual(request[kFastifyContext].preValidation, null)
+    done()
+  })
+
+  fastify.get('/', (_req, reply) => {
+    reply.send('ok')
+  })
+
+  await fastify.ready()
+
+  const res = await fastify.inject({
+    method: 'GET',
+    url: '/'
+  })
+  delete res.headers.date
+  t.assert.strictEqual(res.statusCode, 200)
+  t.assert.strictEqual(res.payload, 'ok')
+  const actualHeader = {
+    'access-control-allow-origin': res.headers['access-control-allow-origin']
+  }
+  t.assert.deepStrictEqual(actualHeader, {
+    'access-control-allow-origin': '*'
+  })
+  t.assert.notStrictEqual(res.headers.vary, 'Origin')
+})
+
+test('Should set hook preValidation if hook option is set to preValidation', async (t) => {
+  t.plan(11)
+
+  const fastify = Fastify()
+
+  fastify.register(cors, {
+    hook: 'preValidation'
+  })
+
+  fastify.addHook('onResponse', (request, _reply, done) => {
+    t.assert.strictEqual(request[kFastifyContext].onError, null)
+    t.assert.strictEqual(request[kFastifyContext].onRequest, null)
+    t.assert.strictEqual(request[kFastifyContext].onSend, null)
+    t.assert.strictEqual(request[kFastifyContext].preHandler, null)
+    t.assert.strictEqual(request[kFastifyContext].preParsing, null)
+    t.assert.strictEqual(request[kFastifyContext].preSerialization, null)
+    t.assert.strictEqual(request[kFastifyContext].preValidation.length, 1)
+    done()
+  })
+
+  fastify.get('/', (_req, reply) => {
+    reply.send('ok')
+  })
+
+  await fastify.ready()
+
+  const res = await fastify.inject({
+    method: 'GET',
+    url: '/'
+  })
+  delete res.headers.date
+  t.assert.strictEqual(res.statusCode, 200)
+  t.assert.strictEqual(res.payload, 'ok')
+  const actualHeader = {
+    'access-control-allow-origin': res.headers['access-control-allow-origin']
+  }
+  t.assert.deepStrictEqual(actualHeader, {
+    'access-control-allow-origin': '*'
+  })
+  t.assert.notStrictEqual(res.headers.vary, 'Origin')
+})
+
+test('Should set hook preParsing if hook option is set to preParsing', async (t) => {
+  t.plan(11)
+
+  const fastify = Fastify()
+
+  fastify.register(cors, {
+    hook: 'preParsing'
+  })
+
+  fastify.addHook('onResponse', (request, _reply, done) => {
+    t.assert.strictEqual(request[kFastifyContext].onError, null)
+    t.assert.strictEqual(request[kFastifyContext].onRequest, null)
+    t.assert.strictEqual(request[kFastifyContext].onSend, null)
+    t.assert.strictEqual(request[kFastifyContext].preHandler, null)
+    t.assert.strictEqual(request[kFastifyContext].preParsing.length, 1)
+    t.assert.strictEqual(request[kFastifyContext].preSerialization, null)
+    t.assert.strictEqual(request[kFastifyContext].preValidation, null)
+    done()
+  })
+
+  fastify.get('/', (_req, reply) => {
+    reply.send('ok')
+  })
+
+  await fastify.ready()
+
+  const res = await fastify.inject({
+    method: 'GET',
+    url: '/'
+  })
+  delete res.headers.date
+  t.assert.strictEqual(res.statusCode, 200)
+  t.assert.strictEqual(res.payload, 'ok')
+  const actualHeader = {
+    'access-control-allow-origin': res.headers['access-control-allow-origin']
+  }
+  t.assert.deepStrictEqual(actualHeader, {
+    'access-control-allow-origin': '*'
+  })
+  t.assert.notStrictEqual(res.headers.vary, 'Origin')
+})
+
+test('Should set hook preHandler if hook option is set to preHandler', async (t) => {
+  t.plan(11)
+
+  const fastify = Fastify()
+
+  fastify.register(cors, {
+    hook: 'preHandler'
+  })
+
+  fastify.addHook('onResponse', (request, _reply, done) => {
+    t.assert.strictEqual(request[kFastifyContext].onError, null)
+    t.assert.strictEqual(request[kFastifyContext].onRequest, null)
+    t.assert.strictEqual(request[kFastifyContext].onSend, null)
+    t.assert.strictEqual(request[kFastifyContext].preHandler.length, 1)
+    t.assert.strictEqual(request[kFastifyContext].preParsing, null)
+    t.assert.strictEqual(request[kFastifyContext].preSerialization, null)
+    t.assert.strictEqual(request[kFastifyContext].preValidation, null)
+    done()
+  })
+
+  fastify.get('/', (_req, reply) => {
+    reply.send('ok')
+  })
+
+  await fastify.ready()
+
+  const res = await fastify.inject({
+    method: 'GET',
+    url: '/'
+  })
+  delete res.headers.date
+  t.assert.strictEqual(res.statusCode, 200)
+  t.assert.strictEqual(res.payload, 'ok')
+  const actualHeader = {
+    'access-control-allow-origin': res.headers['access-control-allow-origin']
+  }
+  t.assert.deepStrictEqual(actualHeader, {
+    'access-control-allow-origin': '*'
+  })
+  t.assert.notStrictEqual(res.headers.vary, 'Origin')
+})
+
+test('Should set hook onSend if hook option is set to onSend', async (t) => {
+  t.plan(11)
+
+  const fastify = Fastify()
+
+  fastify.register(cors, {
+    hook: 'onSend'
+  })
+
+  fastify.addHook('onResponse', (request, _reply, done) => {
+    t.assert.strictEqual(request[kFastifyContext].onError, null)
+    t.assert.strictEqual(request[kFastifyContext].onRequest, null)
+    t.assert.strictEqual(request[kFastifyContext].onSend.length, 1)
+    t.assert.strictEqual(request[kFastifyContext].preHandler, null)
+    t.assert.strictEqual(request[kFastifyContext].preParsing, null)
+    t.assert.strictEqual(request[kFastifyContext].preSerialization, null)
+    t.assert.strictEqual(request[kFastifyContext].preValidation, null)
+    done()
+  })
+
+  fastify.get('/', (_req, reply) => {
+    reply.send('ok')
+  })
+
+  await fastify.ready()
+
+  const res = await fastify.inject({
+    method: 'GET',
+    url: '/'
+  })
+  delete res.headers.date
+  t.assert.strictEqual(res.statusCode, 200)
+  t.assert.strictEqual(res.payload, 'ok')
+  const actualHeader = {
+    'access-control-allow-origin': res.headers['access-control-allow-origin']
+  }
+  t.assert.deepStrictEqual(actualHeader, {
+    'access-control-allow-origin': '*'
+  })
+  t.assert.notStrictEqual(res.headers.vary, 'Origin')
+})
+
+test('Should set hook preSerialization if hook option is set to preSerialization', async (t) => {
+  t.plan(11)
+
+  const fastify = Fastify()
+
+  fastify.register(cors, {
+    hook: 'preSerialization'
+  })
+
+  fastify.addHook('onResponse', (request, _reply, done) => {
+    t.assert.strictEqual(request[kFastifyContext].onError, null)
+    t.assert.strictEqual(request[kFastifyContext].onRequest, null)
+    t.assert.strictEqual(request[kFastifyContext].onSend, null)
+    t.assert.strictEqual(request[kFastifyContext].preHandler, null)
+    t.assert.strictEqual(request[kFastifyContext].preParsing, null)
+    t.assert.strictEqual(request[kFastifyContext].preSerialization.length, 1)
+    t.assert.strictEqual(request[kFastifyContext].preValidation, null)
+    done()
+  })
+
+  fastify.get('/', (_req, reply) => {
+    reply.send({ nonString: true })
+  })
+
+  await fastify.ready()
+
+  const res = await fastify.inject({
+    method: 'GET',
+    url: '/'
+  })
+  delete res.headers.date
+  t.assert.strictEqual(res.statusCode, 200)
+  t.assert.strictEqual(res.payload, '{"nonString":true}')
+  const actualHeader = {
+    'access-control-allow-origin': res.headers['access-control-allow-origin']
+  }
+  t.assert.deepStrictEqual(actualHeader, {
+    'access-control-allow-origin': '*'
+  })
+  t.assert.notStrictEqual(res.headers.vary, 'Origin')
+})
+
+test('Should support custom hook with dynamic config', async t => {
+  t.plan(16)
+
+  const configs = [{
+    origin: 'example.com',
+    methods: 'GET',
+    credentials: true,
+    exposedHeaders: ['foo', 'bar'],
+    allowedHeaders: ['baz', 'woo'],
+    maxAge: 123
+  }, {
+    origin: 'sample.com',
+    methods: 'GET',
+    credentials: true,
+    exposedHeaders: ['zoo', 'bar'],
+    allowedHeaders: ['baz', 'foo'],
+    maxAge: 321
+  }]
+
+  const fastify = Fastify()
+  let requestId = 0
+  const configDelegation = async function (req) {
+    // request should have id
+    t.assert.ok(req.id)
+    // request should not have send
+    t.assert.ifError(req.send)
+    const config = configs[requestId]
+    requestId++
+    if (config) {
+      return Promise.resolve(config)
+    } else {
+      return Promise.reject(new Error('ouch'))
+    }
+  }
+  await fastify.register(cors, {
+    hook: 'preHandler',
+    delegator: configDelegation
+  })
+
+  fastify.get('/', (_req, reply) => {
+    reply.send('ok')
+  })
+
+  let res = await fastify.inject({
+    method: 'GET',
+    url: '/'
+  })
+  t.assert.ok(res)
+  delete res.headers.date
+  t.assert.strictEqual(res.statusCode, 200)
+  t.assert.strictEqual(res.payload, 'ok')
+  let actualHeaders = {
+    'access-control-allow-origin': res.headers['access-control-allow-origin'],
+    'access-control-allow-credentials': res.headers['access-control-allow-credentials'],
+    'access-control-expose-headers': res.headers['access-control-expose-headers'],
+    'content-length': res.headers['content-length'],
+    vary: res.headers.vary
+  }
+  t.assert.deepStrictEqual(actualHeaders, {
+    'access-control-allow-origin': 'example.com',
+    'access-control-allow-credentials': 'true',
+    'access-control-expose-headers': 'foo, bar',
+    'content-length': '2',
+    vary: 'Origin'
+  })
+
+  res = await fastify.inject({
+    method: 'OPTIONS',
+    url: '/',
+    headers: {
+      'access-control-request-method': 'GET',
+      origin: 'example.com'
+    }
+  })
+  t.assert.ok(res)
+  delete res.headers.date
+  t.assert.strictEqual(res.statusCode, 204)
+  t.assert.strictEqual(res.payload, '')
+  actualHeaders = {
+    'access-control-allow-origin': res.headers['access-control-allow-origin'],
+    'access-control-allow-credentials': res.headers['access-control-allow-credentials'],
+    'access-control-expose-headers': res.headers['access-control-expose-headers'],
+    'access-control-allow-methods': res.headers['access-control-allow-methods'],
+    'access-control-allow-headers': res.headers['access-control-allow-headers'],
+    'access-control-max-age': res.headers['access-control-max-age'],
+    'content-length': res.headers['content-length'],
+    vary: res.headers.vary
+  }
+  t.assert.deepStrictEqual(actualHeaders, {
+    'access-control-allow-origin': 'sample.com',
+    'access-control-allow-credentials': 'true',
+    'access-control-expose-headers': 'zoo, bar',
+    'access-control-allow-methods': 'GET',
+    'access-control-allow-headers': 'baz, foo',
+    'access-control-max-age': '321',
+    'content-length': '0',
+    vary: 'Origin'
+  })
+
+  res = await fastify.inject({
+    method: 'GET',
+    url: '/',
+    headers: {
+      'access-control-request-method': 'GET',
+      origin: 'example.com'
+    }
+  })
+  t.assert.ok(res)
+  t.assert.strictEqual(res.statusCode, 500)
+})
+
+test('Should support custom hook with dynamic config (callback)', async t => {
+  t.plan(16)
+
+  const configs = [{
+    origin: 'example.com',
+    methods: 'GET',
+    credentials: true,
+    exposedHeaders: ['foo', 'bar'],
+    allowedHeaders: ['baz', 'woo'],
+    maxAge: 123
+  }, {
+    origin: 'sample.com',
+    methods: 'GET',
+    credentials: true,
+    exposedHeaders: ['zoo', 'bar'],
+    allowedHeaders: ['baz', 'foo'],
+    maxAge: 321
+  }]
+
+  const fastify = Fastify()
+  let requestId = 0
+  const configDelegation = function (req, cb) {
+    // request should have id
+    t.assert.ok(req.id)
+    // request should not have send
+    t.assert.ifError(req.send)
+    const config = configs[requestId]
+    requestId++
+    if (config) {
+      cb(null, config)
+    } else {
+      cb(new Error('ouch'))
+    }
+  }
+  fastify.register(cors, {
+    hook: 'preParsing',
+    delegator: configDelegation
+  })
+
+  fastify.get('/', (_req, reply) => {
+    reply.send('ok')
+  })
+
+  fastify.inject({
+    method: 'GET',
+    url: '/'
+  }, (err, res) => {
+    t.assert.ifError(err)
+    delete res.headers.date
+    t.assert.strictEqual(res.statusCode, 200)
+    t.assert.strictEqual(res.payload, 'ok')
+    const actualHeaders = {
+      'access-control-allow-origin': res.headers['access-control-allow-origin'],
+      'access-control-allow-credentials': res.headers['access-control-allow-credentials'],
+      'access-control-expose-headers': res.headers['access-control-expose-headers'],
+      'content-length': res.headers['content-length'],
+      vary: res.headers.vary
+    }
+    t.assert.deepStrictEqual(actualHeaders, {
+      'access-control-allow-origin': 'example.com',
+      'access-control-allow-credentials': 'true',
+      'access-control-expose-headers': 'foo, bar',
+      'content-length': '2',
+      vary: 'Origin'
+    })
+  })
+
+  fastify.inject({
+    method: 'OPTIONS',
+    url: '/',
+    headers: {
+      'access-control-request-method': 'GET',
+      origin: 'example.com'
+    }
+  }, (err, res) => {
+    t.assert.ifError(err)
+    delete res.headers.date
+    t.assert.strictEqual(res.statusCode, 204)
+    t.assert.strictEqual(res.payload, '')
+    const actualHeaders = {
+      'access-control-allow-origin': res.headers['access-control-allow-origin'],
+      'access-control-allow-credentials': res.headers['access-control-allow-credentials'],
+      'access-control-expose-headers': res.headers['access-control-expose-headers'],
+      'access-control-allow-methods': res.headers['access-control-allow-methods'],
+      'access-control-allow-headers': res.headers['access-control-allow-headers'],
+      'access-control-max-age': res.headers['access-control-max-age'],
+      'content-length': res.headers['content-length'],
+      vary: res.headers.vary
+    }
+    t.assert.deepStrictEqual(actualHeaders, {
+      'access-control-allow-origin': 'sample.com',
+      'access-control-allow-credentials': 'true',
+      'access-control-expose-headers': 'zoo, bar',
+      'access-control-allow-methods': 'GET',
+      'access-control-allow-headers': 'baz, foo',
+      'access-control-max-age': '321',
+      'content-length': '0',
+      vary: 'Origin'
+    })
+  })
+
+  fastify.inject({
+    method: 'GET',
+    url: '/',
+    headers: {
+      'access-control-request-method': 'GET',
+      origin: 'example.com'
+    }
+  }, (err, res) => {
+    t.assert.ifError(err)
+    t.assert.strictEqual(res.statusCode, 500)
+  })
+  await sleep()
+})
+
+test('Should support custom hook with dynamic config (Promise)', async t => {
+  t.plan(16)
+
+  const configs = [{
+    origin: 'example.com',
+    methods: 'GET',
+    credentials: true,
+    exposedHeaders: ['foo', 'bar'],
+    allowedHeaders: ['baz', 'woo'],
+    maxAge: 123
+  }, {
+    origin: 'sample.com',
+    methods: 'GET',
+    credentials: true,
+    exposedHeaders: ['zoo', 'bar'],
+    allowedHeaders: ['baz', 'foo'],
+    maxAge: 321
+  }]
+
+  const fastify = Fastify()
+  let requestId = 0
+  const configDelegation = async function (req) {
+    // request should have id
+    t.assert.ok(req.id)
+    // request should not have send
+    t.assert.ifError(req.send)
+    const config = configs[requestId]
+    requestId++
+    if (config) {
+      return Promise.resolve(config)
+    } else {
+      return Promise.reject(new Error('ouch'))
+    }
+  }
+
+  await fastify.register(cors, {
+    hook: 'preParsing',
+    delegator: configDelegation
+  })
+
+  fastify.get('/', (_req, reply) => {
+    reply.send('ok')
+  })
+
+  let res = await fastify.inject({
+    method: 'GET',
+    url: '/'
+  })
+  t.assert.ok(res)
+  delete res.headers.date
+  t.assert.strictEqual(res.statusCode, 200)
+  t.assert.strictEqual(res.payload, 'ok')
+  let actualHeaders = {
+    'access-control-allow-origin': res.headers['access-control-allow-origin'],
+    'access-control-allow-credentials': res.headers['access-control-allow-credentials'],
+    'access-control-expose-headers': res.headers['access-control-expose-headers'],
+    'content-length': res.headers['content-length'],
+    vary: res.headers.vary
+  }
+
+  t.assert.deepStrictEqual(actualHeaders, {
+    'access-control-allow-origin': 'example.com',
+    'access-control-allow-credentials': 'true',
+    'access-control-expose-headers': 'foo, bar',
+    'content-length': '2',
+    vary: 'Origin'
+  })
+
+  res = await fastify.inject({
+    method: 'OPTIONS',
+    url: '/',
+    headers: {
+      'access-control-request-method': 'GET',
+      origin: 'example.com'
+    }
+  })
+  t.assert.ok(res)
+  delete res.headers.date
+  t.assert.strictEqual(res.statusCode, 204)
+  t.assert.strictEqual(res.payload, '')
+  actualHeaders = {
+    'access-control-allow-origin': res.headers['access-control-allow-origin'],
+    'access-control-allow-credentials': res.headers['access-control-allow-credentials'],
+    'access-control-expose-headers': res.headers['access-control-expose-headers'],
+    'access-control-allow-methods': res.headers['access-control-allow-methods'],
+    'access-control-allow-headers': res.headers['access-control-allow-headers'],
+    'access-control-max-age': res.headers['access-control-max-age'],
+    'content-length': res.headers['content-length'],
+    vary: res.headers.vary
+  }
+  t.assert.deepStrictEqual(actualHeaders, {
+    'access-control-allow-origin': 'sample.com',
+    'access-control-allow-credentials': 'true',
+    'access-control-expose-headers': 'zoo, bar',
+    'access-control-allow-methods': 'GET',
+    'access-control-allow-headers': 'baz, foo',
+    'access-control-max-age': '321',
+    'content-length': '0',
+    vary: 'Origin'
+  })
+
+  res = await fastify.inject({
+    method: 'GET',
+    url: '/',
+    headers: {
+      'access-control-request-method': 'GET',
+      origin: 'example.com'
+    }
+  })
+  t.assert.ok(res)
+  t.assert.strictEqual(res.statusCode, 500)
+})
+
+test('Should support custom hook with dynamic config (Promise), but should error /1', async t => {
+  t.plan(6)
+
+  const fastify = Fastify()
+  const configDelegation = function () {
+    return false
+  }
+
+  await fastify.register(cors, {
+    hook: 'preParsing',
+    delegator: configDelegation
+  })
+
+  fastify.get('/', (_req, reply) => {
+    reply.send('ok')
+  })
+
+  let res = await fastify.inject({
+    method: 'OPTIONS',
+    url: '/',
+    headers: {
+      'access-control-request-method': 'GET',
+      origin: 'example.com'
+    }
+  })
+  t.assert.ok(res)
+  delete res.headers.date
+  t.assert.strictEqual(res.statusCode, 500)
+  t.assert.strictEqual(res.payload, '{"statusCode":500,"error":"Internal Server Error","message":"Invalid CORS origin option"}')
+  const actualHeaders = {
+    'content-length': res.headers['content-length']
+  }
+  t.assert.deepStrictEqual(actualHeaders, {
+    'content-length': '89'
+  })
+
+  res = await fastify.inject({
+    method: 'GET',
+    url: '/',
+    headers: {
+      'access-control-request-method': 'GET',
+      origin: 'example.com'
+    }
+  })
+  t.assert.ok(res)
+  t.assert.strictEqual(res.statusCode, 500)
+})
+
+test('Should support custom hook with dynamic config (Promise), but should error /2', async t => {
+  t.plan(6)
+
+  const fastify = Fastify()
+  const configDelegation = function () {
+    return false
+  }
+
+  await fastify.register(cors, {
+    delegator: configDelegation
+  })
+
+  fastify.get('/', (_req, reply) => {
+    reply.send('ok')
+  })
+
+  let res = await fastify.inject({
+    method: 'OPTIONS',
+    url: '/',
+    headers: {
+      'access-control-request-method': 'GET',
+      origin: 'example.com'
+    }
+  })
+  t.assert.ok(res)
+  delete res.headers.date
+  t.assert.strictEqual(res.statusCode, 500)
+  t.assert.strictEqual(res.payload, '{"statusCode":500,"error":"Internal Server Error","message":"Invalid CORS origin option"}')
+  const actualHeaders = {
+    'content-length': res.headers['content-length']
+  }
+  t.assert.deepStrictEqual(actualHeaders, {
+    'content-length': '89'
+  })
+
+  res = await fastify.inject({
+    method: 'GET',
+    url: '/',
+    headers: {
+      'access-control-request-method': 'GET',
+      origin: 'example.com'
+    }
+  })
+  t.assert.ok(res)
+  t.assert.strictEqual(res.statusCode, 500)
+})
--- a/node_modules/@fastify/cors/test/preflight.test.js
+++ b/node_modules/@fastify/cors/test/preflight.test.js
@@ -0,0 +1,590 @@
+'use strict'
+
+const { test } = require('node:test')
+const Fastify = require('fastify')
+const cors = require('../')
+
+test('Should reply to preflight requests', async t => {
+  t.plan(4)
+
+  const fastify = Fastify()
+  await fastify.register(cors)
+
+  const res = await fastify.inject({
+    method: 'OPTIONS',
+    url: '/',
+    headers: {
+      'access-control-request-method': 'GET',
+      origin: 'example.com'
+    }
+  })
+  t.assert.ok(res)
+  delete res.headers.date
+  t.assert.strictEqual(res.statusCode, 204)
+  t.assert.strictEqual(res.payload, '')
+  const actualHeaders = {
+    'access-control-allow-origin': res.headers['access-control-allow-origin'],
+    'access-control-allow-methods': res.headers['access-control-allow-methods'],
+    vary: res.headers.vary,
+    'content-length': res.headers['content-length']
+  }
+  t.assert.deepStrictEqual(actualHeaders, {
+    'access-control-allow-origin': '*',
+    'access-control-allow-methods': 'GET,HEAD,POST',
+    vary: 'Access-Control-Request-Headers',
+    'content-length': '0'
+  })
+})
+
+test('Should add access-control-allow-headers to response if preflight req has access-control-request-headers', async t => {
+  t.plan(4)
+
+  const fastify = Fastify()
+  await fastify.register(cors)
+
+  const res = await fastify.inject({
+    method: 'OPTIONS',
+    url: '/',
+    headers: {
+      'access-control-request-headers': 'x-requested-with',
+      'access-control-request-method': 'GET',
+      origin: 'example.com'
+    }
+
+  })
+  t.assert.ok(res)
+  delete res.headers.date
+  t.assert.strictEqual(res.statusCode, 204)
+  t.assert.strictEqual(res.payload, '')
+  const actualHeaders = {
+    'access-control-allow-origin': res.headers['access-control-allow-origin'],
+    'access-control-allow-methods': res.headers['access-control-allow-methods'],
+    'access-control-allow-headers': res.headers['access-control-allow-headers'],
+    vary: res.headers.vary,
+    'content-length': res.headers['content-length']
+  }
+  t.assert.deepStrictEqual(actualHeaders, {
+    'access-control-allow-origin': '*',
+    'access-control-allow-methods': 'GET,HEAD,POST',
+    'access-control-allow-headers': 'x-requested-with',
+    vary: 'Access-Control-Request-Headers',
+    'content-length': '0'
+  })
+})
+
+test('Should reply to preflight requests with custom status code', async t => {
+  t.plan(4)
+
+  const fastify = Fastify()
+  await fastify.register(cors, { optionsSuccessStatus: 200 })
+
+  const res = await fastify.inject({
+    method: 'OPTIONS',
+    url: '/',
+    headers: {
+      'access-control-request-method': 'GET',
+      origin: 'example.com'
+    }
+  })
+  t.assert.ok(res)
+  delete res.headers.date
+  t.assert.strictEqual(res.statusCode, 200)
+  t.assert.strictEqual(res.payload, '')
+  const actualHeaders = {
+    'access-control-allow-origin': res.headers['access-control-allow-origin'],
+    'access-control-allow-methods': res.headers['access-control-allow-methods'],
+    vary: res.headers.vary,
+    'content-length': res.headers['content-length']
+  }
+  t.assert.deepStrictEqual(actualHeaders, {
+    'access-control-allow-origin': '*',
+    'access-control-allow-methods': 'GET,HEAD,POST',
+    vary: 'Access-Control-Request-Headers',
+    'content-length': '0'
+  })
+})
+
+test('Should be able to override preflight response with a route', async t => {
+  t.plan(5)
+
+  const fastify = Fastify()
+  await fastify.register(cors, { preflightContinue: true })
+
+  fastify.options('/', (_req, reply) => {
+    reply.send('ok')
+  })
+
+  const res = await fastify.inject({
+    method: 'OPTIONS',
+    url: '/',
+    headers: {
+      'access-control-request-method': 'GET',
+      origin: 'example.com'
+    }
+  })
+  t.assert.ok(res)
+  delete res.headers.date
+  t.assert.strictEqual(res.statusCode, 200)
+  t.assert.strictEqual(res.payload, 'ok')
+  const actualHeaders = {
+    'access-control-allow-origin': res.headers['access-control-allow-origin']
+  }
+  t.assert.deepStrictEqual(actualHeaders, {
+    // Only the base cors headers and no preflight headers
+    'access-control-allow-origin': '*'
+  })
+  t.assert.notStrictEqual(res.headers.vary, 'Origin')
+})
+
+test('Should reply to all options requests', async t => {
+  t.plan(4)
+
+  const fastify = Fastify()
+  await fastify.register(cors)
+
+  const res = await fastify.inject({
+    method: 'OPTIONS',
+    url: '/hello',
+    headers: {
+      'access-control-request-method': 'GET',
+      origin: 'example.com'
+    }
+  })
+  t.assert.ok(res)
+  delete res.headers.date
+  t.assert.strictEqual(res.statusCode, 204)
+  t.assert.strictEqual(res.payload, '')
+  const actualHeaders = {
+    'access-control-allow-origin': res.headers['access-control-allow-origin'],
+    'access-control-allow-methods': res.headers['access-control-allow-methods'],
+    vary: res.headers.vary,
+    'content-length': res.headers['content-length']
+  }
+  t.assert.deepStrictEqual(actualHeaders, {
+    'access-control-allow-origin': '*',
+    'access-control-allow-methods': 'GET,HEAD,POST',
+    vary: 'Access-Control-Request-Headers',
+    'content-length': '0'
+  })
+})
+
+test('Should support a prefix for preflight requests', async t => {
+  t.plan(6)
+
+  const fastify = Fastify()
+  await fastify.register((instance, _opts, next) => {
+    instance.register(cors)
+    next()
+  }, { prefix: '/subsystem' })
+
+  let res = await fastify.inject({
+    method: 'OPTIONS',
+    url: '/hello'
+  })
+  t.assert.ok(res)
+  t.assert.strictEqual(res.statusCode, 404)
+
+  res = await fastify.inject({
+    method: 'OPTIONS',
+    url: '/subsystem/hello',
+    headers: {
+      'access-control-request-method': 'GET',
+      origin: 'example.com'
+    }
+  })
+  t.assert.ok(res)
+  delete res.headers.date
+  t.assert.strictEqual(res.statusCode, 204)
+  t.assert.strictEqual(res.payload, '')
+  const actualHeaders = {
+    'access-control-allow-origin': res.headers['access-control-allow-origin'],
+    'access-control-allow-methods': res.headers['access-control-allow-methods'],
+    vary: res.headers.vary,
+    'content-length': res.headers['content-length']
+  }
+  t.assert.deepStrictEqual(actualHeaders, {
+    'access-control-allow-origin': '*',
+    'access-control-allow-methods': 'GET,HEAD,POST',
+    vary: 'Access-Control-Request-Headers',
+    'content-length': '0'
+  })
+})
+
+test('hide options route by default', async t => {
+  t.plan(2)
+
+  const fastify = Fastify()
+
+  fastify.addHook('onRoute', (route) => {
+    if (route.method === 'OPTIONS' && route.url === '*') {
+      t.assert.strictEqual(route.schema.hide, true)
+    }
+  })
+  await fastify.register(cors)
+
+  const ready = await fastify.ready()
+  t.assert.ok(ready)
+})
+
+test('show options route', async t => {
+  t.plan(2)
+
+  const fastify = Fastify()
+
+  fastify.addHook('onRoute', (route) => {
+    if (route.method === 'OPTIONS' && route.url === '*') {
+      t.assert.strictEqual(route.schema.hide, false)
+    }
+  })
+  await fastify.register(cors, { hideOptionsRoute: false })
+
+  const ready = await fastify.ready()
+  t.assert.ok(ready)
+})
+
+test('Allow only request from with specific methods', async t => {
+  t.plan(4)
+
+  const fastify = Fastify()
+  await fastify.register(cors, { methods: ['GET', 'POST'] })
+
+  const res = await fastify.inject({
+    method: 'OPTIONS',
+    url: '/',
+    headers: {
+      'access-control-request-method': 'GET',
+      origin: 'example.com'
+    }
+  })
+  t.assert.ok(res)
+  delete res.headers.date
+  t.assert.strictEqual(res.statusCode, 204)
+  const actualHeaders = {
+    'access-control-allow-methods': res.headers['access-control-allow-methods']
+  }
+  t.assert.deepStrictEqual(actualHeaders, {
+    'access-control-allow-methods': 'GET, POST'
+  })
+  t.assert.notStrictEqual(res.headers.vary, 'Origin')
+})
+
+test('Should reply with 400 error to OPTIONS requests missing origin header when default strictPreflight', async t => {
+  t.plan(3)
+
+  const fastify = Fastify()
+  await fastify.register(cors)
+
+  const res = await fastify.inject({
+    method: 'OPTIONS',
+    url: '/',
+    headers: {
+      'access-control-request-method': 'GET'
+    }
+  })
+  t.assert.ok(res)
+  t.assert.strictEqual(res.statusCode, 400)
+  t.assert.strictEqual(res.payload, 'Invalid Preflight Request')
+})
+
+test('Should reply with 400 to OPTIONS requests when missing Access-Control-Request-Method header when default strictPreflight', async t => {
+  t.plan(3)
+
+  const fastify = Fastify()
+  await fastify.register(cors, {
+    strictPreflight: true
+  })
+
+  const res = await fastify.inject({
+    method: 'OPTIONS',
+    url: '/',
+    headers: {
+      origin: 'example.com'
+    }
+  })
+  t.assert.ok(res)
+  t.assert.strictEqual(res.statusCode, 400)
+  t.assert.strictEqual(res.payload, 'Invalid Preflight Request')
+})
+
+test('Should reply to all preflight requests when strictPreflight is disabled', async t => {
+  t.plan(4)
+
+  const fastify = Fastify()
+  await fastify.register(cors, { strictPreflight: false })
+
+  const res = await fastify.inject({
+    method: 'OPTIONS',
+    url: '/'
+    // No access-control-request-method or origin headers
+  })
+  t.assert.ok(res)
+  delete res.headers.date
+  t.assert.strictEqual(res.statusCode, 204)
+  t.assert.strictEqual(res.payload, '')
+  const actualHeaders = {
+    'access-control-allow-origin': res.headers['access-control-allow-origin'],
+    'access-control-allow-methods': res.headers['access-control-allow-methods'],
+    vary: res.headers.vary,
+    'content-length': res.headers['content-length']
+  }
+  t.assert.deepStrictEqual(actualHeaders, {
+    'access-control-allow-origin': '*',
+    'access-control-allow-methods': 'GET,HEAD,POST',
+    vary: 'Access-Control-Request-Headers',
+    'content-length': '0'
+  })
+})
+
+test('Default empty 200 response with preflightContinue on OPTIONS routes', async t => {
+  t.plan(4)
+
+  const fastify = Fastify()
+  await fastify.register(cors, { preflightContinue: true })
+
+  const res = await fastify.inject({
+    method: 'OPTIONS',
+    url: '/doesnotexist',
+    headers: {
+      'access-control-request-method': 'GET',
+      origin: 'example.com'
+    }
+  })
+  t.assert.ok(res)
+  delete res.headers.date
+  t.assert.strictEqual(res.statusCode, 200)
+  t.assert.strictEqual(res.payload, '')
+  const actualHeaders = {
+    'access-control-allow-origin': res.headers['access-control-allow-origin'],
+    'access-control-allow-methods': res.headers['access-control-allow-methods'],
+    vary: res.headers.vary
+  }
+  t.assert.deepStrictEqual(actualHeaders, {
+    'access-control-allow-origin': '*',
+    'access-control-allow-methods': 'GET,HEAD,POST',
+    vary: 'Access-Control-Request-Headers'
+  })
+})
+
+test('Can override preflight response with preflightContinue', async t => {
+  t.plan(4)
+
+  const fastify = Fastify()
+  await fastify.register(cors, { preflightContinue: true })
+
+  fastify.options('/', (_req, reply) => {
+    reply.send('ok')
+  })
+
+  const res = await fastify.inject({
+    method: 'OPTIONS',
+    url: '/',
+    headers: {
+      'access-control-request-method': 'GET',
+      origin: 'example.com'
+    }
+  })
+  t.assert.ok(res)
+  delete res.headers.date
+  t.assert.strictEqual(res.statusCode, 200)
+  t.assert.strictEqual(res.payload, 'ok')
+  const actualHeaders = {
+    'access-control-allow-origin': res.headers['access-control-allow-origin'],
+    'access-control-allow-methods': res.headers['access-control-allow-methods'],
+    vary: res.headers.vary
+  }
+  t.assert.deepStrictEqual(actualHeaders, {
+    'access-control-allow-origin': '*',
+    'access-control-allow-methods': 'GET,HEAD,POST',
+    vary: 'Access-Control-Request-Headers'
+  })
+})
+
+test('Should support ongoing prefix ', async t => {
+  t.plan(12)
+
+  const fastify = Fastify()
+
+  await fastify.register(async (instance) => {
+    instance.register(cors)
+  }, { prefix: '/prefix' })
+
+  // support prefixed route
+  let res = await fastify.inject({
+    method: 'OPTIONS',
+    url: '/prefix',
+    headers: {
+      'access-control-request-method': 'GET',
+      origin: 'example.com'
+    }
+  })
+  t.assert.ok(res)
+  delete res.headers.date
+  t.assert.strictEqual(res.statusCode, 204)
+  t.assert.strictEqual(res.payload, '')
+  let actualHeaders = {
+    'access-control-allow-origin': res.headers['access-control-allow-origin'],
+    'access-control-allow-methods': res.headers['access-control-allow-methods'],
+    vary: res.headers.vary,
+    'content-length': res.headers['content-length']
+  }
+  t.assert.deepStrictEqual(actualHeaders, {
+    'access-control-allow-origin': '*',
+    'access-control-allow-methods': 'GET,HEAD,POST',
+    vary: 'Access-Control-Request-Headers',
+    'content-length': '0'
+  })
+
+  // support prefixed route without / continue
+  res = await fastify.inject({
+    method: 'OPTIONS',
+    url: '/prefixfoo',
+    headers: {
+      'access-control-request-method': 'GET',
+      origin: 'example.com'
+    }
+  })
+  t.assert.ok(res)
+  delete res.headers.date
+  t.assert.strictEqual(res.statusCode, 204)
+  t.assert.strictEqual(res.payload, '')
+  actualHeaders = {
+    'access-control-allow-origin': res.headers['access-control-allow-origin'],
+    'access-control-allow-methods': res.headers['access-control-allow-methods'],
+    vary: res.headers.vary,
+    'content-length': res.headers['content-length']
+  }
+  t.assert.deepStrictEqual(actualHeaders, {
+    'access-control-allow-origin': '*',
+    'access-control-allow-methods': 'GET,HEAD,POST',
+    vary: 'Access-Control-Request-Headers',
+    'content-length': '0'
+  })
+
+  // support prefixed route with / continue
+  res = await fastify.inject({
+    method: 'OPTIONS',
+    url: '/prefix/foo',
+    headers: {
+      'access-control-request-method': 'GET',
+      origin: 'example.com'
+    }
+  })
+  t.assert.ok(res)
+  delete res.headers.date
+  t.assert.strictEqual(res.statusCode, 204)
+  t.assert.strictEqual(res.payload, '')
+  actualHeaders = {
+    'access-control-allow-origin': res.headers['access-control-allow-origin'],
+    'access-control-allow-methods': res.headers['access-control-allow-methods'],
+    vary: res.headers.vary,
+    'content-length': res.headers['content-length']
+  }
+  t.assert.deepStrictEqual(actualHeaders, {
+    'access-control-allow-origin': '*',
+    'access-control-allow-methods': 'GET,HEAD,POST',
+    vary: 'Access-Control-Request-Headers',
+    'content-length': '0'
+  })
+})
+
+test('Silences preflight logs when logLevel is "silent"', async t => {
+  const logs = []
+  const fastify = Fastify({
+    logger: {
+      level: 'info',
+      stream: {
+        write (line) {
+          try {
+            logs.push(JSON.parse(line))
+          } catch {
+          }
+        }
+      }
+    }
+  })
+
+  await fastify.register(cors, { logLevel: 'silent' })
+
+  fastify.get('/', async () => ({ ok: true }))
+
+  await fastify.ready()
+  t.assert.ok(fastify)
+
+  await fastify.inject({
+    method: 'OPTIONS',
+    url: '/',
+    headers: {
+      'access-control-request-method': 'GET',
+      origin: 'https://example.com'
+    }
+  })
+
+  await fastify.inject({ method: 'GET', url: '/' })
+
+  const hasOptionsLog = logs.some(l => l.req && l.req.method === 'OPTIONS')
+  const hasGetLog = logs.some(l => l.req && l.req.method === 'GET')
+
+  t.assert.strictEqual(hasOptionsLog, false)
+  t.assert.strictEqual(hasGetLog, true)
+
+  await fastify.close()
+})
+test('delegator + logLevel:"silent" → OPTIONS logs are suppressed', async t => {
+  t.plan(3)
+
+  const logs = []
+  const app = Fastify({
+    logger: {
+      level: 'info',
+      stream: { write: l => { try { logs.push(JSON.parse(l)) } catch {} } }
+    }
+  })
+
+  await app.register(cors, {
+    delegator: () => ({ origin: '*' }),
+    logLevel: 'silent'
+  })
+
+  app.get('/', () => ({ ok: true }))
+  await app.ready()
+  t.assert.ok(app)
+
+  await app.inject({
+    method: 'OPTIONS',
+    url: '/',
+    headers: {
+      'access-control-request-method': 'GET',
+      origin: 'https://example.com'
+    }
+  })
+
+  await app.inject({ method: 'GET', url: '/' })
+
+  const hasOptionsLog = logs.some(l => l.req?.method === 'OPTIONS')
+  const hasGetLog = logs.some(l => l.req?.method === 'GET')
+
+  t.assert.strictEqual(hasOptionsLog, false)
+  t.assert.strictEqual(hasGetLog, true)
+
+  await app.close()
+})
+test('delegator + hideOptionsRoute:false → OPTIONS route is visible', async t => {
+  t.plan(2)
+
+  const app = Fastify()
+
+  app.addHook('onRoute', route => {
+    if (route.method === 'OPTIONS' && route.url === '*') {
+      t.assert.strictEqual(route.schema.hide, false)
+    }
+  })
+
+  await app.register(cors, {
+    delegator: () => ({ origin: '*' }),
+    hideOptionsRoute: false
+  })
+
+  await app.ready()
+  t.assert.ok(app)
+  await app.close()
+})
--- a/node_modules/@fastify/cors/test/vary.test.js
+++ b/node_modules/@fastify/cors/test/vary.test.js
@@ -0,0 +1,237 @@
+'use strict'
+
+const { test } = require('node:test')
+const { createAddFieldnameToVary } = require('../vary')
+const { parse } = require('../vary')
+
+test('Should set * even if we set a specific field', async t => {
+  t.plan(1)
+
+  const addOriginToVary = createAddFieldnameToVary('Origin')
+  const replyMock = {
+    getHeader () {
+      return '*'
+    },
+    header () {
+      t.fail('Should not be here')
+    }
+  }
+
+  addOriginToVary(replyMock)
+  t.assert.ok(true) // equalivant to tap t.pass()
+})
+
+test('Should set * even if we set a specific field', t => {
+  t.plan(2)
+
+  const addWildcardToVary = createAddFieldnameToVary('*')
+  const replyMock = {
+    getHeader () {
+      return 'Origin'
+    },
+    header (name, value) {
+      t.assert.deepStrictEqual(name, 'Vary')
+      t.assert.deepStrictEqual(value, '*')
+    }
+  }
+
+  addWildcardToVary(replyMock)
+})
+
+test('Should set * when field contains a *', t => {
+  t.plan(3)
+
+  const addOriginToVary = createAddFieldnameToVary('Origin')
+  const replyMock = {
+    getHeader () {
+      return ['Origin', '*', 'Access-Control-Request-Headers']
+    },
+    header (name, value) {
+      t.assert.deepStrictEqual(name, 'Vary')
+      t.assert.deepStrictEqual(value, '*')
+    }
+  }
+
+  addOriginToVary(replyMock)
+  t.assert.ok(true) // equalivant to tap t.pass()
+})
+
+test('Should concat vary values', t => {
+  t.plan(3)
+
+  const addOriginToVary = createAddFieldnameToVary('Origin')
+  const replyMock = {
+    getHeader () {
+      return 'Access-Control-Request-Headers'
+    },
+    header (name, value) {
+      t.assert.deepStrictEqual(name, 'Vary')
+      t.assert.deepStrictEqual(value, 'Access-Control-Request-Headers, Origin')
+    }
+  }
+
+  addOriginToVary(replyMock)
+  t.assert.ok(true) // equalivant to tap t.pass()
+})
+
+test('Should concat vary values ignoring consecutive commas', t => {
+  t.plan(3)
+
+  const addOriginToVary = createAddFieldnameToVary('Origin')
+  const replyMock = {
+    getHeader () {
+      return ' Access-Control-Request-Headers,Access-Control-Request-Method'
+    },
+    header (name, value) {
+      t.assert.deepStrictEqual(name, 'Vary')
+      t.assert.deepStrictEqual(value, ' Access-Control-Request-Headers,Access-Control-Request-Method, Origin')
+    }
+  }
+
+  addOriginToVary(replyMock)
+  t.assert.ok(true) // equalivant to tap t.pass()
+})
+
+test('Should concat vary values ignoring whitespace', t => {
+  t.plan(3)
+
+  const addOriginToVary = createAddFieldnameToVary('Origin')
+  const replyMock = {
+    getHeader () {
+      return ' Access-Control-Request-Headers ,Access-Control-Request-Method'
+    },
+    header (name, value) {
+      t.assert.deepStrictEqual(name, 'Vary')
+      t.assert.deepStrictEqual(value, ' Access-Control-Request-Headers ,Access-Control-Request-Method, Origin')
+    }
+  }
+
+  addOriginToVary(replyMock)
+  t.assert.ok(true) // equalivant to tap t.pass()
+})
+
+test('Should set the field as value for vary if no vary is defined', t => {
+  t.plan(2)
+
+  const addOriginToVary = createAddFieldnameToVary('Origin')
+  const replyMock = {
+    getHeader () {
+      return undefined
+    },
+    header (name, value) {
+      t.assert.deepStrictEqual(name, 'Vary')
+      t.assert.deepStrictEqual(value, 'Origin')
+    }
+  }
+
+  addOriginToVary(replyMock)
+})
+
+test('Should set * as value for vary if vary contains *', t => {
+  t.plan(2)
+
+  const addOriginToVary = createAddFieldnameToVary('Origin')
+  const replyMock = {
+    getHeader () {
+      return 'Accept,*'
+    },
+    header (name, value) {
+      t.assert.deepStrictEqual(name, 'Vary')
+      t.assert.deepStrictEqual(value, '*')
+    }
+  }
+
+  addOriginToVary(replyMock)
+})
+
+test('Should set Accept-Encoding as value for vary if vary is empty string', t => {
+  t.plan(2)
+
+  const addAcceptEncodingToVary = createAddFieldnameToVary('Accept-Encoding')
+  const replyMock = {
+    getHeader () {
+      return ''
+    },
+    header (name, value) {
+      t.assert.deepStrictEqual(name, 'Vary')
+      t.assert.deepStrictEqual(value, 'Accept-Encoding')
+    }
+  }
+
+  addAcceptEncodingToVary(replyMock)
+})
+
+test('Should have no issues with values containing dashes', t => {
+  t.plan(2)
+
+  const addXFooToVary = createAddFieldnameToVary('X-Foo')
+  const replyMock = {
+    value: 'Accept-Encoding',
+    getHeader () {
+      return this.value
+    },
+    header (name, value) {
+      t.assert.deepStrictEqual(name, 'Vary')
+      t.assert.deepStrictEqual(value, 'Accept-Encoding, X-Foo')
+      this.value = value
+    }
+  }
+
+  addXFooToVary(replyMock)
+  addXFooToVary(replyMock)
+})
+
+test('Should ignore the header as value for vary if it is already in vary', t => {
+  t.plan(1)
+
+  const addOriginToVary = createAddFieldnameToVary('Origin')
+  const replyMock = {
+    getHeader () {
+      return 'Origin'
+    },
+    header () {
+      t.fail('Should not be here')
+    }
+  }
+  addOriginToVary(replyMock)
+  addOriginToVary(replyMock)
+
+  t.assert.ok(true) // equalivant to tap t.pass()
+})
+
+test('parse', t => {
+  t.plan(18)
+  t.assert.deepStrictEqual(parse(''), [])
+  t.assert.deepStrictEqual(parse('a'), ['a'])
+  t.assert.deepStrictEqual(parse('a,b'), ['a', 'b'])
+  t.assert.deepStrictEqual(parse('  a,b'), ['a', 'b'])
+  t.assert.deepStrictEqual(parse('a,b  '), ['a', 'b'])
+  t.assert.deepStrictEqual(parse('a,b,c'), ['a', 'b', 'c'])
+  t.assert.deepStrictEqual(parse('A,b,c'), ['a', 'b', 'c'])
+  t.assert.deepStrictEqual(parse('a,b,c,'), ['a', 'b', 'c'])
+  t.assert.deepStrictEqual(parse('a,b,c, '), ['a', 'b', 'c'])
+  t.assert.deepStrictEqual(parse(',a,b,c'), ['a', 'b', 'c'])
+  t.assert.deepStrictEqual(parse(' ,a,b,c'), ['a', 'b', 'c'])
+  t.assert.deepStrictEqual(parse('a,,b,c'), ['a', 'b', 'c'])
+  t.assert.deepStrictEqual(parse('a,,,b,,c'), ['a', 'b', 'c'])
+  t.assert.deepStrictEqual(parse('a, b,c'), ['a', 'b', 'c'])
+  t.assert.deepStrictEqual(parse('a,   b,c'), ['a', 'b', 'c'])
+  t.assert.deepStrictEqual(parse('a, , b,c'), ['a', 'b', 'c'])
+  t.assert.deepStrictEqual(parse('a,  , b,c'), ['a', 'b', 'c'])
+
+  // one for the cache
+  t.assert.deepStrictEqual(parse('A,b,c'), ['a', 'b', 'c'])
+})
+
+test('createAddFieldnameToVary', async t => {
+  t.plan(4)
+  t.assert.strictEqual(typeof createAddFieldnameToVary('valid-header'), 'function')
+  await t.assert.rejects(
+    async () => createAddFieldnameToVary('invalid:header'),
+    (err) => {
+      t.assert.strictEqual(err.name, 'TypeError')
+      t.assert.strictEqual(err.message, 'Fieldname contains invalid characters.')
+      return true
+    }
+  )
+})