npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@gulibs/tegg-cors

v0.0.1

Published

CORS plugin for Egg.js 4.x

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

gujiwengujiwen

Keywords

eggegg-plugineggPluginteggtegg-corscorscross-origin

Readme

@gulibs/tegg-cors

npm version Node.js Version License

CORS (Cross-Origin Resource Sharing) plugin for Egg.js 4.x, powered by @koa/cors.

Features

  • ✅ Full CORS support with customizable options
  • ✅ Integration with egg-security's safe domain check
  • ✅ TypeScript support with full type definitions
  • ✅ Dynamic origin validation with function support
  • ✅ Preflight request handling
  • ✅ Private Network Access support

Requirements

  • Node.js >= 22.18.0
  • Egg.js >= 4.1.0-beta.35

Install

Install Latest Version

npm i @gulibs/tegg-cors
# or
npm i @gulibs/tegg-cors@latest

Install Beta Version

To install the beta version, you must explicitly specify the @beta tag:

npm i @gulibs/tegg-cors@beta

Note: Using @latest or no tag will install the latest stable version, not the beta version.

Usage

1. Enable Plugin

// config/plugin.ts
import corsPlugin from '@gulibs/tegg-cors';

export default {
  ...corsPlugin(),
};

2. Configure CORS Options

// config/config.default.ts
export default {
  teggCors: {
    // Allow all origins (not recommended for production)
    origin: '*',

    // Or specify allowed origins
    origin: 'https://example.com',

    // Or use a function for dynamic origin validation
    origin: async (ctx) => {
      const origin = ctx.get('origin');
      // Your custom validation logic
      return origin;
    },

    // Allowed HTTP methods
    allowMethods: 'GET,HEAD,PUT,POST,DELETE,PATCH',

    // Expose custom headers to the client
    exposeHeaders: ['X-Custom-Header'],

    // Allow custom headers in requests
    allowHeaders: ['Content-Type', 'Authorization'],

    // Preflight cache duration (in seconds)
    maxAge: 600,

    // Allow credentials (cookies, authorization headers)
    credentials: true,

    // Keep headers on error responses
    keepHeadersOnError: false,

    // Private Network Access
    privateNetworkAccess: false,
  },
};

Configuration Options

Basic Options

origin

Type: string | ((ctx: Context) => string | Promise<string>)

Default: Uses egg-security's isSafeDomain check if available

Set the Access-Control-Allow-Origin header.

Examples:

// Allow all origins (not recommended for production)
origin: '*'

// Allow specific origin
origin: 'https://example.com'

// Allow multiple origins
origin: (ctx) => {
  const allowedOrigins = ['https://example.com', 'https://app.example.com'];
  const origin = ctx.get('origin');
  return allowedOrigins.includes(origin) ? origin : '';
}

// Use egg-security integration (default behavior)
// No need to configure if egg-security is enabled
// It will automatically check against domainWhiteList

allowMethods

Type: string | string[]

Default: 'GET,HEAD,PUT,POST,DELETE,PATCH'

Set the Access-Control-Allow-Methods header.

allowMethods: 'GET,POST,PUT'
// or
allowMethods: ['GET', 'POST', 'PUT']

exposeHeaders

Type: string | string[]

Default: undefined

Set the Access-Control-Expose-Headers header.

exposeHeaders: ['X-Custom-Header', 'X-Request-Id']

allowHeaders

Type: string | string[]

Default: undefined (reflects the request's Access-Control-Request-Headers)

Set the Access-Control-Allow-Headers header.

allowHeaders: ['Content-Type', 'Authorization', 'X-Custom-Header']

maxAge

Type: string | number

Default: undefined

Set the Access-Control-Max-Age header (preflight cache duration in seconds).

maxAge: 600 // 10 minutes

credentials

Type: boolean

Default: false

Set the Access-Control-Allow-Credentials header.

credentials: true

Note: When credentials: true, origin cannot be '*'. You must specify exact origins.

keepHeadersOnError

Type: boolean

Default: false

Add CORS headers to error responses.

keepHeadersOnError: true

privateNetworkAccess

Type: boolean

Default: false

Set the Access-Control-Allow-Private-Network header for Private Network Access.

privateNetworkAccess: true

Integration with egg-security

If you have egg-security plugin enabled and don't configure a custom origin handler, tegg-cors will automatically use the domainWhiteList from egg-security:

// config/config.default.ts
export default {
  // egg-security configuration
  security: {
    domainWhiteList: ['https://example.com', 'https://app.example.com'],
  },

  // tegg-cors will automatically use domainWhiteList for origin validation
  teggCors: {
    credentials: true,
  },
};

Common Use Cases

Allow specific domains

export default {
  teggCors: {
    origin: (ctx) => {
      const allowedOrigins = [
        'https://example.com',
        'https://app.example.com',
        'https://admin.example.com',
      ];
      const origin = ctx.get('origin');
      return allowedOrigins.includes(origin) ? origin : '';
    },
    credentials: true,
  },
};

Allow all subdomains

export default {
  teggCors: {
    origin: (ctx) => {
      const origin = ctx.get('origin');
      if (origin && /^https:\/\/[\w-]+\.example\.com$/.test(origin)) {
        return origin;
      }
      return '';
    },
    credentials: true,
  },
};

Development vs Production

// config/config.default.ts
export default {
  teggCors: {
    origin: '*', // Allow all in development
  },
};

// config/config.prod.ts
export default {
  teggCors: {
    origin: 'https://example.com', // Restrict in production
    credentials: true,
  },
};

TypeScript Support

Full TypeScript support with type definitions:

import type { CorsConfig } from '@gulibs/tegg-cors';

const corsConfig: CorsConfig = {
  origin: 'https://example.com',
  credentials: true,
  allowMethods: ['GET', 'POST'],
};

Testing

# Run tests
pnpm test

# Type check
pnpm run typecheck

# Lint
pnpm run lint

Build

pnpm run build

License

MIT

Related

  • @koa/cors - Underlying CORS middleware
  • egg-security - Security plugin for Egg.js
  • Egg.js - Born to build better enterprise frameworks and apps

Contributing

Contributions are welcome! Please read our contributing guidelines first.