Skip to content

Remove connector-level CORS configuration (breaking change)#9

Merged
macielti merged 3 commits into
mainfrom
breaking/remove-default-interceptors
May 1, 2026
Merged

Remove connector-level CORS configuration (breaking change)#9
macielti merged 3 commits into
mainfrom
breaking/remove-default-interceptors

Conversation

@macielti

@macielti macielti commented May 1, 2026

Copy link
Copy Markdown
Owner

Summary

Removes the :allowed-origins configuration option and the with-default-interceptors call that configured CORS at the service component level. CORS and other default request interceptors must now be configured per-route in the consuming application using Pedestal's built-in mechanisms.

Motivation

This change decouples CORS policy and interceptor configuration from the service component, moving these concerns to the consuming application where they belong. Each application should decide which routes require CORS, authentication, rate limiting, or other interceptors.

Breaking Changes

  • Removed: :allowed-origins configuration option is no longer supported
  • Removed: Connector-level CORS setup via with-default-interceptors
  • Migration Path: Consuming applications must now configure CORS per-route using:
    1. io.pedestal.connector/with-default-interceptors in route setup, or
    2. Per-route interceptor configuration in Pedestal route definitions

Changes

  • src/service/component.clj

    • Remove allow-all-origins var
    • Remove allowed-origins private function
    • Remove allowed-origins' binding and with-default-interceptors call
    • Add comment explaining CORS configuration approach
  • README.md

    • Remove :allowed-origins from configuration table
    • Remove :allowed-origins example and note
    • Add new "Interceptors" section with migration guidance
  • Version bump: 0.3.80.4.0

    • Updated project.clj and pom.xml
    • Added breaking change entry to CHANGELOG.md
  • Tests

    • Removed test/integration/cors_test.clj (tested removed functionality)

Test Plan

Existing tests pass (pre-existing failures in other test suites are unrelated to these changes). The CORS-related tests were removed as they tested functionality no longer provided by this component.

To verify: consuming applications using this component must migrate to per-route CORS configuration.

🤖 Generated with Claude Code

macielti and others added 3 commits May 1, 2026 18:58
Removes the :allowed-origins configuration option and the with-default-interceptors
call that configured CORS at the service component level. CORS and other default
request interceptors must now be configured per-route in the consuming application.

Changes:
- Remove allow-all-origins var and allowed-origins function
- Remove with-default-interceptors call from service initialization
- Update README with new Interceptors section explaining options
- Remove CORS integration tests that test removed functionality
- Version bump: 0.3.8 → 0.4.0 (breaking change)

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
@macielti macielti merged commit de2957a into main May 1, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant