From d15a3ce8f59008db9f07fea8147fad7ac1030645 Mon Sep 17 00:00:00 2001
From: Florent Vilmart <364568+flovilmart@users.noreply.github.com>
Date: Tue, 7 Aug 2018 11:13:15 -0400
Subject: [PATCH] Adds exposed headers to avoid issue in JS SDK (#4934)

* Adds exposed headers to avoid issue in JS SDK

* Adds test for headers
---
 spec/Middlewares.spec.js | 12 ++++++++++++
 src/middlewares.js       |  2 +-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/spec/Middlewares.spec.js b/spec/Middlewares.spec.js
index 0b1ea593..a5ad4bc2 100644
--- a/spec/Middlewares.spec.js
+++ b/spec/Middlewares.spec.js
@@ -290,4 +290,16 @@ describe('middlewares', () => {
     middlewares.handleParseHeaders(fakeReq, fakeRes);
     expect(fakeRes.status).toHaveBeenCalledWith(403);
   });
+
+  it('should properly expose the headers', () => {
+    const headers = {};
+    const res = {
+      header: (key, value) => {
+        headers[key] = value
+      }
+    };
+    middlewares.allowCrossDomain({}, res, () => {});
+    expect(Object.keys(headers).length).toBe(4);
+    expect(headers['Access-Control-Expose-Headers']).toBe('X-Parse-Job-Status-Id, X-Parse-Push-Status-Id');
+  });
 });
diff --git a/src/middlewares.js b/src/middlewares.js
index 0606ab8f..22d0b286 100644
--- a/src/middlewares.js
+++ b/src/middlewares.js
@@ -247,7 +247,7 @@ export function allowCrossDomain(req, res, next) {
   res.header('Access-Control-Allow-Origin', '*');
   res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS');
   res.header('Access-Control-Allow-Headers', 'X-Parse-Master-Key, X-Parse-REST-API-Key, X-Parse-Javascript-Key, X-Parse-Application-Id, X-Parse-Client-Version, X-Parse-Session-Token, X-Requested-With, X-Parse-Revocable-Session, Content-Type');
-
+  res.header('Access-Control-Expose-Headers', 'X-Parse-Job-Status-Id, X-Parse-Push-Status-Id');
   // intercept OPTIONS method
   if ('OPTIONS' == req.method) {
     res.sendStatus(200);