bug: cors should be at header_filter phase

[JanLi-air]

Issue description

the cors headers can be overridden by upstreams if it's put at rewrite phase.

Environment

• apisix version (cmd: apisix version): 1.4
• OS: Linux

Minimal test code / Steps to reproduce the issue

1. Create a backend which override the cors headers, such as Access-Control-Allow-Origin
2. Configure cors plugin to proxy to the upstream setup in step 1
3. Request the uri configured

What's the actual result? (including assertion message & call stack if applicable)

the cors header will be determined by the upstream

What's the expected result?

the cors header should be determined by the cors plugin.

This is related to antoher issue: #1528

I don't think it's good practice to change the phase of cors plugin to make sure it works with the auth plugins.
The cors plugin worked in header_filter phase since it needs to rewrite those headers after apisix gets response from upstream. If we change it to be at the rewrite phase, it's possible the header got overridden by upstream or the header is discarded somewhere.

[membphis]

@ShiningRush do you have time to look at this issue?

[membphis]

@JanLi-air many thx for your report this bug

[ShiningRush]

It related with #1704, I will fix it in this week.
I think user should not concern at which phase cors plugin work, they just care whether the cors plugin overwrite upstream's header.
BTW: make sure cors plugin work fine with auth plugins is a better way, because the Browser just report the cors error when authenticated failed.
It is unfriendly to front-end engineer

[JanLi-air]

if cors plugin needs to work with auth plugins, i think we can set header both at header_filter phase and after auth failure.
But since auth plugin will return before cors plugin, and we need to keep plugins independent with each other, we'd better write cors headers at both rewrite phase and header_filter phase.

[ShiningRush]

Yes, you are right : )
The cors plugin will write header in rewrite phase or both rewrite and header_filter phase, it depend on is_overwrite_upstream.
But now here is a strange problem that it seems if we write header in rewrite phase and upstream also write header , client will get a duplicate headers, it confuse me.

[JanLi-air]

it depends on how we write the header. because in http you can have multiple headers with identical name, so if you want to override you need to first delete the existing one.