fix(event_handler): disable allow-credentials header when origin allow_origin is *

[sthulb]

Issue number: #4589

Summary

Ensures CORS behaviour is correct.

Changes

Please provide a summary of what's being changed

Scenario	Old Behaviour	New Behaviour
Default/Empty CORSConfig	Sets Origin header as ACA-Origin regardless	Returns *, disables ACA-Credentials
CORSConfig has allowed_origins	Sets Origin header as ACA-Origin regardless	Returns correct origin for ACA-Origin
CORSConfig is set with domains and * in allowed_origins	Sets Origin header as ACA-Origin regardless	If no matching Origin is found, it will return * and disables ACA-Credentials

The disabling of Access-Control-Allow-Credentials to prevent server-side credentials being returned to non-named origins.

User experience

Please share what the user experience looks like before and after this change

Checklist

If your change doesn't seem to apply, please leave them unchecked.

• Meet tenets criteria
• I have performed a self-review of this change
• Changes have been tested
• Changes are documented
• PR title follows conventional commit semantics

Is this a breaking change?

RFC issue number:

Checklist:

• Migration process documented
• Implement warnings (if it can live side by side)

Acknowledgment

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

Disclaimer: We value your time and bandwidth. As such, any pull requests created on non-triaged issues might not be successful.

[leandrodamascena]

Starting the review.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 96.42%. Comparing base (46fe028) to head (2756d09).

Additional details and impacted files

@@             Coverage Diff             @@
##           develop    #4638      +/-   ##
===========================================
- Coverage    96.46%   96.42%   -0.04%     
===========================================
  Files          223      223              
  Lines        10735    10744       +9     
  Branches      1998     2001       +3     
===========================================
+ Hits         10355    10360       +5     
- Misses         268      270       +2     
- Partials       112      114       +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[leandrodamascena]

Hi @sthulb! Thanks for working on this.
I'm doing some exploratory tests with different scenarios to see if we're not missing anything. I just left a comment for your review, please see if you agree or not.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

[leandrodamascena]

I tested with several scenarios and all the resolvers and everything worked perfectly! Thanks so much for another great work @sthulb!

btw, I don't think we need e2e tests, functional are covering what we need to test.