138 lines
4.7 KiB
Go
138 lines
4.7 KiB
Go
package middleware
|
|
|
|
import (
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"testing"
|
|
)
|
|
|
|
func TestCORSHandlerAllowsConfiguredOrigin(t *testing.T) {
|
|
mw := NewCORSMiddleware([]string{"https://allowed.example"})
|
|
nextCalled := false
|
|
h := mw.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
nextCalled = true
|
|
w.WriteHeader(http.StatusOK)
|
|
}))
|
|
|
|
req := httptest.NewRequest(http.MethodGet, "/", nil)
|
|
req.Header.Set("Origin", "https://allowed.example")
|
|
rr := httptest.NewRecorder()
|
|
h.ServeHTTP(rr, req)
|
|
|
|
if rr.Code != http.StatusOK {
|
|
t.Fatalf("expected 200, got %d", rr.Code)
|
|
}
|
|
if rr.Header().Get("Access-Control-Allow-Origin") != "https://allowed.example" {
|
|
t.Fatalf("unexpected allow-origin header: %q", rr.Header().Get("Access-Control-Allow-Origin"))
|
|
}
|
|
if rr.Header().Get("Access-Control-Allow-Credentials") != "true" {
|
|
t.Fatalf("expected allow-credentials true, got %q", rr.Header().Get("Access-Control-Allow-Credentials"))
|
|
}
|
|
if !nextCalled {
|
|
t.Fatal("expected next handler to be called")
|
|
}
|
|
}
|
|
|
|
func TestCORSHandlerAllowsAnyOriginWhenWildcardConfigured(t *testing.T) {
|
|
mw := NewCORSMiddleware([]string{"*"})
|
|
h := mw.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
w.WriteHeader(http.StatusOK)
|
|
}))
|
|
|
|
req := httptest.NewRequest(http.MethodGet, "/", nil)
|
|
req.Header.Set("Origin", "https://random.example")
|
|
rr := httptest.NewRecorder()
|
|
h.ServeHTTP(rr, req)
|
|
|
|
if rr.Header().Get("Access-Control-Allow-Origin") != "https://random.example" {
|
|
t.Fatalf("expected wildcard middleware to echo origin, got %q", rr.Header().Get("Access-Control-Allow-Origin"))
|
|
}
|
|
if rr.Header().Get("Access-Control-Allow-Credentials") != "true" {
|
|
t.Fatalf("expected allow-credentials true, got %q", rr.Header().Get("Access-Control-Allow-Credentials"))
|
|
}
|
|
}
|
|
|
|
func TestCORSHandlerAllowsSameHostOrigin(t *testing.T) {
|
|
mw := NewCORSMiddleware(nil)
|
|
h := mw.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
w.WriteHeader(http.StatusOK)
|
|
}))
|
|
|
|
req := httptest.NewRequest(http.MethodGet, "http://api.example:8080/path", nil)
|
|
req.Host = "api.example:8080"
|
|
req.Header.Set("Origin", "https://api.example")
|
|
rr := httptest.NewRecorder()
|
|
h.ServeHTTP(rr, req)
|
|
|
|
if rr.Header().Get("Access-Control-Allow-Origin") != "https://api.example" {
|
|
t.Fatalf("expected same-host origin to be allowed, got %q", rr.Header().Get("Access-Control-Allow-Origin"))
|
|
}
|
|
if rr.Header().Get("Access-Control-Allow-Credentials") != "true" {
|
|
t.Fatalf("expected allow-credentials true, got %q", rr.Header().Get("Access-Control-Allow-Credentials"))
|
|
}
|
|
}
|
|
|
|
func TestCORSHandlerDoesNotSetHeadersForDisallowedOrigin(t *testing.T) {
|
|
mw := NewCORSMiddleware([]string{"https://allowed.example"})
|
|
h := mw.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
w.WriteHeader(http.StatusOK)
|
|
}))
|
|
|
|
req := httptest.NewRequest(http.MethodGet, "/", nil)
|
|
req.Header.Set("Origin", "https://blocked.example")
|
|
rr := httptest.NewRecorder()
|
|
h.ServeHTTP(rr, req)
|
|
|
|
if rr.Header().Get("Access-Control-Allow-Origin") != "" {
|
|
t.Fatalf("expected no allow-origin header, got %q", rr.Header().Get("Access-Control-Allow-Origin"))
|
|
}
|
|
}
|
|
|
|
func TestCORSHandlerOptionsShortCircuits(t *testing.T) {
|
|
mw := NewCORSMiddleware([]string{"https://allowed.example"})
|
|
nextCalled := false
|
|
h := mw.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
nextCalled = true
|
|
w.WriteHeader(http.StatusOK)
|
|
}))
|
|
|
|
req := httptest.NewRequest(http.MethodOptions, "/", nil)
|
|
req.Header.Set("Origin", "https://allowed.example")
|
|
rr := httptest.NewRecorder()
|
|
h.ServeHTTP(rr, req)
|
|
|
|
if rr.Code != http.StatusNoContent {
|
|
t.Fatalf("expected 204, got %d", rr.Code)
|
|
}
|
|
if rr.Header().Get("Access-Control-Allow-Credentials") != "true" {
|
|
t.Fatalf("expected allow-credentials true, got %q", rr.Header().Get("Access-Control-Allow-Credentials"))
|
|
}
|
|
if nextCalled {
|
|
t.Fatal("expected next handler not to be called for OPTIONS")
|
|
}
|
|
}
|
|
|
|
func TestIsSameHost(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
origin string
|
|
requestHost string
|
|
want bool
|
|
}{
|
|
{name: "same host exact", origin: "https://api.example", requestHost: "api.example", want: true},
|
|
{name: "same host with port", origin: "https://api.example", requestHost: "api.example:8080", want: true},
|
|
{name: "case insensitive", origin: "https://API.EXAMPLE", requestHost: "api.example", want: true},
|
|
{name: "different host", origin: "https://api.example", requestHost: "other.example", want: false},
|
|
{name: "invalid origin", origin: "://bad", requestHost: "api.example", want: false},
|
|
}
|
|
|
|
for _, tc := range tests {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
got := isSameHost(tc.origin, tc.requestHost)
|
|
if got != tc.want {
|
|
t.Fatalf("isSameHost(%q, %q) = %v, want %v", tc.origin, tc.requestHost, got, tc.want)
|
|
}
|
|
})
|
|
}
|
|
}
|