middleware_cors_test.go
package gin
import (
"net/http"
"net/http/httptest"
"testing"
contractshttp "github.com/goravel/framework/contracts/http"
configmocks "github.com/goravel/framework/mocks/config"
"github.com/stretchr/testify/assert"
)
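// TestCors sends a CORS preflight request (OPTIONS /any/1 with Origin
// https://goravel.dev and Access-Control-Request-Method POST) through a route
// that has the Cors middleware installed, and checks the status code and the
// CORS response headers produced under different cors.* configuration values.
//
// Each case runs against its own config mock created with the subtest's
// *testing.T, so a failed assertion or an unmet mock expectation is reported
// against the case that caused it rather than against the parent test.
//
// NOTE(review): every case sets cors.supports_credentials to false and
// cors.max_age to 0, and only a preflight request is sent. A credentialed
// policy (in particular a wildcard origin combined with credentials) and
// actual non-preflight requests are not exercised here, so this test says
// nothing about Access-Control-Allow-Credentials or about headers emitted on
// the real response.
func TestCors(t *testing.T) {
	// pathMatches records whether the request path is expected to fall under
	// cors.paths. When it does not, the original test registered no
	// expectation for the remaining cors.* keys, so none are registered here
	// either (the mock would report them as unmet).
	tests := []struct {
		name        string
		paths       []string
		methods     []string
		origins     []string
		exposed     []string
		pathMatches bool
		wantStatus  int
		wantMethods string
		wantOrigin  string
	}{
		{
			name:        "allow all paths",
			paths:       []string{"*"},
			methods:     []string{"*"},
			origins:     []string{"*"},
			exposed:     []string{"*"},
			pathMatches: true,
			wantStatus:  http.StatusNoContent,
			wantMethods: "POST",
			wantOrigin:  "*",
		},
		{
			// The path is outside cors.paths: no CORS headers are expected
			// and the OPTIONS request gets a 404.
			name:        "not allow path",
			paths:       []string{"api"},
			pathMatches: false,
			wantStatus:  http.StatusNotFound,
			wantMethods: "",
			wantOrigin:  "",
		},
		{
			name:        "allow path with *",
			paths:       []string{"any/*"},
			methods:     []string{"*"},
			origins:     []string{"*"},
			exposed:     []string{"*"},
			pathMatches: true,
			wantStatus:  http.StatusNoContent,
			wantMethods: "POST",
			wantOrigin:  "*",
		},
		{
			name:        "only allow POST",
			paths:       []string{"*"},
			methods:     []string{"POST"},
			origins:     []string{"*"},
			exposed:     []string{"*"},
			pathMatches: true,
			wantStatus:  http.StatusNoContent,
			wantMethods: "POST",
			wantOrigin:  "*",
		},
		{
			// The requested method is not in the allow-list: the preflight
			// still answers 204 but carries no Allow-* headers.
			name:        "not allow POST",
			paths:       []string{"*"},
			methods:     []string{"GET"},
			origins:     []string{"*"},
			exposed:     []string{"*"},
			pathMatches: true,
			wantStatus:  http.StatusNoContent,
			wantMethods: "",
			wantOrigin:  "",
		},
		{
			// The request Origin (https://goravel.dev) differs from the only
			// allowed origin, so no Allow-Origin header may be returned.
			name:        "not allow origin",
			paths:       []string{"*"},
			methods:     []string{"*"},
			origins:     []string{"https://goravel.com"},
			exposed:     []string{"*"},
			pathMatches: true,
			wantStatus:  http.StatusNoContent,
			wantMethods: "",
			wantOrigin:  "",
		},
		{
			// An explicit allow-list entry is echoed back instead of "*".
			name:        "allow specific origin",
			paths:       []string{"*"},
			methods:     []string{"*"},
			origins:     []string{"https://goravel.dev"},
			exposed:     []string{"*"},
			pathMatches: true,
			wantStatus:  http.StatusNoContent,
			wantMethods: "POST",
			wantOrigin:  "https://goravel.dev",
		},
		{
			// NOTE(review): the expectations are identical to the wildcard
			// case above, and Access-Control-Expose-Headers is asserted empty
			// in every case, so this case does not demonstrate that the
			// exposed-header list is applied.
			name:        "not allow exposed headers",
			paths:       []string{"*"},
			methods:     []string{"*"},
			origins:     []string{"*"},
			exposed:     []string{"Goravel"},
			pathMatches: true,
			wantStatus:  http.StatusNoContent,
			wantMethods: "POST",
			wantOrigin:  "*",
		},
	}

	for _, test := range tests {
		t.Run(test.name, func(t *testing.T) {
			// Bind the mock to the subtest so its expectation check runs when
			// this case finishes.
			mockConfig := configmocks.NewConfig(t)
			mockConfig.On("GetBool", "app.debug").Return(true).Once()
			mockConfig.On("GetInt", "http.drivers.gin.body_limit", 4096).Return(4096).Once()
			mockConfig.On("Get", "cors.paths").Return(test.paths).Once()
			if test.pathMatches {
				mockConfig.On("Get", "cors.allowed_methods").Return(test.methods).Once()
				mockConfig.On("Get", "cors.allowed_origins").Return(test.origins).Once()
				mockConfig.On("Get", "cors.allowed_headers").Return([]string{"*"}).Once()
				mockConfig.On("Get", "cors.exposed_headers").Return(test.exposed).Once()
				mockConfig.On("GetInt", "cors.max_age").Return(0).Once()
				mockConfig.On("GetBool", "cors.supports_credentials").Return(false).Once()
			}
			ConfigFacade = mockConfig

			route, err := NewRoute(mockConfig, nil)
			if !assert.NoError(t, err) {
				// Without a route the rest of the case cannot run.
				return
			}
			route.setMiddlewares([]contractshttp.Middleware{Cors()})
			route.Post("/any/{id}", func(ctx contractshttp.Context) contractshttp.Response {
				return ctx.Response().Success().Json(contractshttp.Json{
					"id": ctx.Request().Input("id"),
				})
			})

			req, err := http.NewRequest(http.MethodOptions, "/any/1", nil)
			if !assert.NoError(t, err) {
				return
			}
			// The preflight names a method but sends no
			// Access-Control-Request-Headers; every case expects an empty
			// Access-Control-Allow-Headers in return.
			req.Header.Set("Origin", "https://goravel.dev")
			req.Header.Set("Access-Control-Request-Method", "POST")

			resp := httptest.NewRecorder()
			route.ServeHTTP(resp, req)

			headers := resp.Header()
			assert.Equal(t, test.wantStatus, resp.Code)
			assert.Equal(t, test.wantMethods, headers.Get("Access-Control-Allow-Methods"))
			assert.Equal(t, test.wantOrigin, headers.Get("Access-Control-Allow-Origin"))
			assert.Equal(t, "", headers.Get("Access-Control-Allow-Headers"))
			assert.Equal(t, "", headers.Get("Access-Control-Expose-Headers"))
		})
	}
}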