aboutsummaryrefslogtreecommitdiff
path: root/cors_test.go
diff options
context:
space:
mode:
Diffstat (limited to 'cors_test.go')
-rw-r--r--cors_test.go371
1 files changed, 371 insertions, 0 deletions
diff --git a/cors_test.go b/cors_test.go
new file mode 100644
index 0000000..28672a0
--- /dev/null
+++ b/cors_test.go
@@ -0,0 +1,371 @@
+package cors
+
+import (
+ "net/http"
+ "net/http/httptest"
+ "regexp"
+ "strings"
+ "testing"
+)
+
+var testHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ w.Write([]byte("bar"))
+})
+
+func assertHeaders(t *testing.T, resHeaders http.Header, reqHeaders map[string]string) {
+ for name, value := range reqHeaders {
+ if actual := strings.Join(resHeaders[name], ", "); actual != value {
+ t.Errorf("Invalid header `%s', wanted `%s', got `%s'", name, value, actual)
+ }
+ }
+}
+
+func TestNoConfig(t *testing.T) {
+ s := New(Options{
+ // Intentionally left blank.
+ })
+
+ res := httptest.NewRecorder()
+ req, _ := http.NewRequest("GET", "http://example.com/foo", nil)
+
+ s.Handler(testHandler).ServeHTTP(res, req)
+
+ assertHeaders(t, res.Header(), map[string]string{
+ "Vary": "Origin",
+ "Access-Control-Allow-Origin": "",
+ "Access-Control-Allow-Methods": "",
+ "Access-Control-Allow-Headers": "",
+ "Access-Control-Allow-Credentials": "",
+ "Access-Control-Max-Age": "",
+ "Access-Control-Expose-Headers": "",
+ })
+}
+
+func TestMatchAllOrigin(t *testing.T) {
+ s := New(Options{
+ AllowedOrigins: []string{"*"},
+ })
+
+ res := httptest.NewRecorder()
+ req, _ := http.NewRequest("GET", "http://example.com/foo", nil)
+ req.Header.Add("Origin", "http://foobar.com")
+
+ s.Handler(testHandler).ServeHTTP(res, req)
+
+ assertHeaders(t, res.Header(), map[string]string{
+ "Vary": "Origin",
+ "Access-Control-Allow-Origin": "http://foobar.com",
+ "Access-Control-Allow-Methods": "",
+ "Access-Control-Allow-Headers": "",
+ "Access-Control-Allow-Credentials": "",
+ "Access-Control-Max-Age": "",
+ "Access-Control-Expose-Headers": "",
+ })
+}
+
+func TestAllowedOrigin(t *testing.T) {
+ s := New(Options{
+ AllowedOrigins: []string{"http://foobar.com"},
+ })
+
+ res := httptest.NewRecorder()
+ req, _ := http.NewRequest("GET", "http://example.com/foo", nil)
+ req.Header.Add("Origin", "http://foobar.com")
+
+ s.Handler(testHandler).ServeHTTP(res, req)
+
+ assertHeaders(t, res.Header(), map[string]string{
+ "Vary": "Origin",
+ "Access-Control-Allow-Origin": "http://foobar.com",
+ "Access-Control-Allow-Methods": "",
+ "Access-Control-Allow-Headers": "",
+ "Access-Control-Allow-Credentials": "",
+ "Access-Control-Max-Age": "",
+ "Access-Control-Expose-Headers": "",
+ })
+}
+
+func TestWildcardOrigin(t *testing.T) {
+ s := New(Options{
+ AllowedOrigins: []string{"http://*.bar.com"},
+ })
+
+ res := httptest.NewRecorder()
+ req, _ := http.NewRequest("GET", "http://example.com/foo", nil)
+ req.Header.Add("Origin", "http://foo.bar.com")
+
+ s.Handler(testHandler).ServeHTTP(res, req)
+
+ assertHeaders(t, res.Header(), map[string]string{
+ "Vary": "Origin",
+ "Access-Control-Allow-Origin": "http://foo.bar.com",
+ "Access-Control-Allow-Methods": "",
+ "Access-Control-Allow-Headers": "",
+ "Access-Control-Allow-Credentials": "",
+ "Access-Control-Max-Age": "",
+ "Access-Control-Expose-Headers": "",
+ })
+}
+
+func TestDisallowedOrigin(t *testing.T) {
+ s := New(Options{
+ AllowedOrigins: []string{"http://foobar.com"},
+ })
+
+ res := httptest.NewRecorder()
+ req, _ := http.NewRequest("GET", "http://example.com/foo", nil)
+ req.Header.Add("Origin", "http://barbaz.com")
+
+ s.Handler(testHandler).ServeHTTP(res, req)
+
+ assertHeaders(t, res.Header(), map[string]string{
+ "Vary": "Origin",
+ "Access-Control-Allow-Origin": "",
+ "Access-Control-Allow-Methods": "",
+ "Access-Control-Allow-Headers": "",
+ "Access-Control-Allow-Credentials": "",
+ "Access-Control-Max-Age": "",
+ "Access-Control-Expose-Headers": "",
+ })
+}
+
+func TestDisallowedWildcardOrigin(t *testing.T) {
+ s := New(Options{
+ AllowedOrigins: []string{"http://*.bar.com"},
+ })
+
+ res := httptest.NewRecorder()
+ req, _ := http.NewRequest("GET", "http://example.com/foo", nil)
+ req.Header.Add("Origin", "http://foo.baz.com")
+
+ s.Handler(testHandler).ServeHTTP(res, req)
+
+ assertHeaders(t, res.Header(), map[string]string{
+ "Vary": "Origin",
+ "Access-Control-Allow-Origin": "",
+ "Access-Control-Allow-Methods": "",
+ "Access-Control-Allow-Headers": "",
+ "Access-Control-Allow-Credentials": "",
+ "Access-Control-Max-Age": "",
+ "Access-Control-Expose-Headers": "",
+ })
+}
+
+func TestAllowedOriginFunc(t *testing.T) {
+ r, _ := regexp.Compile("^http://foo")
+ s := New(Options{
+ AllowOriginFunc: func(o string) bool {
+ return r.MatchString(o)
+ },
+ })
+
+ req, _ := http.NewRequest("GET", "http://example.com/foo", nil)
+
+ res := httptest.NewRecorder()
+ req.Header.Set("Origin", "http://foobar.com")
+ s.Handler(testHandler).ServeHTTP(res, req)
+ assertHeaders(t, res.Header(), map[string]string{
+ "Access-Control-Allow-Origin": "http://foobar.com",
+ })
+
+ res = httptest.NewRecorder()
+ req.Header.Set("Origin", "http://barfoo.com")
+ s.Handler(testHandler).ServeHTTP(res, req)
+ assertHeaders(t, res.Header(), map[string]string{
+ "Access-Control-Allow-Origin": "",
+ })
+}
+
+func TestAllowedMethod(t *testing.T) {
+ s := New(Options{
+ AllowedOrigins: []string{"http://foobar.com"},
+ AllowedMethods: []string{"PUT", "DELETE"},
+ })
+
+ res := httptest.NewRecorder()
+ req, _ := http.NewRequest("OPTIONS", "http://example.com/foo", nil)
+ req.Header.Add("Origin", "http://foobar.com")
+ req.Header.Add("Access-Control-Request-Method", "PUT")
+
+ s.Handler(testHandler).ServeHTTP(res, req)
+
+ assertHeaders(t, res.Header(), map[string]string{
+ "Vary": "Origin, Access-Control-Request-Method, Access-Control-Request-Headers",
+ "Access-Control-Allow-Origin": "http://foobar.com",
+ "Access-Control-Allow-Methods": "PUT",
+ "Access-Control-Allow-Headers": "",
+ "Access-Control-Allow-Credentials": "",
+ "Access-Control-Max-Age": "",
+ "Access-Control-Expose-Headers": "",
+ })
+}
+
+func TestDisallowedMethod(t *testing.T) {
+ s := New(Options{
+ AllowedOrigins: []string{"http://foobar.com"},
+ AllowedMethods: []string{"PUT", "DELETE"},
+ })
+
+ res := httptest.NewRecorder()
+ req, _ := http.NewRequest("OPTIONS", "http://example.com/foo", nil)
+ req.Header.Add("Origin", "http://foobar.com")
+ req.Header.Add("Access-Control-Request-Method", "PATCH")
+
+ s.Handler(testHandler).ServeHTTP(res, req)
+
+ assertHeaders(t, res.Header(), map[string]string{
+ "Vary": "Origin, Access-Control-Request-Method, Access-Control-Request-Headers",
+ "Access-Control-Allow-Origin": "",
+ "Access-Control-Allow-Methods": "",
+ "Access-Control-Allow-Headers": "",
+ "Access-Control-Allow-Credentials": "",
+ "Access-Control-Max-Age": "",
+ "Access-Control-Expose-Headers": "",
+ })
+}
+
+func TestAllowedHeader(t *testing.T) {
+ s := New(Options{
+ AllowedOrigins: []string{"http://foobar.com"},
+ AllowedHeaders: []string{"X-Header-1", "x-header-2"},
+ })
+
+ res := httptest.NewRecorder()
+ req, _ := http.NewRequest("OPTIONS", "http://example.com/foo", nil)
+ req.Header.Add("Origin", "http://foobar.com")
+ req.Header.Add("Access-Control-Request-Method", "GET")
+ req.Header.Add("Access-Control-Request-Headers", "X-Header-2, X-HEADER-1")
+
+ s.Handler(testHandler).ServeHTTP(res, req)
+
+ assertHeaders(t, res.Header(), map[string]string{
+ "Vary": "Origin, Access-Control-Request-Method, Access-Control-Request-Headers",
+ "Access-Control-Allow-Origin": "http://foobar.com",
+ "Access-Control-Allow-Methods": "GET",
+ "Access-Control-Allow-Headers": "X-Header-2, X-Header-1",
+ "Access-Control-Allow-Credentials": "",
+ "Access-Control-Max-Age": "",
+ "Access-Control-Expose-Headers": "",
+ })
+}
+
+func TestAllowedWildcardHeader(t *testing.T) {
+ s := New(Options{
+ AllowedOrigins: []string{"http://foobar.com"},
+ AllowedHeaders: []string{"*"},
+ })
+
+ res := httptest.NewRecorder()
+ req, _ := http.NewRequest("OPTIONS", "http://example.com/foo", nil)
+ req.Header.Add("Origin", "http://foobar.com")
+ req.Header.Add("Access-Control-Request-Method", "GET")
+ req.Header.Add("Access-Control-Request-Headers", "X-Header-2, X-HEADER-1")
+
+ s.Handler(testHandler).ServeHTTP(res, req)
+
+ assertHeaders(t, res.Header(), map[string]string{
+ "Vary": "Origin, Access-Control-Request-Method, Access-Control-Request-Headers",
+ "Access-Control-Allow-Origin": "http://foobar.com",
+ "Access-Control-Allow-Methods": "GET",
+ "Access-Control-Allow-Headers": "X-Header-2, X-Header-1",
+ "Access-Control-Allow-Credentials": "",
+ "Access-Control-Max-Age": "",
+ "Access-Control-Expose-Headers": "",
+ })
+}
+
+func TestDisallowedHeader(t *testing.T) {
+ s := New(Options{
+ AllowedOrigins: []string{"http://foobar.com"},
+ AllowedHeaders: []string{"X-Header-1", "x-header-2"},
+ })
+
+ res := httptest.NewRecorder()
+ req, _ := http.NewRequest("OPTIONS", "http://example.com/foo", nil)
+ req.Header.Add("Origin", "http://foobar.com")
+ req.Header.Add("Access-Control-Request-Method", "GET")
+ req.Header.Add("Access-Control-Request-Headers", "X-Header-3, X-Header-1")
+
+ s.Handler(testHandler).ServeHTTP(res, req)
+
+ assertHeaders(t, res.Header(), map[string]string{
+ "Vary": "Origin, Access-Control-Request-Method, Access-Control-Request-Headers",
+ "Access-Control-Allow-Origin": "",
+ "Access-Control-Allow-Methods": "",
+ "Access-Control-Allow-Headers": "",
+ "Access-Control-Allow-Credentials": "",
+ "Access-Control-Max-Age": "",
+ "Access-Control-Expose-Headers": "",
+ })
+}
+
+func TestOriginHeader(t *testing.T) {
+ s := New(Options{
+ AllowedOrigins: []string{"http://foobar.com"},
+ })
+
+ res := httptest.NewRecorder()
+ req, _ := http.NewRequest("OPTIONS", "http://example.com/foo", nil)
+ req.Header.Add("Origin", "http://foobar.com")
+ req.Header.Add("Access-Control-Request-Method", "GET")
+ req.Header.Add("Access-Control-Request-Headers", "origin")
+
+ s.Handler(testHandler).ServeHTTP(res, req)
+
+ assertHeaders(t, res.Header(), map[string]string{
+ "Vary": "Origin, Access-Control-Request-Method, Access-Control-Request-Headers",
+ "Access-Control-Allow-Origin": "http://foobar.com",
+ "Access-Control-Allow-Methods": "GET",
+ "Access-Control-Allow-Headers": "Origin",
+ "Access-Control-Allow-Credentials": "",
+ "Access-Control-Max-Age": "",
+ "Access-Control-Expose-Headers": "",
+ })
+}
+
+func TestExposedHeader(t *testing.T) {
+ s := New(Options{
+ AllowedOrigins: []string{"http://foobar.com"},
+ ExposedHeaders: []string{"X-Header-1", "x-header-2"},
+ })
+
+ res := httptest.NewRecorder()
+ req, _ := http.NewRequest("GET", "http://example.com/foo", nil)
+ req.Header.Add("Origin", "http://foobar.com")
+
+ s.Handler(testHandler).ServeHTTP(res, req)
+
+ assertHeaders(t, res.Header(), map[string]string{
+ "Vary": "Origin",
+ "Access-Control-Allow-Origin": "http://foobar.com",
+ "Access-Control-Allow-Methods": "",
+ "Access-Control-Allow-Headers": "",
+ "Access-Control-Allow-Credentials": "",
+ "Access-Control-Max-Age": "",
+ "Access-Control-Expose-Headers": "X-Header-1, X-Header-2",
+ })
+}
+
+func TestAllowedCredentials(t *testing.T) {
+ s := New(Options{
+ AllowedOrigins: []string{"http://foobar.com"},
+ AllowCredentials: true,
+ })
+
+ res := httptest.NewRecorder()
+ req, _ := http.NewRequest("OPTIONS", "http://example.com/foo", nil)
+ req.Header.Add("Origin", "http://foobar.com")
+ req.Header.Add("Access-Control-Request-Method", "GET")
+
+ s.Handler(testHandler).ServeHTTP(res, req)
+
+ assertHeaders(t, res.Header(), map[string]string{
+ "Vary": "Origin, Access-Control-Request-Method, Access-Control-Request-Headers",
+ "Access-Control-Allow-Origin": "http://foobar.com",
+ "Access-Control-Allow-Methods": "GET",
+ "Access-Control-Allow-Headers": "",
+ "Access-Control-Allow-Credentials": "true",
+ "Access-Control-Max-Age": "",
+ "Access-Control-Expose-Headers": "",
+ })
+}
generated by cgit v1.2.3 (git 2.25.1) at 2026-02-10 19:14:17 +0000