2016-04-08 01:16:58 +02:00
|
|
|
package middleware
|
|
|
|
|
|
|
|
import (
|
2020-10-09 11:07:29 +02:00
|
|
|
"errors"
|
2018-10-14 17:16:58 +02:00
|
|
|
"net/http"
|
2016-09-23 07:53:44 +02:00
|
|
|
"net/http/httptest"
|
2016-04-08 01:16:58 +02:00
|
|
|
"testing"
|
|
|
|
|
2019-01-30 12:56:56 +02:00
|
|
|
"github.com/labstack/echo/v4"
|
2016-04-08 01:16:58 +02:00
|
|
|
"github.com/stretchr/testify/assert"
|
|
|
|
)
|
|
|
|
|
|
|
|
func TestCORS(t *testing.T) {
|
|
|
|
e := echo.New()
|
2016-11-13 06:24:53 +02:00
|
|
|
|
2016-11-22 00:42:13 +02:00
|
|
|
// Wildcard origin
|
2018-10-14 17:16:58 +02:00
|
|
|
req := httptest.NewRequest(http.MethodGet, "/", nil)
|
2016-09-23 07:53:44 +02:00
|
|
|
rec := httptest.NewRecorder()
|
2016-04-24 19:21:23 +02:00
|
|
|
c := e.NewContext(req, rec)
|
2016-11-13 06:24:53 +02:00
|
|
|
h := CORS()(echo.NotFoundHandler)
|
2020-11-06 02:15:40 +02:00
|
|
|
req.Header.Set(echo.HeaderOrigin, "localhost")
|
2016-04-08 01:16:58 +02:00
|
|
|
h(c)
|
2016-04-24 19:21:23 +02:00
|
|
|
assert.Equal(t, "*", rec.Header().Get(echo.HeaderAccessControlAllowOrigin))
|
2016-04-08 01:16:58 +02:00
|
|
|
|
2020-11-06 02:15:40 +02:00
|
|
|
// Wildcard AllowedOrigin with no Origin header in request
|
|
|
|
req = httptest.NewRequest(http.MethodGet, "/", nil)
|
|
|
|
rec = httptest.NewRecorder()
|
|
|
|
c = e.NewContext(req, rec)
|
|
|
|
h = CORS()(echo.NotFoundHandler)
|
|
|
|
h(c)
|
|
|
|
assert.NotContains(t, rec.Header(), echo.HeaderAccessControlAllowOrigin)
|
|
|
|
|
2016-11-22 00:42:13 +02:00
|
|
|
// Allow origins
|
2018-10-14 17:16:58 +02:00
|
|
|
req = httptest.NewRequest(http.MethodGet, "/", nil)
|
2016-09-23 07:53:44 +02:00
|
|
|
rec = httptest.NewRecorder()
|
2016-04-24 19:21:23 +02:00
|
|
|
c = e.NewContext(req, rec)
|
2016-11-22 00:42:13 +02:00
|
|
|
h = CORSWithConfig(CORSConfig{
|
2020-11-06 02:15:40 +02:00
|
|
|
AllowOrigins: []string{"localhost"},
|
|
|
|
AllowCredentials: true,
|
|
|
|
MaxAge: 3600,
|
2016-11-22 00:42:13 +02:00
|
|
|
})(echo.NotFoundHandler)
|
2016-09-23 07:53:44 +02:00
|
|
|
req.Header.Set(echo.HeaderOrigin, "localhost")
|
2016-04-08 01:16:58 +02:00
|
|
|
h(c)
|
2016-04-24 19:21:23 +02:00
|
|
|
assert.Equal(t, "localhost", rec.Header().Get(echo.HeaderAccessControlAllowOrigin))
|
2020-11-06 02:15:40 +02:00
|
|
|
assert.Equal(t, "true", rec.Header().Get(echo.HeaderAccessControlAllowCredentials))
|
2016-04-08 01:16:58 +02:00
|
|
|
|
|
|
|
// Preflight request
|
2018-10-14 17:16:58 +02:00
|
|
|
req = httptest.NewRequest(http.MethodOptions, "/", nil)
|
2016-09-23 07:53:44 +02:00
|
|
|
rec = httptest.NewRecorder()
|
2016-04-24 19:21:23 +02:00
|
|
|
c = e.NewContext(req, rec)
|
2016-09-23 07:53:44 +02:00
|
|
|
req.Header.Set(echo.HeaderOrigin, "localhost")
|
|
|
|
req.Header.Set(echo.HeaderContentType, echo.MIMEApplicationJSON)
|
2016-11-13 06:24:53 +02:00
|
|
|
cors := CORSWithConfig(CORSConfig{
|
|
|
|
AllowOrigins: []string{"localhost"},
|
|
|
|
AllowCredentials: true,
|
|
|
|
MaxAge: 3600,
|
|
|
|
})
|
|
|
|
h = cors(echo.NotFoundHandler)
|
2016-04-08 01:16:58 +02:00
|
|
|
h(c)
|
2016-04-24 19:21:23 +02:00
|
|
|
assert.Equal(t, "localhost", rec.Header().Get(echo.HeaderAccessControlAllowOrigin))
|
|
|
|
assert.NotEmpty(t, rec.Header().Get(echo.HeaderAccessControlAllowMethods))
|
|
|
|
assert.Equal(t, "true", rec.Header().Get(echo.HeaderAccessControlAllowCredentials))
|
|
|
|
assert.Equal(t, "3600", rec.Header().Get(echo.HeaderAccessControlMaxAge))
|
2018-06-19 15:49:23 +02:00
|
|
|
|
|
|
|
// Preflight request with `AllowOrigins` *
|
2018-10-14 17:16:58 +02:00
|
|
|
req = httptest.NewRequest(http.MethodOptions, "/", nil)
|
2018-06-19 15:49:23 +02:00
|
|
|
rec = httptest.NewRecorder()
|
|
|
|
c = e.NewContext(req, rec)
|
|
|
|
req.Header.Set(echo.HeaderOrigin, "localhost")
|
|
|
|
req.Header.Set(echo.HeaderContentType, echo.MIMEApplicationJSON)
|
2018-07-03 18:51:15 +02:00
|
|
|
cors = CORSWithConfig(CORSConfig{
|
2018-06-19 15:49:23 +02:00
|
|
|
AllowOrigins: []string{"*"},
|
|
|
|
AllowCredentials: true,
|
|
|
|
MaxAge: 3600,
|
|
|
|
})
|
|
|
|
h = cors(echo.NotFoundHandler)
|
|
|
|
h(c)
|
|
|
|
assert.Equal(t, "localhost", rec.Header().Get(echo.HeaderAccessControlAllowOrigin))
|
|
|
|
assert.NotEmpty(t, rec.Header().Get(echo.HeaderAccessControlAllowMethods))
|
|
|
|
assert.Equal(t, "true", rec.Header().Get(echo.HeaderAccessControlAllowCredentials))
|
|
|
|
assert.Equal(t, "3600", rec.Header().Get(echo.HeaderAccessControlMaxAge))
|
2019-03-09 20:32:49 +02:00
|
|
|
|
2020-11-06 02:15:40 +02:00
|
|
|
// Preflight request with Access-Control-Request-Headers
|
|
|
|
req = httptest.NewRequest(http.MethodOptions, "/", nil)
|
|
|
|
rec = httptest.NewRecorder()
|
|
|
|
c = e.NewContext(req, rec)
|
|
|
|
req.Header.Set(echo.HeaderOrigin, "localhost")
|
|
|
|
req.Header.Set(echo.HeaderContentType, echo.MIMEApplicationJSON)
|
|
|
|
req.Header.Set(echo.HeaderAccessControlRequestHeaders, "Special-Request-Header")
|
|
|
|
cors = CORSWithConfig(CORSConfig{
|
|
|
|
AllowOrigins: []string{"*"},
|
|
|
|
})
|
|
|
|
h = cors(echo.NotFoundHandler)
|
|
|
|
h(c)
|
|
|
|
assert.Equal(t, "*", rec.Header().Get(echo.HeaderAccessControlAllowOrigin))
|
|
|
|
assert.Equal(t, "Special-Request-Header", rec.Header().Get(echo.HeaderAccessControlAllowHeaders))
|
|
|
|
assert.NotEmpty(t, rec.Header().Get(echo.HeaderAccessControlAllowMethods))
|
|
|
|
|
2019-03-09 20:32:49 +02:00
|
|
|
// Preflight request with `AllowOrigins` which allow all subdomains with *
|
|
|
|
req = httptest.NewRequest(http.MethodOptions, "/", nil)
|
|
|
|
rec = httptest.NewRecorder()
|
|
|
|
c = e.NewContext(req, rec)
|
|
|
|
req.Header.Set(echo.HeaderOrigin, "http://aaa.example.com")
|
|
|
|
cors = CORSWithConfig(CORSConfig{
|
2020-01-25 19:48:53 +02:00
|
|
|
AllowOrigins: []string{"http://*.example.com"},
|
2019-03-09 20:32:49 +02:00
|
|
|
})
|
|
|
|
h = cors(echo.NotFoundHandler)
|
|
|
|
h(c)
|
|
|
|
assert.Equal(t, "http://aaa.example.com", rec.Header().Get(echo.HeaderAccessControlAllowOrigin))
|
|
|
|
|
|
|
|
req.Header.Set(echo.HeaderOrigin, "http://bbb.example.com")
|
|
|
|
h(c)
|
|
|
|
assert.Equal(t, "http://bbb.example.com", rec.Header().Get(echo.HeaderAccessControlAllowOrigin))
|
2016-04-08 01:16:58 +02:00
|
|
|
}
|
2020-08-18 03:39:54 +02:00
|
|
|
|
|
|
|
func Test_allowOriginScheme(t *testing.T) {
|
|
|
|
tests := []struct {
|
|
|
|
domain, pattern string
|
|
|
|
expected bool
|
|
|
|
}{
|
|
|
|
{
|
|
|
|
domain: "http://example.com",
|
|
|
|
pattern: "http://example.com",
|
|
|
|
expected: true,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
domain: "https://example.com",
|
|
|
|
pattern: "https://example.com",
|
|
|
|
expected: true,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
domain: "http://example.com",
|
|
|
|
pattern: "https://example.com",
|
|
|
|
expected: false,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
domain: "https://example.com",
|
|
|
|
pattern: "http://example.com",
|
|
|
|
expected: false,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
e := echo.New()
|
|
|
|
for _, tt := range tests {
|
|
|
|
req := httptest.NewRequest(http.MethodOptions, "/", nil)
|
|
|
|
rec := httptest.NewRecorder()
|
|
|
|
c := e.NewContext(req, rec)
|
|
|
|
req.Header.Set(echo.HeaderOrigin, tt.domain)
|
|
|
|
cors := CORSWithConfig(CORSConfig{
|
|
|
|
AllowOrigins: []string{tt.pattern},
|
|
|
|
})
|
|
|
|
h := cors(echo.NotFoundHandler)
|
|
|
|
h(c)
|
|
|
|
|
|
|
|
if tt.expected {
|
|
|
|
assert.Equal(t, tt.domain, rec.Header().Get(echo.HeaderAccessControlAllowOrigin))
|
|
|
|
} else {
|
2020-11-06 02:15:40 +02:00
|
|
|
assert.NotContains(t, rec.Header(), echo.HeaderAccessControlAllowOrigin)
|
2020-08-18 03:39:54 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func Test_allowOriginSubdomain(t *testing.T) {
|
|
|
|
tests := []struct {
|
|
|
|
domain, pattern string
|
|
|
|
expected bool
|
|
|
|
}{
|
|
|
|
{
|
|
|
|
domain: "http://aaa.example.com",
|
|
|
|
pattern: "http://*.example.com",
|
|
|
|
expected: true,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
domain: "http://bbb.aaa.example.com",
|
|
|
|
pattern: "http://*.example.com",
|
|
|
|
expected: true,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
domain: "http://bbb.aaa.example.com",
|
|
|
|
pattern: "http://*.aaa.example.com",
|
|
|
|
expected: true,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
domain: "http://aaa.example.com:8080",
|
|
|
|
pattern: "http://*.example.com:8080",
|
|
|
|
expected: true,
|
|
|
|
},
|
|
|
|
|
|
|
|
{
|
|
|
|
domain: "http://fuga.hoge.com",
|
|
|
|
pattern: "http://*.example.com",
|
|
|
|
expected: false,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
domain: "http://ccc.bbb.example.com",
|
|
|
|
pattern: "http://*.aaa.example.com",
|
|
|
|
expected: false,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
domain: `http://1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890\
|
|
|
|
.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890\
|
|
|
|
.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890\
|
|
|
|
.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.example.com`,
|
|
|
|
pattern: "http://*.example.com",
|
|
|
|
expected: false,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
domain: `http://1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.1234567890.example.com`,
|
|
|
|
pattern: "http://*.example.com",
|
|
|
|
expected: false,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
domain: "http://ccc.bbb.example.com",
|
|
|
|
pattern: "http://example.com",
|
|
|
|
expected: false,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
domain: "https://prod-preview--aaa.bbb.com",
|
|
|
|
pattern: "https://*--aaa.bbb.com",
|
|
|
|
expected: true,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
domain: "http://ccc.bbb.example.com",
|
|
|
|
pattern: "http://*.example.com",
|
|
|
|
expected: true,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
domain: "http://ccc.bbb.example.com",
|
|
|
|
pattern: "http://foo.[a-z]*.example.com",
|
|
|
|
expected: false,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
e := echo.New()
|
|
|
|
for _, tt := range tests {
|
|
|
|
req := httptest.NewRequest(http.MethodOptions, "/", nil)
|
|
|
|
rec := httptest.NewRecorder()
|
|
|
|
c := e.NewContext(req, rec)
|
|
|
|
req.Header.Set(echo.HeaderOrigin, tt.domain)
|
|
|
|
cors := CORSWithConfig(CORSConfig{
|
|
|
|
AllowOrigins: []string{tt.pattern},
|
|
|
|
})
|
|
|
|
h := cors(echo.NotFoundHandler)
|
|
|
|
h(c)
|
|
|
|
|
|
|
|
if tt.expected {
|
|
|
|
assert.Equal(t, tt.domain, rec.Header().Get(echo.HeaderAccessControlAllowOrigin))
|
|
|
|
} else {
|
2020-11-06 02:15:40 +02:00
|
|
|
assert.NotContains(t, rec.Header(), echo.HeaderAccessControlAllowOrigin)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestCorsHeaders(t *testing.T) {
|
|
|
|
tests := []struct {
|
|
|
|
domain, allowedOrigin, method string
|
|
|
|
expected bool
|
|
|
|
}{
|
|
|
|
{
|
|
|
|
domain: "", // Request does not have Origin header
|
|
|
|
allowedOrigin: "*",
|
|
|
|
method: http.MethodGet,
|
|
|
|
expected: false,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
domain: "http://example.com",
|
|
|
|
allowedOrigin: "*",
|
|
|
|
method: http.MethodGet,
|
|
|
|
expected: true,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
domain: "", // Request does not have Origin header
|
|
|
|
allowedOrigin: "http://example.com",
|
|
|
|
method: http.MethodGet,
|
|
|
|
expected: false,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
domain: "http://bar.com",
|
|
|
|
allowedOrigin: "http://example.com",
|
|
|
|
method: http.MethodGet,
|
|
|
|
expected: false,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
domain: "http://example.com",
|
|
|
|
allowedOrigin: "http://example.com",
|
|
|
|
method: http.MethodGet,
|
|
|
|
expected: true,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
domain: "", // Request does not have Origin header
|
|
|
|
allowedOrigin: "*",
|
|
|
|
method: http.MethodOptions,
|
|
|
|
expected: false,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
domain: "http://example.com",
|
|
|
|
allowedOrigin: "*",
|
|
|
|
method: http.MethodOptions,
|
|
|
|
expected: true,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
domain: "", // Request does not have Origin header
|
|
|
|
allowedOrigin: "http://example.com",
|
|
|
|
method: http.MethodOptions,
|
|
|
|
expected: false,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
domain: "http://bar.com",
|
|
|
|
allowedOrigin: "http://example.com",
|
|
|
|
method: http.MethodGet,
|
|
|
|
expected: false,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
domain: "http://example.com",
|
|
|
|
allowedOrigin: "http://example.com",
|
|
|
|
method: http.MethodOptions,
|
|
|
|
expected: true,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
e := echo.New()
|
|
|
|
for _, tt := range tests {
|
|
|
|
req := httptest.NewRequest(tt.method, "/", nil)
|
|
|
|
rec := httptest.NewRecorder()
|
|
|
|
c := e.NewContext(req, rec)
|
|
|
|
if tt.domain != "" {
|
|
|
|
req.Header.Set(echo.HeaderOrigin, tt.domain)
|
|
|
|
}
|
|
|
|
cors := CORSWithConfig(CORSConfig{
|
|
|
|
AllowOrigins: []string{tt.allowedOrigin},
|
|
|
|
//AllowCredentials: true,
|
|
|
|
//MaxAge: 3600,
|
|
|
|
})
|
|
|
|
h := cors(echo.NotFoundHandler)
|
|
|
|
h(c)
|
|
|
|
|
|
|
|
assert.Equal(t, echo.HeaderOrigin, rec.Header().Get(echo.HeaderVary))
|
|
|
|
|
|
|
|
expectedAllowOrigin := ""
|
|
|
|
if tt.allowedOrigin == "*" {
|
|
|
|
expectedAllowOrigin = "*"
|
|
|
|
} else {
|
|
|
|
expectedAllowOrigin = tt.domain
|
|
|
|
}
|
|
|
|
|
|
|
|
switch {
|
|
|
|
case tt.expected && tt.method == http.MethodOptions:
|
|
|
|
assert.Contains(t, rec.Header(), echo.HeaderAccessControlAllowMethods)
|
|
|
|
assert.Equal(t, expectedAllowOrigin, rec.Header().Get(echo.HeaderAccessControlAllowOrigin))
|
|
|
|
assert.Equal(t, 3, len(rec.Header()[echo.HeaderVary]))
|
|
|
|
case tt.expected && tt.method == http.MethodGet:
|
|
|
|
assert.Equal(t, expectedAllowOrigin, rec.Header().Get(echo.HeaderAccessControlAllowOrigin))
|
|
|
|
assert.Equal(t, 1, len(rec.Header()[echo.HeaderVary])) // Vary: Origin
|
|
|
|
default:
|
|
|
|
assert.NotContains(t, rec.Header(), echo.HeaderAccessControlAllowOrigin)
|
|
|
|
assert.Equal(t, 1, len(rec.Header()[echo.HeaderVary])) // Vary: Origin
|
|
|
|
}
|
|
|
|
|
|
|
|
if tt.method == http.MethodOptions {
|
|
|
|
assert.Equal(t, http.StatusNoContent, rec.Code)
|
2020-08-18 03:39:54 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2020-10-09 11:07:29 +02:00
|
|
|
|
|
|
|
func Test_allowOriginFunc(t *testing.T) {
|
|
|
|
returnTrue := func(origin string) (bool, error) {
|
|
|
|
return true, nil
|
|
|
|
}
|
|
|
|
returnFalse := func(origin string) (bool, error) {
|
|
|
|
return false, nil
|
|
|
|
}
|
|
|
|
returnError := func(origin string) (bool, error) {
|
|
|
|
return true, errors.New("this is a test error")
|
|
|
|
}
|
|
|
|
|
|
|
|
allowOriginFuncs := []func(origin string) (bool, error){
|
|
|
|
returnTrue,
|
|
|
|
returnFalse,
|
|
|
|
returnError,
|
|
|
|
}
|
|
|
|
|
|
|
|
const origin = "http://example.com"
|
|
|
|
|
|
|
|
e := echo.New()
|
|
|
|
for _, allowOriginFunc := range allowOriginFuncs {
|
|
|
|
req := httptest.NewRequest(http.MethodOptions, "/", nil)
|
|
|
|
rec := httptest.NewRecorder()
|
|
|
|
c := e.NewContext(req, rec)
|
|
|
|
req.Header.Set(echo.HeaderOrigin, origin)
|
|
|
|
cors := CORSWithConfig(CORSConfig{
|
|
|
|
AllowOriginFunc: allowOriginFunc,
|
|
|
|
})
|
|
|
|
h := cors(echo.NotFoundHandler)
|
|
|
|
err := h(c)
|
|
|
|
|
|
|
|
expected, expectedErr := allowOriginFunc(origin)
|
|
|
|
if expectedErr != nil {
|
|
|
|
assert.Equal(t, expectedErr, err)
|
|
|
|
assert.Equal(t, "", rec.Header().Get(echo.HeaderAccessControlAllowOrigin))
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
if expected {
|
|
|
|
assert.Equal(t, origin, rec.Header().Get(echo.HeaderAccessControlAllowOrigin))
|
|
|
|
} else {
|
|
|
|
assert.Equal(t, "", rec.Header().Get(echo.HeaderAccessControlAllowOrigin))
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|