echo/middleware/cors_test.go

package middleware

import (
	"net/http"
	"net/http/httptest"
	"testing"

	"github.com/labstack/echo/v4"
	"github.com/stretchr/testify/assert"
)

func TestCORS(t *testing.T) {
	e := echo.New()

	// Wildcard origin
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	rec := httptest.NewRecorder()
	c := e.NewContext(req, rec)
	h := CORS()(echo.NotFoundHandler)
	h(c)
	assert.Equal(t, "*", rec.Header().Get(echo.HeaderAccessControlAllowOrigin))

	// Allow origins
	req = httptest.NewRequest(http.MethodGet, "/", nil)
	rec = httptest.NewRecorder()
	c = e.NewContext(req, rec)
	h = CORSWithConfig(CORSConfig{
		AllowOrigins: []string{"localhost"},
	})(echo.NotFoundHandler)
	req.Header.Set(echo.HeaderOrigin, "localhost")
	h(c)
	assert.Equal(t, "localhost", rec.Header().Get(echo.HeaderAccessControlAllowOrigin))

	// Preflight request
	req = httptest.NewRequest(http.MethodOptions, "/", nil)
	rec = httptest.NewRecorder()
	c = e.NewContext(req, rec)
	req.Header.Set(echo.HeaderOrigin, "localhost")
	req.Header.Set(echo.HeaderContentType, echo.MIMEApplicationJSON)
	cors := CORSWithConfig(CORSConfig{
		AllowOrigins:     []string{"localhost"},
		AllowCredentials: true,
		MaxAge:           3600,
	})
	h = cors(echo.NotFoundHandler)
	h(c)
	assert.Equal(t, "localhost", rec.Header().Get(echo.HeaderAccessControlAllowOrigin))
	assert.NotEmpty(t, rec.Header().Get(echo.HeaderAccessControlAllowMethods))
	assert.Equal(t, "true", rec.Header().Get(echo.HeaderAccessControlAllowCredentials))
	assert.Equal(t, "3600", rec.Header().Get(echo.HeaderAccessControlMaxAge))

	// Preflight request with `AllowOrigins` *
	req = httptest.NewRequest(http.MethodOptions, "/", nil)
	rec = httptest.NewRecorder()
	c = e.NewContext(req, rec)
	req.Header.Set(echo.HeaderOrigin, "localhost")
	req.Header.Set(echo.HeaderContentType, echo.MIMEApplicationJSON)
	cors = CORSWithConfig(CORSConfig{
		AllowOrigins:     []string{"*"},
		AllowCredentials: true,
		MaxAge:           3600,
	})
	h = cors(echo.NotFoundHandler)
	h(c)
	assert.Equal(t, "localhost", rec.Header().Get(echo.HeaderAccessControlAllowOrigin))
	assert.NotEmpty(t, rec.Header().Get(echo.HeaderAccessControlAllowMethods))
	assert.Equal(t, "true", rec.Header().Get(echo.HeaderAccessControlAllowCredentials))
	assert.Equal(t, "3600", rec.Header().Get(echo.HeaderAccessControlMaxAge))

	// Preflight request with `AllowOrigins` which allow all subdomains with *
	req = httptest.NewRequest(http.MethodOptions, "/", nil)
	rec = httptest.NewRecorder()
	c = e.NewContext(req, rec)
	req.Header.Set(echo.HeaderOrigin, "http://aaa.example.com")
	cors = CORSWithConfig(CORSConfig{
		AllowOrigins:     []string{"http://*.example.com"},
	})
	h = cors(echo.NotFoundHandler)
	h(c)
	assert.Equal(t, "http://aaa.example.com", rec.Header().Get(echo.HeaderAccessControlAllowOrigin))

	req.Header.Set(echo.HeaderOrigin, "http://bbb.example.com")
	h(c)
	assert.Equal(t, "http://bbb.example.com", rec.Header().Get(echo.HeaderAccessControlAllowOrigin))
}
Fixed #454, Fixed #274 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-08 01:16:58 +02:00			`package middleware`

			`import (`
Replace http constants with stdlib ones, i.e.: http.MethodGet instead of echo.GET (#1205) 2018-10-14 17:16:58 +02:00			`"net/http"`
First commit to v3, #665 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-09-23 07:53:44 +02:00			`"net/http/httptest"`
Fixed #454, Fixed #274 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-08 01:16:58 +02:00			`"testing"`

Introduced Go module support as v4, removed obsolete CloseNotifier() mechanism This reintroduces support for Go modules, as v4. CloseNotifier() is removed as it has been obsoleted, see https://golang.org/doc/go1.11#net/http It was already NOT working (not sending signals) as of 1.11 the functionality was gone, we merely deleted the functions that exposed it. If anyone still relies on it they should migrate to using `c.Request().Context().Done()` instead. Closes #1268, #1255 2019-01-30 12:56:56 +02:00			`"github.com/labstack/echo/v4"`
Fixed #454, Fixed #274 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-08 01:16:58 +02:00			`"github.com/stretchr/testify/assert"`
			`)`

			`func TestCORS(t *testing.T) {`
			`e := echo.New()`
fixed #712 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-11-13 06:24:53 +02:00
fixed ##743 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-11-22 00:42:13 +02:00			`// Wildcard origin`
Replace http constants with stdlib ones, i.e.: http.MethodGet instead of echo.GET (#1205) 2018-10-14 17:16:58 +02:00			`req := httptest.NewRequest(http.MethodGet, "/", nil)`
First commit to v3, #665 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-09-23 07:53:44 +02:00			`rec := httptest.NewRecorder()`
Refactored variable names Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-24 19:21:23 +02:00			`c := e.NewContext(req, rec)`
fixed #712 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-11-13 06:24:53 +02:00			`h := CORS()(echo.NotFoundHandler)`
Fixed #454, Fixed #274 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-08 01:16:58 +02:00			`h(c)`
Refactored variable names Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-24 19:21:23 +02:00			`assert.Equal(t, "*", rec.Header().Get(echo.HeaderAccessControlAllowOrigin))`
Fixed #454, Fixed #274 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-08 01:16:58 +02:00
fixed ##743 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-11-22 00:42:13 +02:00			`// Allow origins`
Replace http constants with stdlib ones, i.e.: http.MethodGet instead of echo.GET (#1205) 2018-10-14 17:16:58 +02:00			`req = httptest.NewRequest(http.MethodGet, "/", nil)`
First commit to v3, #665 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-09-23 07:53:44 +02:00			`rec = httptest.NewRecorder()`
Refactored variable names Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-24 19:21:23 +02:00			`c = e.NewContext(req, rec)`
fixed ##743 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-11-22 00:42:13 +02:00			`h = CORSWithConfig(CORSConfig{`
			`AllowOrigins: []string{"localhost"},`
			`})(echo.NotFoundHandler)`
First commit to v3, #665 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-09-23 07:53:44 +02:00			`req.Header.Set(echo.HeaderOrigin, "localhost")`
Fixed #454, Fixed #274 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-08 01:16:58 +02:00			`h(c)`
Refactored variable names Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-24 19:21:23 +02:00			`assert.Equal(t, "localhost", rec.Header().Get(echo.HeaderAccessControlAllowOrigin))`
Fixed #454, Fixed #274 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-08 01:16:58 +02:00
			`// Preflight request`
Replace http constants with stdlib ones, i.e.: http.MethodGet instead of echo.GET (#1205) 2018-10-14 17:16:58 +02:00			`req = httptest.NewRequest(http.MethodOptions, "/", nil)`
First commit to v3, #665 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-09-23 07:53:44 +02:00			`rec = httptest.NewRecorder()`
Refactored variable names Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-24 19:21:23 +02:00			`c = e.NewContext(req, rec)`
First commit to v3, #665 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-09-23 07:53:44 +02:00			`req.Header.Set(echo.HeaderOrigin, "localhost")`
			`req.Header.Set(echo.HeaderContentType, echo.MIMEApplicationJSON)`
fixed #712 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-11-13 06:24:53 +02:00			`cors := CORSWithConfig(CORSConfig{`
			`AllowOrigins: []string{"localhost"},`
			`AllowCredentials: true,`
			`MaxAge: 3600,`
			`})`
			`h = cors(echo.NotFoundHandler)`
Fixed #454, Fixed #274 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-08 01:16:58 +02:00			`h(c)`
Refactored variable names Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-24 19:21:23 +02:00			`assert.Equal(t, "localhost", rec.Header().Get(echo.HeaderAccessControlAllowOrigin))`
			`assert.NotEmpty(t, rec.Header().Get(echo.HeaderAccessControlAllowMethods))`
			`assert.Equal(t, "true", rec.Header().Get(echo.HeaderAccessControlAllowCredentials))`
			`assert.Equal(t, "3600", rec.Header().Get(echo.HeaderAccessControlMaxAge))`
add a few tests 2018-06-19 15:49:23 +02:00
			// Preflight request with `AllowOrigins` *
Replace http constants with stdlib ones, i.e.: http.MethodGet instead of echo.GET (#1205) 2018-10-14 17:16:58 +02:00			`req = httptest.NewRequest(http.MethodOptions, "/", nil)`
add a few tests 2018-06-19 15:49:23 +02:00			`rec = httptest.NewRecorder()`
			`c = e.NewContext(req, rec)`
			`req.Header.Set(echo.HeaderOrigin, "localhost")`
			`req.Header.Set(echo.HeaderContentType, echo.MIMEApplicationJSON)`
Fixed cors test Signed-off-by: Vishal Rana <vr@labstack.com> 2018-07-03 18:51:15 +02:00			`cors = CORSWithConfig(CORSConfig{`
add a few tests 2018-06-19 15:49:23 +02:00			`AllowOrigins: []string{"*"},`
			`AllowCredentials: true,`
			`MaxAge: 3600,`
			`})`
			`h = cors(echo.NotFoundHandler)`
			`h(c)`
			`assert.Equal(t, "localhost", rec.Header().Get(echo.HeaderAccessControlAllowOrigin))`
			`assert.NotEmpty(t, rec.Header().Get(echo.HeaderAccessControlAllowMethods))`
			`assert.Equal(t, "true", rec.Header().Get(echo.HeaderAccessControlAllowCredentials))`
			`assert.Equal(t, "3600", rec.Header().Get(echo.HeaderAccessControlMaxAge))`
Set subdomains to AllowOrigins with wildcard (#1301) * Set subdomains to AllowOrigins with wildcard * Create IsSubDomain * Avoid panic when pattern length smaller than domain length * Change names, improve formula 2019-03-09 20:32:49 +02:00
			// Preflight request with `AllowOrigins` which allow all subdomains with *
			`req = httptest.NewRequest(http.MethodOptions, "/", nil)`
			`rec = httptest.NewRecorder()`
			`c = e.NewContext(req, rec)`
			`req.Header.Set(echo.HeaderOrigin, "http://aaa.example.com")`
			`cors = CORSWithConfig(CORSConfig{`
			`AllowOrigins: []string{"http://*.example.com"},`
			`})`
			`h = cors(echo.NotFoundHandler)`
			`h(c)`
			`assert.Equal(t, "http://aaa.example.com", rec.Header().Get(echo.HeaderAccessControlAllowOrigin))`

			`req.Header.Set(echo.HeaderOrigin, "http://bbb.example.com")`
			`h(c)`
			`assert.Equal(t, "http://bbb.example.com", rec.Header().Get(echo.HeaderAccessControlAllowOrigin))`
Fixed #454, Fixed #274 Signed-off-by: Vishal Rana <vr@labstack.com> 2016-04-08 01:16:58 +02:00			`}`