cors_test.clj
139 lines (126 loc) · 7.43 KB
(ns jumblerg.middleware.cors-test
(:require
[clojure.test :refer :all]
[jumblerg.middleware.cors :refer :all]))
;;; utils ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Look up response header `hdr` (exact key, no case folding) in the
;; :headers map of Ring response `res`; nil when the key or the map is absent.
(defn get-header [res hdr]
  (get (:headers res) hdr))
;; True when the :headers map of Ring response `res` has the key `hdr`,
;; whatever its value (a nil-valued header still counts as present).
(defn contains-header? [res hdr]
  (contains? (:headers res) hdr))
;; Negation of contains-header?: true when `hdr` is not a key of `res`'s
;; :headers map.
(defn not-contain-header? [res hdr]
  (not (contains-header? res hdr)))
;;; tests ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
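;; Exercises `wrap-cors` against the steps of the CORS processing model.
;; Every `testing` block builds a Ring request map, wraps a stub handler
;; that returns `res`, and asserts which Access-Control-* headers the
;; middleware adds or withholds. The first five cases are actual requests
;; (GET); the remaining ones are preflights (OPTIONS).
(deftest test-wrap-cors
  (testing
    "if the origin header is not present terminate."
    (let [req {:headers {}
               :request-method :get
               :uri "/"}
          res {:status 204}
          ret ((wrap-cors (fn [_] res) #"http://authorizedorigin.com") req)]
      (is (not (get-header ret "Access-Control-Allow-Origin")))))
  (testing
    "if the value of the origin header is not a case-sensitive match for any of
    the values in list of origins do not set any additional headers and
    terminate."
    ;; The stub handler returns `res` like every other case; it previously
    ;; returned nil, so the assertion was made against a nil response rather
    ;; than against the handler's response passed through without CORS headers.
    (let [req-hdrs {"origin" "http://uauthorizedorigin.com"}
          req {:headers req-hdrs
               :request-method :get
               :uri "/"}
          res {:status 204}
          ret ((wrap-cors (fn [_] res) #"http://authorizedorigin.com") req)]
      (is (not (get-header ret "Access-Control-Allow-Origin")))))
  (testing
    "if the resource supports credentials add a single Access-Control-Allow-Origin
    header with the value of the Origin header as value and add a single
    Access-Control-Allow-Credentials header with the case-sensitive string
    \"true\" as value. (in this case, the resource supports credentials only
    when the client requests them either by the presence of the authorization
    header)"
    (let [req-hdrs {"origin" "http://authorizedorigin.com"
                    "authorization" "Basic Y2hyaXNAZXhhbXBsZS5jb206YmVlcno="}
          req {:headers req-hdrs
               :request-method :get
               :uri "/"}
          res {:status 204}
          ret ((wrap-cors (fn [_] res) #"http://authorizedorigin.com") req)]
      (is (= "http://authorizedorigin.com" (get-header ret "Access-Control-Allow-Origin")))
      (is (= "true" (get-header ret "Access-Control-Allow-Credentials")))))
  (testing
    "multiple wildcard origins"
    ;; NOTE(review): the leading `.*` accepts any prefix, so an origin such as
    ;; http://not-authorizedorigin.com matches these patterns as well, and the
    ;; unescaped dots match any character. How strictly wrap-cors applies a
    ;; pattern (full match vs. search) is not visible here; a production
    ;; allow-list should anchor and escape, e.g.
    ;; #"^https://(www\.)?example\.com$" (illustrative pattern).
    ;; NOTE(review): no authorization header is sent in this case, yet
    ;; Allow-Credentials "true" is expected — that differs from the rule stated
    ;; in the previous case; confirm which behaviour wrap-cors intends.
    (let [req-hdrs {"origin" "http://authorizedorigin.com"}
          req {:headers req-hdrs
               :request-method :get
               :uri "/"}
          res {:status 204}
          ret ((wrap-cors (fn [_] res) #".*authorizedorigin.com" #".*example.com") req)]
      (is (= "http://authorizedorigin.com" (get-header ret "Access-Control-Allow-Origin")))
      (is (= "true" (get-header ret "Access-Control-Allow-Credentials")))))
  (testing
    "if the list of exposed headers is not empty add one or more Access-Control-Expose-Headers
    with the header field names given in the list of exposed headers as values."
    ;; Only Set-Cookie and WWW-Authenticate are expected in Expose-Headers;
    ;; Content-Type is left out, presumably because it is a CORS-safelisted
    ;; response header that scripts can read anyway.
    (let [req-hdrs {"origin" "http://authorizedorigin.com"
                    "authorization" "Basic Y2hyaXNAZXhhbXBsZS5jb206YmVlcno="}
          req {:headers req-hdrs
               :request-method :get
               :uri "/"}
          res-hdrs {"Content-Type" "application/json"
                    "Set-Cookie" "Example=Zm9vYmFyYmF6;Max-Age=3600;Path=/"
                    "WWW-Authenticate" "Basic realm=\"example\""}
          res {:headers res-hdrs
               :status 204}
          ret ((wrap-cors (fn [_] res) #"http://authorizedorigin.com") req)]
      (is (= "http://authorizedorigin.com" (get-header ret "Access-Control-Allow-Origin")))
      (is (= "true" (get-header ret "Access-Control-Allow-Credentials")))
      (is (= "Set-Cookie, WWW-Authenticate" (get-header ret "Access-Control-Expose-Headers")))))
  (testing
    "if the origin header is not present terminate the preflight."
    (let [req-hdrs {"access-control-request-method" "GET"
                    "access-control-request-headers" "accept, remember"}
          req {:headers req-hdrs
               :request-method :options
               :uri "/"}
          res {:status 204}
          ret ((wrap-cors (fn [_] res) #"http://authorizedorigin.com") req)]
      (is (not (get-header ret "Access-Control-Allow-Origin")))))
  (testing
    "if the value of the origin header is not a case-sensitive match for any of
    the values in list of origins do not set any additional headers and terminate"
    ;; Stub handler returns `res` (it previously returned nil; see the
    ;; matching GET case above).
    (let [req-hdrs {"origin" "http://uauthorizedorigin.com"
                    "access-control-request-method" "GET"
                    "access-control-request-headers" "accept, remember"}
          req {:headers req-hdrs
               :request-method :options
               :uri "/"}
          res {:status 204}
          ret ((wrap-cors (fn [_] res) #"http://authorizedorigin.com") req)]
      (is (not (get-header ret "Access-Control-Allow-Origin")))))
  (testing
    "if there is no Access-Control-Request-Method header or if parsing failed,
    do not set any additional headers and terminate this set of steps."
    ;; Stub handler returns `res` (it previously returned nil).
    ;; NOTE(review): the origin used here is also one the pattern rejects, so
    ;; this assertion holds whether or not the missing
    ;; Access-Control-Request-Method header is honoured. Sending the authorized
    ;; origin would isolate that branch — but first confirm what wrap-cors
    ;; should do with an OPTIONS request that is not a preflight.
    (let [req-hdrs {"origin" "http://uauthorizedorigin.com"}
          req {:headers req-hdrs
               :request-method :options
               :uri "/"}
          res {:status 204}
          ret ((wrap-cors (fn [_] res) #"http://authorizedorigin.com") req)]
      (is (not (get-header ret "Access-Control-Allow-Origin")))))
  (testing
    "if the resource supports credentials add a single Access-Control-Allow-Origin
    header, with the value of the Origin header as value, and add a single
    Access-Control-Allow-Credentials header with the case-sensitive string
    \"true\" as value. (in this case, the resource supports credentials only
    when the client requests them by the presence of authorization in the access
    control request headers)"
    ;; `identity` as the origin matcher accepts every Origin value, and the
    ;; expected response reflects it with Allow-Credentials "true". Convenient
    ;; as a fixture, but the same configuration in a deployment would let any
    ;; site make credentialed cross-origin requests to it.
    (let [req-hdrs {"origin" "http://authorizedorigin.com"
                    "access-control-request-method" "GET"
                    "access-control-request-headers" "accept, remember, authorization"}
          req {:headers req-hdrs
               :request-method :options
               :uri "/"}
          res {:status 204}
          ret ((wrap-cors (fn [_] res) identity) req)]
      ;; 204 matches `res`; whether the middleware calls the handler on a
      ;; preflight or answers it itself cannot be told apart with this fixture.
      (is (= 204 (ret :status)))
      (is (= "http://authorizedorigin.com" (get-header ret "Access-Control-Allow-Origin")))
      (is (= "true" (get-header ret "Access-Control-Allow-Credentials")))
      (is (= "GET" (get-header ret "Access-Control-Allow-Methods")))
      ;; The requested header names are expected back verbatim in Allow-Headers.
      (is (= "accept, remember, authorization" (get-header ret "Access-Control-Allow-Headers")))
      (is (= "86400" (get-header ret "Access-Control-Max-Age")))
      ;; `res` carries no headers, so nothing should be listed as exposed.
      (is (not-contain-header? ret "Access-Control-Expose-Headers")))))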