1 parent
ff1e059
commit c3dd2f0
Showing
17 changed files
with
528 additions
and
239 deletions.
@@ -1,11 +1,12 @@ | ||
import { HttpResponseHeader } from '@dandi/http' | ||
|
||
import { CorsAllowOriginFn } from './cors' | ||
import { CorsHeaderValues } from './cors-headers' | ||
import { CorsOriginWhitelist } from './cors-origin-whitelist' | ||
|
||
export interface CorsConfig { | ||
allowCredentials?: true | ||
allowHeaders?: CorsHeaderValues | ||
allowHeaders?: HttpResponseHeader[] | ||
allowOrigin?: CorsOriginWhitelist | CorsAllowOriginFn | ||
exposeHeaders?: CorsHeaderValues | ||
exposeHeaders?: HttpResponseHeader[] | ||
maxAge?: number | ||
} |
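Review bot: `allowHeaders` populates Access-Control-Allow-Headers, which names the request headers a cross-origin caller may send, so retyping it as `HttpResponseHeader[]` (the new side, going by the hunk's 11→12 line counts) looks too narrow if that type only enumerates response header names; a request-only header such as Authorization could then not be allowed through config. `exposeHeaders` is the field that actually lists response headers, so the new type fits there. Consider typing `allowHeaders` with a request-header name type instead, and adding a doc comment on `allowCredentials` such as `/** When set, allowOrigin must resolve to one explicit origin; browsers reject credentials with a wildcard origin. */`. The file path for this section is not shown on the page.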
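--- a/packages/dandi/http-pipeline/src/cors/cors-util.spec.ts
+++ b/packages/dandi/http-pipeline/src/cors/cors-util.spec.ts
@@ -0,0 +1,126 @@
+import { corsRequestAllowed, CorsResponseHeaders, isCorsRequest } from '@dandi/http-pipeline'
+import {
+HttpHeader,
+HttpMethod,
+HttpRequest,
+HttpRequestHeadersAccessor,
+HttpRequestHeadersHashAccessor,
+} from '@dandi/http'
+import { createStubInstance, stub } from '@dandi/core/testing'
+
+import { expect } from 'chai'
+import { SinonStubbedInstance } from 'sinon'
+
+describe('corsRequestAllowed', () => {
+
+let headersStub: SinonStubbedInstance<HttpRequestHeadersAccessor>
+let headers: HttpRequestHeadersAccessor
+
+beforeEach(() => {
+headersStub = createStubInstance(HttpRequestHeadersHashAccessor)
+headers = headersStub as HttpRequestHeadersAccessor
+})
+afterEach(() => {
+headersStub = undefined
+headers = undefined
+})
+
+it('returns false if the Access-Control-Allow-Origin response header is empty', () => {
+expect(corsRequestAllowed({ [HttpHeader.accessControlAllowMethods]: 'GET' }, headers)).to.be.false
+})
+
+it('returns false if the Access-Control-Allow-Methods response header is empty', () => {
+expect(corsRequestAllowed({ [HttpHeader.accessControlAllowOrigin]: 'foo.com' }, headers)).to.be.false
+})
+
+it('returns false if not all of the headers in the Access-Control-Request-Headers request header are included in the' +
+'Access-Control-Allow-Headers response header', () => {
+
+headersStub.get.withArgs(HttpHeader.accessControlRequestHeaders).returns([HttpHeader.contentType])
+const corsHeaders: Partial<CorsResponseHeaders> = {
+[HttpHeader.accessControlAllowHeaders]: `${HttpHeader.contentLanguage} ${HttpHeader.cacheControl}`,
+}
+headersStub.get.withArgs(HttpHeader.accessControlRequestHeaders).returns([HttpHeader.contentType])
+
+expect(corsRequestAllowed(corsHeaders, headers)).to.be.false
+})
+
+it('returns true if the Access-Control-Allow-Origin and Access-Control-Allow-Methods response headers both have' +
+'values, and the Access-Control-Request-Headers request header is not specified', () => {
+
+const corsHeaders: Partial<CorsResponseHeaders> = {
+[HttpHeader.accessControlAllowOrigin]: 'foo.com',
+[HttpHeader.accessControlAllowMethods]: HttpMethod.get,
+}
+
+expect(corsRequestAllowed(corsHeaders, headers)).to.be.true
+})
+
+it('returns true if the Access-Control-Allow-Origin and Access-Control-Allow-Methods response headers both have' +
+'values, and the Access-Control-Allow-Headers response header includes all requested headers from the ' +
+'Access-Control-Request-Headers request header', () => {
+
+const corsHeaders: Partial<CorsResponseHeaders> = {
+[HttpHeader.accessControlAllowOrigin]: 'foo.com',
+[HttpHeader.accessControlAllowMethods]: HttpMethod.get,
+[HttpHeader.accessControlAllowHeaders]: `${HttpHeader.contentType} ${HttpHeader.cacheControl}`,
+}
+headersStub.get.withArgs(HttpHeader.accessControlRequestHeaders).returns([HttpHeader.contentType, HttpHeader.cacheControl])
+
+expect(corsRequestAllowed(corsHeaders, headers)).to.be.true
+})
+
+it('returns false if the Access-Control-Allow-Origin and Access-Control-Allow-Methods response headers both have' +
+'values, but the Access-Control-Allow-Headers response header does not include all requested headers from the ' +
+'Access-Control-Request-Headers request header', () => {
+
+const corsHeaders: Partial<CorsResponseHeaders> = {
+[HttpHeader.accessControlAllowOrigin]: 'foo.com',
+[HttpHeader.accessControlAllowMethods]: HttpMethod.get,
+[HttpHeader.accessControlAllowHeaders]: `${HttpHeader.contentType}`,
+}
+headersStub.get.withArgs(HttpHeader.accessControlRequestHeaders).returns([HttpHeader.contentType, HttpHeader.cacheControl])
+
+expect(corsRequestAllowed(corsHeaders, headers)).to.be.false
+})
+
+})
+
+describe('isCorsRequest', () => {
+
+let req: SinonStubbedInstance<HttpRequest>
+
+beforeEach(() => {
+req = {
+get: stub(),
+} as SinonStubbedInstance<HttpRequest>
+})
+afterEach(() => {
+req = undefined
+})
+
+it('returns false if there is no origin request header', () => {
+expect(isCorsRequest(req)).to.be.false
+})
+
+it('returns false if the origin matches the host', () => {
+req.get
+.withArgs(HttpHeader.origin)
+.returns('foo.com')
+.withArgs(HttpHeader.host)
+.returns('foo.com')
+
+expect(isCorsRequest(req)).to.be.false
+})
+
+it('returns false if the origin does not match the host', () => {
+req.get
+.withArgs(HttpHeader.origin)
+.returns('foo.com')
+.withArgs(HttpHeader.host)
+.returns('bar.com')
+
+expect(isCorsRequest(req)).to.be.true
+})
+
+})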
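Review bot: The `isCorsRequest` cases stub both Origin and Host as bare `foo.com`, but a browser's Origin header carries a scheme (and a port when non-default) while Host does not, so these fixtures do not pin how the comparison treats a real same-origin request; a case with a constructed value such as Origin `https://foo.com` against Host `foo.com` would show whether same-origin traffic is misclassified. The last case is titled `'returns false if the origin does not match the host'` yet asserts `to.be.true`, so the title should read `'returns true if the origin does not match the host'`. Several concatenated titles in `corsRequestAllowed` drop the space at the join (`'... included in the' +` followed by `'Access-Control-Allow-Headers ...'`, and `'... both have' +` followed by `'values, ...'`). In the third `corsRequestAllowed` case the `headersStub.get.withArgs(HttpHeader.accessControlRequestHeaders)` stub is set twice with the same value, and the case omits Allow-Origin and Allow-Methods, so it may pass on the earlier empty-header checks rather than on the header comparison it names.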