-
-
Notifications
You must be signed in to change notification settings - Fork 246
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #948 from acelaya-forks/feature/cors-improvements
Feature/cors improvements
- Loading branch information
Showing
7 changed files
with
107 additions
and
9 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
<?php | ||
|
||
declare(strict_types=1); | ||
|
||
return [ | ||
|
||
'cors' => [ | ||
'max_age' => 3600, | ||
], | ||
|
||
]; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,80 @@ | ||
<?php | ||
|
||
declare(strict_types=1); | ||
|
||
namespace ShlinkioApiTest\Shlink\Rest\Middleware; | ||
|
||
use GuzzleHttp\RequestOptions; | ||
use Shlinkio\Shlink\TestUtils\ApiTest\ApiTestCase; | ||
|
||
class CorsTest extends ApiTestCase | ||
{ | ||
/** @test */ | ||
public function responseDoesNotIncludeCorsHeadersWhenOriginIsNotSent(): void | ||
{ | ||
$resp = $this->callApiWithKey(self::METHOD_GET, '/short-urls'); | ||
|
||
self::assertEquals(200, $resp->getStatusCode()); | ||
self::assertFalse($resp->hasHeader('Access-Control-Allow-Origin')); | ||
self::assertFalse($resp->hasHeader('Access-Control-Allow-Methods')); | ||
self::assertFalse($resp->hasHeader('Access-Control-Max-Age')); | ||
self::assertFalse($resp->hasHeader('Access-Control-Allow-Headers')); | ||
} | ||
|
||
/** | ||
* @test | ||
* @dataProvider provideOrigins | ||
*/ | ||
public function responseIncludesCorsHeadersIfOriginIsSent( | ||
string $origin, | ||
string $endpoint, | ||
int $expectedStatusCode | ||
): void { | ||
$resp = $this->callApiWithKey(self::METHOD_GET, $endpoint, [ | ||
RequestOptions::HEADERS => ['Origin' => $origin], | ||
]); | ||
|
||
self::assertEquals($expectedStatusCode, $resp->getStatusCode()); | ||
self::assertEquals($origin, $resp->getHeaderLine('Access-Control-Allow-Origin')); | ||
self::assertFalse($resp->hasHeader('Access-Control-Allow-Methods')); | ||
self::assertFalse($resp->hasHeader('Access-Control-Max-Age')); | ||
self::assertFalse($resp->hasHeader('Access-Control-Allow-Headers')); | ||
} | ||
|
||
public function provideOrigins(): iterable | ||
{ | ||
yield 'foo.com' => ['foo.com', '/short-urls', 200]; | ||
yield 'bar.io' => ['bar.io', '/foo/bar', 404]; | ||
yield 'baz.dev' => ['baz.dev', '/short-urls', 200]; | ||
} | ||
|
||
/** | ||
* @test | ||
* @dataProvider providePreflightEndpoints | ||
*/ | ||
public function preflightRequestsIncludeExtraCorsHeaders(string $endpoint, string $expectedAllowedMethods): void | ||
{ | ||
$allowedHeaders = 'Authorization'; | ||
$resp = $this->callApiWithKey(self::METHOD_OPTIONS, $endpoint, [ | ||
RequestOptions::HEADERS => [ | ||
'Origin' => 'foo.com', | ||
'Access-Control-Request-Headers' => $allowedHeaders, | ||
], | ||
]); | ||
|
||
self::assertEquals(204, $resp->getStatusCode()); | ||
self::assertTrue($resp->hasHeader('Access-Control-Allow-Origin')); | ||
self::assertTrue($resp->hasHeader('Access-Control-Max-Age')); | ||
self::assertEquals($expectedAllowedMethods, $resp->getHeaderLine('Access-Control-Allow-Methods')); | ||
self::assertEquals($allowedHeaders, $resp->getHeaderLine('Access-Control-Allow-Headers')); | ||
} | ||
|
||
public function providePreflightEndpoints(): iterable | ||
{ | ||
yield 'invalid route' => ['/foo/bar', 'GET,POST,PUT,PATCH,DELETE,OPTIONS']; | ||
yield 'short URLs routes' => ['/short-urls', 'GET,POST,PUT,PATCH,DELETE,OPTIONS']; | ||
// yield 'short URLs routes' => ['/short-urls', 'GET,POST']; // TODO This should be the good one | ||
yield 'tags routes' => ['/tags', 'GET,POST,PUT,PATCH,DELETE,OPTIONS']; | ||
// yield 'tags routes' => ['/short-urls', 'GET,POST,PUT,DELETE']; // TODO This should be the good one | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters