cors_test.go
package cors_test
import (
"testing"
"time"
"github.com/iris-contrib/middleware/cors"
"github.com/kataras/iris/v12"
"github.com/kataras/iris/v12/httptest"
)
// TestCorsAllowOrigins mounts the CORS middleware on a small iris app and
// checks, through the in-memory httptest client, which Access-Control-*
// response headers come back for five request shapes: no Origin header, the
// allow-listed origin, the same host over plain http, a preflight from the
// allow-listed origin, and a preflight from an unrelated origin.
//
// NOTE(review): a PATCH route is registered although PATCH is not in
// AllowedMethods, and no request below exercises it. No preflight asks for a
// method or header outside the configured lists either, so those rejection
// paths are not covered by this test.
func TestCorsAllowOrigins(t *testing.T) {
	const (
		allowedOrigin = "https://iris-go.com"

		hdrAllowOrigin      = "Access-Control-Allow-Origin"
		hdrAllowCredentials = "Access-Control-Allow-Credentials"
		hdrExposeHeaders    = "Access-Control-Expose-Headers"
		hdrAllowMethods     = "Access-Control-Allow-Methods"
		hdrAllowHeaders     = "Access-Control-Allow-Headers"
		hdrMaxAge           = "Access-Control-Max-Age"
	)

	// One day, expressed in seconds (asserted below as "86400").
	maxAge := int((24 * time.Hour).Seconds())

	app := iris.New()
	// Credentials are not configured here, which is why every case below
	// expects the Allow-Credentials header to be missing or empty.
	// Set Debug: true in the options for verbose middleware output.
	app.UseRouter(cors.New(cors.Options{
		AllowedOrigins: []string{allowedOrigin},
		AllowedHeaders: []string{"Content-Type"},
		AllowedMethods: []string{"GET", "POST", "PUT", "HEAD"},
		ExposedHeaders: []string{"X-Header"},
		MaxAge:         maxAge,
	}))
	// Alternative, scoped to a group of routes:
	//   v1 := app.Party("/v1")
	//   v1.AllowMethods(iris.MethodOptions)
	//   v1.Use(cors.New(opts))

	// Every route answers with "<METHOD>: <PATH>".
	echo := func(ctx iris.Context) {
		ctx.Writef("%s: %s", ctx.Method(), ctx.Path())
	}
	app.Get("/", echo)
	app.Post("/", echo)
	app.Patch("/", echo)

	// httptest.LogLevel("debug") or httptest.Debug(true) can be passed as
	// extra arguments when troubleshooting.
	client := httptest.New(t, app)

	// Case 1: no Origin header. The request is served and no CORS headers
	// are attached.
	plain := client.GET("/").Expect().Status(httptest.StatusOK)
	plain.Body().IsEqual("GET: /")
	plain.Headers().
		NotContainsKey(hdrAllowOrigin).
		NotContainsKey(hdrAllowCredentials).
		NotContainsKey(hdrExposeHeaders)

	// Case 2: the allow-listed origin. It is echoed back and the exposed
	// header list is advertised; credentials stay off.
	sameOrigin := client.GET("/").
		WithHeader("Origin", allowedOrigin).
		Expect().
		Status(httptest.StatusOK)
	sameOrigin.Body().IsEqual("GET: /")
	sameOrigin.Header(hdrAllowOrigin).IsEqual(allowedOrigin)
	sameOrigin.Headers().NotContainsKey(hdrAllowCredentials)
	sameOrigin.Header(hdrExposeHeaders).IsEqual("X-Header")

	// Case 3: same host, but "http" instead of "https". The scheme is part
	// of the origin, so this must be refused (403) with no CORS headers.
	wrongScheme := client.GET("/").
		WithHeader("Origin", "http://iris-go.com").
		Expect().
		Status(httptest.StatusForbidden)
	wrongScheme.Headers().
		NotContainsKey(hdrAllowOrigin).
		NotContainsKey(hdrAllowCredentials).
		NotContainsKey(hdrExposeHeaders)

	// Case 4: preflight from the allow-listed origin for a configured
	// method and header.
	preflight := client.OPTIONS("/").
		WithHeader("Origin", allowedOrigin).
		WithHeader("Access-Control-Request-Method", "GET").
		WithHeader("Access-Control-Request-Headers", "Content-Type").
		Expect().
		Status(httptest.StatusOK)
	preflight.Header("Vary").IsEqual("Origin, Access-Control-Request-Method, Access-Control-Request-Headers")
	preflight.Header(hdrAllowOrigin).IsEqual(allowedOrigin)
	preflight.Header(hdrAllowCredentials).IsEmpty()
	// Spec: since the list of methods can be unbounded, returning only the
	// method named in Access-Control-Request-Method (if supported) is enough.
	preflight.Header(hdrAllowMethods).IsEqual("GET")
	// Spec: since the list of headers can be unbounded, returning only the
	// supported headers from Access-Control-Request-Headers is enough.
	preflight.Header(hdrAllowHeaders).IsEqual("Content-Type")
	preflight.Header(hdrMaxAge).IsEqual("86400")

	// Case 5: preflight from an origin that is not allow-listed. It is
	// refused (403) and none of the preflight response headers are set.
	foreign := client.OPTIONS("/").
		WithHeader("Origin", "http://github.com").
		WithHeader("Access-Control-Request-Method", "GET").
		Expect().
		Status(httptest.StatusForbidden)
	foreign.Header(hdrAllowOrigin).IsEmpty()
	foreign.Header(hdrAllowCredentials).IsEmpty()
	foreign.Header(hdrAllowMethods).IsEmpty()
	foreign.Header(hdrAllowHeaders).IsEmpty()
	foreign.Header(hdrMaxAge).IsEmpty()
}