mirror of
https://github.com/scratchfoundation/restify-cors-middleware.git
synced 2024-12-18 11:52:26 -05:00
97 lines
3 KiB
JavaScript
97 lines
3 KiB
JavaScript
//
|
|
// Based on the spec at http://www.w3.org/TR/cors/
|
|
// The test numbers correspond to steps in the specification
|
|
//
|
|
/* eslint-env mocha */
|
|
|
|
var request = require('supertest')
|
|
var should = require('should')
|
|
var test = require('./test')
|
|
|
|
describe('CORS: simple / actual requests', function () {
|
|
it('6.1.1 Does not set headers if Origin is missing', function (done) {
|
|
var server = test.corsServer({
|
|
origins: ['http://api.myapp.com', 'http://www.myapp.com']
|
|
})
|
|
request(server)
|
|
.get('/test')
|
|
.expect(test.noHeader('access-control-allow-origin'))
|
|
.expect(200)
|
|
.end(done)
|
|
})
|
|
|
|
it('6.1.2 Does not set headers if Origin does not match', function (done) {
|
|
var server = test.corsServer({
|
|
origins: ['http://api.myapp.com', 'http://www.myapp.com']
|
|
})
|
|
request(server)
|
|
.get('/test')
|
|
.set('Origin', 'http://random-website.com')
|
|
.expect(test.noHeader('access-control-allow-origin'))
|
|
.expect(200)
|
|
.end(done)
|
|
})
|
|
|
|
it('6.1.3 Sets Allow-Origin headers if the Origin matches', function (done) {
|
|
var server = test.corsServer({
|
|
origins: ['http://api.myapp.com', 'http://www.myapp.com']
|
|
})
|
|
request(server)
|
|
.get('/test')
|
|
.set('Origin', 'http://api.myapp.com')
|
|
.expect('access-control-allow-origin', 'http://api.myapp.com')
|
|
.expect(200)
|
|
.end(done)
|
|
})
|
|
|
|
it('6.1.3 Does not set Access-Control-Allow-Credentials header if Origin is *', function (done) {
|
|
should.throws(function () {
|
|
test.corsServer({
|
|
origins: ['*'],
|
|
credentials: true
|
|
})
|
|
})
|
|
done()
|
|
})
|
|
|
|
it('6.1.3 Sets Access-Control-Allow-Credentials header if configured', function (done) {
|
|
var server = test.corsServer({
|
|
origins: ['http://api.myapp.com'],
|
|
credentials: true
|
|
})
|
|
request(server)
|
|
.get('/test')
|
|
.set('Origin', 'http://api.myapp.com')
|
|
.expect('access-control-allow-credentials', 'true')
|
|
.expect(200)
|
|
.end(done)
|
|
})
|
|
|
|
it('6.1.4 Does not set exposed headers if empty', function (done) {
|
|
var server = test.corsServer({
|
|
origins: ['http://api.myapp.com', 'http://www.myapp.com']
|
|
})
|
|
request(server)
|
|
.get('/test')
|
|
.set('Origin', 'http://api.myapp.com')
|
|
.expect('access-control-allow-origin', 'http://api.myapp.com')
|
|
.expect('access-control-expose-headers', /api-version/) // defaults
|
|
.expect(200)
|
|
.end(done)
|
|
})
|
|
|
|
it('6.1.4 Sets exposed headers if configured', function (done) {
|
|
var server = test.corsServer({
|
|
origins: ['http://api.myapp.com', 'http://www.myapp.com'],
|
|
exposeHeaders: ['HeaderA', 'HeaderB']
|
|
})
|
|
request(server)
|
|
.get('/test')
|
|
.set('Origin', 'http://api.myapp.com')
|
|
.expect('access-control-allow-origin', 'http://api.myapp.com')
|
|
.expect('access-control-expose-headers', /HeaderA, HeaderB/) // custom
|
|
.expect('access-control-expose-headers', /api-version/) // defaults
|
|
.expect(200)
|
|
.end(done)
|
|
})
|
|
})
|