summaryrefslogtreecommitdiffstats
path: root/tests/integration/cors_test.go
diff options
context:
space:
mode:
authorDaniel Baumann <daniel@debian.org>2024-10-18 20:33:49 +0200
committerDaniel Baumann <daniel@debian.org>2024-12-12 23:57:56 +0100
commite68b9d00a6e05b3a941f63ffb696f91e554ac5ec (patch)
tree97775d6c13b0f416af55314eb6a89ef792474615 /tests/integration/cors_test.go
parentInitial commit. (diff)
downloadforgejo-e68b9d00a6e05b3a941f63ffb696f91e554ac5ec.tar.xz
forgejo-e68b9d00a6e05b3a941f63ffb696f91e554ac5ec.zip
Adding upstream version 9.0.3.
Signed-off-by: Daniel Baumann <daniel@debian.org>
Diffstat (limited to 'tests/integration/cors_test.go')
-rw-r--r--tests/integration/cors_test.go94
1 files changed, 94 insertions, 0 deletions
diff --git a/tests/integration/cors_test.go b/tests/integration/cors_test.go
new file mode 100644
index 0000000..25dfbab
--- /dev/null
+++ b/tests/integration/cors_test.go
@@ -0,0 +1,94 @@
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package integration
+
+import (
+ "net/http"
+ "testing"
+
+ "code.gitea.io/gitea/modules/setting"
+ "code.gitea.io/gitea/modules/test"
+ "code.gitea.io/gitea/routers"
+ "code.gitea.io/gitea/tests"
+
+ "github.com/stretchr/testify/assert"
+)
+
+func TestCORS(t *testing.T) {
+ defer tests.PrepareTestEnv(t)()
+ t.Run("CORS enabled", func(t *testing.T) {
+ defer test.MockVariableValue(&setting.CORSConfig.Enabled, true)()
+ defer test.MockVariableValue(&testWebRoutes, routers.NormalRoutes())()
+
+ t.Run("API with CORS", func(t *testing.T) {
+ // GET api with no CORS header
+ req := NewRequest(t, "GET", "/api/v1/version")
+ resp := MakeRequest(t, req, http.StatusOK)
+ assert.Empty(t, resp.Header().Get("Access-Control-Allow-Origin"))
+ assert.Contains(t, resp.Header().Values("Vary"), "Origin")
+
+ // OPTIONS api for CORS
+ req = NewRequest(t, "OPTIONS", "/api/v1/version").
+ SetHeader("Origin", "https://example.com").
+ SetHeader("Access-Control-Request-Method", "GET")
+ resp = MakeRequest(t, req, http.StatusOK)
+ assert.NotEmpty(t, resp.Header().Get("Access-Control-Allow-Origin"))
+ assert.Contains(t, resp.Header().Values("Vary"), "Origin")
+ })
+
+ t.Run("Web with CORS", func(t *testing.T) {
+ // GET userinfo with no CORS header
+ req := NewRequest(t, "GET", "/login/oauth/userinfo")
+ resp := MakeRequest(t, req, http.StatusUnauthorized)
+ assert.Empty(t, resp.Header().Get("Access-Control-Allow-Origin"))
+ assert.Contains(t, resp.Header().Values("Vary"), "Origin")
+
+ // OPTIONS userinfo for CORS
+ req = NewRequest(t, "OPTIONS", "/login/oauth/userinfo").
+ SetHeader("Origin", "https://example.com").
+ SetHeader("Access-Control-Request-Method", "GET")
+ resp = MakeRequest(t, req, http.StatusOK)
+ assert.NotEmpty(t, resp.Header().Get("Access-Control-Allow-Origin"))
+ assert.Contains(t, resp.Header().Values("Vary"), "Origin")
+
+ // OPTIONS userinfo for non-CORS
+ req = NewRequest(t, "OPTIONS", "/login/oauth/userinfo")
+ resp = MakeRequest(t, req, http.StatusMethodNotAllowed)
+ assert.NotContains(t, resp.Header().Values("Vary"), "Origin")
+ })
+ })
+
+ t.Run("CORS disabled", func(t *testing.T) {
+ defer test.MockVariableValue(&setting.CORSConfig.Enabled, false)()
+ defer test.MockVariableValue(&testWebRoutes, routers.NormalRoutes())()
+
+ t.Run("API without CORS", func(t *testing.T) {
+ req := NewRequest(t, "GET", "/api/v1/version")
+ resp := MakeRequest(t, req, http.StatusOK)
+ assert.Empty(t, resp.Header().Get("Access-Control-Allow-Origin"))
+ assert.Empty(t, resp.Header().Values("Vary"))
+
+ req = NewRequest(t, "OPTIONS", "/api/v1/version").
+ SetHeader("Origin", "https://example.com").
+ SetHeader("Access-Control-Request-Method", "GET")
+ resp = MakeRequest(t, req, http.StatusMethodNotAllowed)
+ assert.Empty(t, resp.Header().Get("Access-Control-Allow-Origin"))
+ assert.Empty(t, resp.Header().Values("Vary"))
+ })
+
+ t.Run("Web without CORS", func(t *testing.T) {
+ req := NewRequest(t, "GET", "/login/oauth/userinfo")
+ resp := MakeRequest(t, req, http.StatusUnauthorized)
+ assert.Empty(t, resp.Header().Get("Access-Control-Allow-Origin"))
+ assert.NotContains(t, resp.Header().Values("Vary"), "Origin")
+
+ req = NewRequest(t, "OPTIONS", "/login/oauth/userinfo").
+ SetHeader("Origin", "https://example.com").
+ SetHeader("Access-Control-Request-Method", "GET")
+ resp = MakeRequest(t, req, http.StatusMethodNotAllowed)
+ assert.Empty(t, resp.Header().Get("Access-Control-Allow-Origin"))
+ assert.NotContains(t, resp.Header().Values("Vary"), "Origin")
+ })
+ })
+}