summaryrefslogtreecommitdiffstats
path: root/tests/integration/cors_test.go
blob: 25dfbabf41e1b105405ef4d0a480ca68110028e3 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
// Copyright 2019 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT

package integration

import (
	"net/http"
	"testing"

	"code.gitea.io/gitea/modules/setting"
	"code.gitea.io/gitea/modules/test"
	"code.gitea.io/gitea/routers"
	"code.gitea.io/gitea/tests"

	"github.com/stretchr/testify/assert"
)

func TestCORS(t *testing.T) {
	defer tests.PrepareTestEnv(t)()
	t.Run("CORS enabled", func(t *testing.T) {
		defer test.MockVariableValue(&setting.CORSConfig.Enabled, true)()
		defer test.MockVariableValue(&testWebRoutes, routers.NormalRoutes())()

		t.Run("API with CORS", func(t *testing.T) {
			// GET api with no CORS header
			req := NewRequest(t, "GET", "/api/v1/version")
			resp := MakeRequest(t, req, http.StatusOK)
			assert.Empty(t, resp.Header().Get("Access-Control-Allow-Origin"))
			assert.Contains(t, resp.Header().Values("Vary"), "Origin")

			// OPTIONS api for CORS
			req = NewRequest(t, "OPTIONS", "/api/v1/version").
				SetHeader("Origin", "https://example.com").
				SetHeader("Access-Control-Request-Method", "GET")
			resp = MakeRequest(t, req, http.StatusOK)
			assert.NotEmpty(t, resp.Header().Get("Access-Control-Allow-Origin"))
			assert.Contains(t, resp.Header().Values("Vary"), "Origin")
		})

		t.Run("Web with CORS", func(t *testing.T) {
			// GET userinfo with no CORS header
			req := NewRequest(t, "GET", "/login/oauth/userinfo")
			resp := MakeRequest(t, req, http.StatusUnauthorized)
			assert.Empty(t, resp.Header().Get("Access-Control-Allow-Origin"))
			assert.Contains(t, resp.Header().Values("Vary"), "Origin")

			// OPTIONS userinfo for CORS
			req = NewRequest(t, "OPTIONS", "/login/oauth/userinfo").
				SetHeader("Origin", "https://example.com").
				SetHeader("Access-Control-Request-Method", "GET")
			resp = MakeRequest(t, req, http.StatusOK)
			assert.NotEmpty(t, resp.Header().Get("Access-Control-Allow-Origin"))
			assert.Contains(t, resp.Header().Values("Vary"), "Origin")

			// OPTIONS userinfo for non-CORS
			req = NewRequest(t, "OPTIONS", "/login/oauth/userinfo")
			resp = MakeRequest(t, req, http.StatusMethodNotAllowed)
			assert.NotContains(t, resp.Header().Values("Vary"), "Origin")
		})
	})

	t.Run("CORS disabled", func(t *testing.T) {
		defer test.MockVariableValue(&setting.CORSConfig.Enabled, false)()
		defer test.MockVariableValue(&testWebRoutes, routers.NormalRoutes())()

		t.Run("API without CORS", func(t *testing.T) {
			req := NewRequest(t, "GET", "/api/v1/version")
			resp := MakeRequest(t, req, http.StatusOK)
			assert.Empty(t, resp.Header().Get("Access-Control-Allow-Origin"))
			assert.Empty(t, resp.Header().Values("Vary"))

			req = NewRequest(t, "OPTIONS", "/api/v1/version").
				SetHeader("Origin", "https://example.com").
				SetHeader("Access-Control-Request-Method", "GET")
			resp = MakeRequest(t, req, http.StatusMethodNotAllowed)
			assert.Empty(t, resp.Header().Get("Access-Control-Allow-Origin"))
			assert.Empty(t, resp.Header().Values("Vary"))
		})

		t.Run("Web without CORS", func(t *testing.T) {
			req := NewRequest(t, "GET", "/login/oauth/userinfo")
			resp := MakeRequest(t, req, http.StatusUnauthorized)
			assert.Empty(t, resp.Header().Get("Access-Control-Allow-Origin"))
			assert.NotContains(t, resp.Header().Values("Vary"), "Origin")

			req = NewRequest(t, "OPTIONS", "/login/oauth/userinfo").
				SetHeader("Origin", "https://example.com").
				SetHeader("Access-Control-Request-Method", "GET")
			resp = MakeRequest(t, req, http.StatusMethodNotAllowed)
			assert.Empty(t, resp.Header().Get("Access-Control-Allow-Origin"))
			assert.NotContains(t, resp.Header().Values("Vary"), "Origin")
		})
	})
}