forgejo/tests/integration/cors_test.go

// Copyright 2019 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT

package integration

import (
	"net/http"
	"testing"

	"code.gitea.io/gitea/modules/setting"
	"code.gitea.io/gitea/modules/test"
	"code.gitea.io/gitea/routers"
	"code.gitea.io/gitea/tests"

	"github.com/stretchr/testify/assert"
)

func TestCORS(t *testing.T) {
	defer tests.PrepareTestEnv(t)()
	t.Run("CORS enabled", func(t *testing.T) {
		defer test.MockVariableValue(&setting.CORSConfig.Enabled, true)()
		defer test.MockVariableValue(&testWebRoutes, routers.NormalRoutes())()

		t.Run("API with CORS", func(t *testing.T) {
			// GET api with no CORS header
			req := NewRequest(t, "GET", "/api/v1/version")
			resp := MakeRequest(t, req, http.StatusOK)
			assert.Empty(t, resp.Header().Get("Access-Control-Allow-Origin"))
			assert.Contains(t, resp.Header().Values("Vary"), "Origin")

			// OPTIONS api for CORS
			req = NewRequest(t, "OPTIONS", "/api/v1/version").
				SetHeader("Origin", "https://example.com").
				SetHeader("Access-Control-Request-Method", "GET")
			resp = MakeRequest(t, req, http.StatusOK)
			assert.NotEmpty(t, resp.Header().Get("Access-Control-Allow-Origin"))
			assert.Contains(t, resp.Header().Values("Vary"), "Origin")
		})

		t.Run("Web with CORS", func(t *testing.T) {
			// GET userinfo with no CORS header
			req := NewRequest(t, "GET", "/login/oauth/userinfo")
			resp := MakeRequest(t, req, http.StatusUnauthorized)
			assert.Empty(t, resp.Header().Get("Access-Control-Allow-Origin"))
			assert.Contains(t, resp.Header().Values("Vary"), "Origin")

			// OPTIONS userinfo for CORS
			req = NewRequest(t, "OPTIONS", "/login/oauth/userinfo").
				SetHeader("Origin", "https://example.com").
				SetHeader("Access-Control-Request-Method", "GET")
			resp = MakeRequest(t, req, http.StatusOK)
			assert.NotEmpty(t, resp.Header().Get("Access-Control-Allow-Origin"))
			assert.Contains(t, resp.Header().Values("Vary"), "Origin")

			// OPTIONS userinfo for non-CORS
			req = NewRequest(t, "OPTIONS", "/login/oauth/userinfo")
			resp = MakeRequest(t, req, http.StatusMethodNotAllowed)
			assert.NotContains(t, resp.Header().Values("Vary"), "Origin")
		})
	})

	t.Run("CORS disabled", func(t *testing.T) {
		defer test.MockVariableValue(&setting.CORSConfig.Enabled, false)()
		defer test.MockVariableValue(&testWebRoutes, routers.NormalRoutes())()

		t.Run("API without CORS", func(t *testing.T) {
			req := NewRequest(t, "GET", "/api/v1/version")
			resp := MakeRequest(t, req, http.StatusOK)
			assert.Empty(t, resp.Header().Get("Access-Control-Allow-Origin"))
			assert.Empty(t, resp.Header().Values("Vary"))

			req = NewRequest(t, "OPTIONS", "/api/v1/version").
				SetHeader("Origin", "https://example.com").
				SetHeader("Access-Control-Request-Method", "GET")
			resp = MakeRequest(t, req, http.StatusMethodNotAllowed)
			assert.Empty(t, resp.Header().Get("Access-Control-Allow-Origin"))
			assert.Empty(t, resp.Header().Values("Vary"))
		})

		t.Run("Web without CORS", func(t *testing.T) {
			req := NewRequest(t, "GET", "/login/oauth/userinfo")
			resp := MakeRequest(t, req, http.StatusUnauthorized)
			assert.Empty(t, resp.Header().Get("Access-Control-Allow-Origin"))
			assert.NotContains(t, resp.Header().Values("Vary"), "Origin")

			req = NewRequest(t, "OPTIONS", "/login/oauth/userinfo").
				SetHeader("Origin", "https://example.com").
				SetHeader("Access-Control-Request-Method", "GET")
			resp = MakeRequest(t, req, http.StatusMethodNotAllowed)
			assert.Empty(t, resp.Header().Get("Access-Control-Allow-Origin"))
			assert.NotContains(t, resp.Header().Values("Vary"), "Origin")
		})
	})
}
Handle CORS requests (#6289) 2019-05-13 18:38:53 +03:00			`// Copyright 2019 The Gitea Authors. All rights reserved.`
Implement FSFE REUSE for golang files (#21840) Change all license headers to comply with REUSE specification. Fix #16132 Co-authored-by: flynnnnnnnnnn <flynnnnnnnnnn@github> Co-authored-by: John Olheiser <john.olheiser@gmail.com> 2022-11-27 21:20:29 +03:00			`// SPDX-License-Identifier: MIT`
Handle CORS requests (#6289) 2019-05-13 18:38:53 +03:00
Kd/ci playwright go test (#20123) * Add initial playwright config * Simplify Makefile * Simplify Makefile * Use correct config files * Update playwright settings * Fix package-lock file * Don't use test logger for e2e tests * fix frontend lint * Allow passing TEST_LOGGER variable * Init postgres database * use standard gitea env variables * Update playwright * update drone * Move empty env var to commands * Cleanup * Move integrations to subfolder * tests integrations to tests integraton * Run e2e tests with go test * Fix linting * install CI deps * Add files to ESlint * Fix drone typo * Don't log to console in CI * Use go test http server * Add build step before tests * Move shared init function to common package * fix drone * Clean up tests * Fix linting * Better mocking for page + version string * Cleanup test generation * Remove dependency on gitea binary * Fix linting * add initial support for running specific tests * Add ACCEPT_VISUAL variable * don't require git-lfs * Add initial documentation * Review feedback * Add logged in session test * Attempt fixing drone race * Cleanup and bump version * Bump deps * Review feedback * simplify installation * Fix ci * Update install docs 2022-09-02 22:18:23 +03:00			`package integration`
Handle CORS requests (#6289) 2019-05-13 18:38:53 +03:00
			`import (`
			`"net/http"`
			`"testing"`

Refactor CORS handler (#28587) The CORS code has been unmaintained for long time, and the behavior is not correct. This PR tries to improve it. The key point is written as comment in code. And add more tests. Fix #28515 Fix #27642 Fix #17098 2023-12-25 15:13:18 +03:00			`"code.gitea.io/gitea/modules/setting"`
			`"code.gitea.io/gitea/modules/test"`
			`"code.gitea.io/gitea/routers"`
Kd/ci playwright go test (#20123) * Add initial playwright config * Simplify Makefile * Simplify Makefile * Use correct config files * Update playwright settings * Fix package-lock file * Don't use test logger for e2e tests * fix frontend lint * Allow passing TEST_LOGGER variable * Init postgres database * use standard gitea env variables * Update playwright * update drone * Move empty env var to commands * Cleanup * Move integrations to subfolder * tests integrations to tests integraton * Run e2e tests with go test * Fix linting * install CI deps * Add files to ESlint * Fix drone typo * Don't log to console in CI * Use go test http server * Add build step before tests * Move shared init function to common package * fix drone * Clean up tests * Fix linting * Better mocking for page + version string * Cleanup test generation * Remove dependency on gitea binary * Fix linting * add initial support for running specific tests * Add ACCEPT_VISUAL variable * don't require git-lfs * Add initial documentation * Review feedback * Add logged in session test * Attempt fixing drone race * Cleanup and bump version * Bump deps * Review feedback * simplify installation * Fix ci * Update install docs 2022-09-02 22:18:23 +03:00			`"code.gitea.io/gitea/tests"`
Move go-licenses to generate and separate generate into a frontend and backend component (#21061) The `go-licenses` make task introduced in #21034 is being run on make vendor and occasionally causes an empty go-licenses file if the vendors need to change. This should be moved to the generate task as it is a generated file. Now because of this change we also need to split generation into two separate steps: 1. `generate-backend` 2. `generate-frontend` In the future it would probably be useful to make `generate-swagger` part of `generate-frontend` but it's not tolerated with our .drone.yml Ref #21034 Signed-off-by: Andrew Thornton <art27@cantab.net> Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: delvh <dev.lh@web.de> 2022-09-05 09:04:18 +03:00
Handle CORS requests (#6289) 2019-05-13 18:38:53 +03:00			`"github.com/stretchr/testify/assert"`
			`)`

Refactor CORS handler (#28587) The CORS code has been unmaintained for long time, and the behavior is not correct. This PR tries to improve it. The key point is written as comment in code. And add more tests. Fix #28515 Fix #27642 Fix #17098 2023-12-25 15:13:18 +03:00			`func TestCORS(t *testing.T) {`
Kd/ci playwright go test (#20123) * Add initial playwright config * Simplify Makefile * Simplify Makefile * Use correct config files * Update playwright settings * Fix package-lock file * Don't use test logger for e2e tests * fix frontend lint * Allow passing TEST_LOGGER variable * Init postgres database * use standard gitea env variables * Update playwright * update drone * Move empty env var to commands * Cleanup * Move integrations to subfolder * tests integrations to tests integraton * Run e2e tests with go test * Fix linting * install CI deps * Add files to ESlint * Fix drone typo * Don't log to console in CI * Use go test http server * Add build step before tests * Move shared init function to common package * fix drone * Clean up tests * Fix linting * Better mocking for page + version string * Cleanup test generation * Remove dependency on gitea binary * Fix linting * add initial support for running specific tests * Add ACCEPT_VISUAL variable * don't require git-lfs * Add initial documentation * Review feedback * Add logged in session test * Attempt fixing drone race * Cleanup and bump version * Bump deps * Review feedback * simplify installation * Fix ci * Update install docs 2022-09-02 22:18:23 +03:00			`defer tests.PrepareTestEnv(t)()`
Refactor CORS handler (#28587) The CORS code has been unmaintained for long time, and the behavior is not correct. This PR tries to improve it. The key point is written as comment in code. And add more tests. Fix #28515 Fix #27642 Fix #17098 2023-12-25 15:13:18 +03:00			`t.Run("CORS enabled", func(t *testing.T) {`
			`defer test.MockVariableValue(&setting.CORSConfig.Enabled, true)()`
			`defer test.MockVariableValue(&testWebRoutes, routers.NormalRoutes())()`

			`t.Run("API with CORS", func(t *testing.T) {`
			`// GET api with no CORS header`
			`req := NewRequest(t, "GET", "/api/v1/version")`
			`resp := MakeRequest(t, req, http.StatusOK)`
			`assert.Empty(t, resp.Header().Get("Access-Control-Allow-Origin"))`
			`assert.Contains(t, resp.Header().Values("Vary"), "Origin")`

			`// OPTIONS api for CORS`
			`req = NewRequest(t, "OPTIONS", "/api/v1/version").`
			`SetHeader("Origin", "https://example.com").`
			`SetHeader("Access-Control-Request-Method", "GET")`
			`resp = MakeRequest(t, req, http.StatusOK)`
			`assert.NotEmpty(t, resp.Header().Get("Access-Control-Allow-Origin"))`
			`assert.Contains(t, resp.Header().Values("Vary"), "Origin")`
			`})`

			`t.Run("Web with CORS", func(t *testing.T) {`
			`// GET userinfo with no CORS header`
			`req := NewRequest(t, "GET", "/login/oauth/userinfo")`
			`resp := MakeRequest(t, req, http.StatusUnauthorized)`
			`assert.Empty(t, resp.Header().Get("Access-Control-Allow-Origin"))`
			`assert.Contains(t, resp.Header().Values("Vary"), "Origin")`

			`// OPTIONS userinfo for CORS`
			`req = NewRequest(t, "OPTIONS", "/login/oauth/userinfo").`
			`SetHeader("Origin", "https://example.com").`
			`SetHeader("Access-Control-Request-Method", "GET")`
			`resp = MakeRequest(t, req, http.StatusOK)`
			`assert.NotEmpty(t, resp.Header().Get("Access-Control-Allow-Origin"))`
			`assert.Contains(t, resp.Header().Values("Vary"), "Origin")`

			`// OPTIONS userinfo for non-CORS`
			`req = NewRequest(t, "OPTIONS", "/login/oauth/userinfo")`
			`resp = MakeRequest(t, req, http.StatusMethodNotAllowed)`
			`assert.NotContains(t, resp.Header().Values("Vary"), "Origin")`
			`})`
			`})`

			`t.Run("CORS disabled", func(t *testing.T) {`
			`defer test.MockVariableValue(&setting.CORSConfig.Enabled, false)()`
			`defer test.MockVariableValue(&testWebRoutes, routers.NormalRoutes())()`

			`t.Run("API without CORS", func(t *testing.T) {`
			`req := NewRequest(t, "GET", "/api/v1/version")`
			`resp := MakeRequest(t, req, http.StatusOK)`
			`assert.Empty(t, resp.Header().Get("Access-Control-Allow-Origin"))`
			`assert.Empty(t, resp.Header().Values("Vary"))`

			`req = NewRequest(t, "OPTIONS", "/api/v1/version").`
			`SetHeader("Origin", "https://example.com").`
			`SetHeader("Access-Control-Request-Method", "GET")`
			`resp = MakeRequest(t, req, http.StatusMethodNotAllowed)`
			`assert.Empty(t, resp.Header().Get("Access-Control-Allow-Origin"))`
			`assert.Empty(t, resp.Header().Values("Vary"))`
			`})`

			`t.Run("Web without CORS", func(t *testing.T) {`
			`req := NewRequest(t, "GET", "/login/oauth/userinfo")`
			`resp := MakeRequest(t, req, http.StatusUnauthorized)`
			`assert.Empty(t, resp.Header().Get("Access-Control-Allow-Origin"))`
			`assert.NotContains(t, resp.Header().Values("Vary"), "Origin")`

			`req = NewRequest(t, "OPTIONS", "/login/oauth/userinfo").`
			`SetHeader("Origin", "https://example.com").`
			`SetHeader("Access-Control-Request-Method", "GET")`
			`resp = MakeRequest(t, req, http.StatusMethodNotAllowed)`
			`assert.Empty(t, resp.Header().Get("Access-Control-Allow-Origin"))`
			`assert.NotContains(t, resp.Header().Values("Vary"), "Origin")`
			`})`
			`})`
Handle CORS requests (#6289) 2019-05-13 18:38:53 +03:00			`}`