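/**
 * Exercises CorsService::handlePreflightRequest() end to end: the rejection
 * responses (403 for origin/header, 405 for method), the success path, the
 * InvalidArgument cases for an incomplete preflight, the Access-Control-Allow-*
 * headers emitted, and the configurable "not allowed" response callbacks.
 *
 * Each specify block sets the request headers itself instead of relying on
 * state left by an earlier block (presumably because specify() restores object
 * properties between blocks — confirm against the Specify version in use).
 */
public function testHandlePreflightRequest()
{
    $this->service = new CorsService();
    $this->request = new Request();

    $this->specify('403 response if origin is not allowed', function () {
        $this->request->headers->set('Origin', 'http://foo.com');
        $this->request->headers->set('Access-Control-Request-Method', 'POST');
        $this->request->headers->set('Access-Control-Request-Headers', 'accept, authorization, content-type');
        $response = $this->service->handlePreflightRequest($this->request);
        verify($response->getStatusCode())->equals(403);
    });

    $this->service = new CorsService(['allow_origins' => ['http://foo.com']]);
    $this->specify('405 response if method is not allowed', function () {
        $this->request->headers->set('Origin', 'http://foo.com');
        $this->request->headers->set('Access-Control-Request-Method', 'POST');
        $this->request->headers->set('Access-Control-Request-Headers', 'accept, authorization, content-type');
        $response = $this->service->handlePreflightRequest($this->request);
        verify($response->getStatusCode())->equals(405);
    });

    $this->service = new CorsService(['allow_origins' => ['http://foo.com'], 'allow_methods' => ['post']]);
    $this->specify('403 response if header is not allowed', function () {
        $this->request->headers->set('Origin', 'http://foo.com');
        $this->request->headers->set('Access-Control-Request-Method', 'POST');
        $this->request->headers->set('Access-Control-Request-Headers', 'accept, authorization, content-type');
        $response = $this->service->handlePreflightRequest($this->request);
        // Previously missing: without this assertion the block passed even if
        // the service accepted request headers that are not on the allow list.
        verify($response->getStatusCode())->equals(403);
    });

    $this->service = new CorsService(['allow_origins' => ['http://foo.com'], 'allow_methods' => ['post'], 'allow_headers' => ['accept', 'authorization', 'content-type']]);
    $this->specify('200 response when origin, method and headers are allowed', function () {
        $this->request->headers->set('Origin', 'http://foo.com');
        $this->request->headers->set('Access-Control-Request-Method', 'POST');
        $this->request->headers->set('Access-Control-Request-Headers', 'accept, authorization, content-type');
        $response = $this->service->handlePreflightRequest($this->request);
        verify($response->getStatusCode())->equals(200);
    });

    $this->service = new CorsService(['allow_origins' => ['*']]);
    $this->specify('InvalidArgument exception when origin is not set', function () {
        // No Origin header is set on the request at this point.
        $this->service->handlePreflightRequest($this->request);
    }, ['throws' => 'Nord\\Lumen\\Cors\\Exceptions\\InvalidArgument']);

    // The intermediate service built with the full foo.com config here was
    // overwritten immediately and never used, so it has been dropped.
    $this->service = new CorsService(['allow_origins' => ['*'], 'allow_headers' => ['accept']]);
    $this->specify('InvalidArgument exception when header is not set', function () {
        // Access-Control-Request-Method is deliberately left unset.
        $this->request->headers->set('Origin', 'http://foo.com');
        $this->request->headers->set('Access-Control-Request-Headers', 'accept, ');
        $this->service->handlePreflightRequest($this->request);
    }, ['throws' => 'Nord\\Lumen\\Cors\\Exceptions\\InvalidArgument']);

    $this->service = new CorsService(['allow_origins' => ['http://foo.com'], 'allow_methods' => ['post'], 'allow_headers' => ['accept', 'authorization', 'content-type']]);
    $this->specify('response headers are set', function () {
        $this->request->headers->set('Origin', 'http://foo.com');
        $this->request->headers->set('Access-Control-Request-Method', 'POST');
        $this->request->headers->set('Access-Control-Request-Headers', 'accept, authorization, content-type');
        $response = $this->service->handlePreflightRequest($this->request);
        verify($response->headers->get('Access-Control-Allow-Origin'))->equals('http://foo.com');
        verify($response->headers->get('Access-Control-Allow-Methods'))->equals('POST');
        verify($response->headers->get('Access-Control-Allow-Headers'))->equals('accept, authorization, content-type');
        // Credentials and Max-Age must not be emitted unless configured.
        verify($response->headers->has('Access-Control-Allow-Credentials'))->false();
        verify($response->headers->has('Access-Control-Max-Age'))->false();
    });

    $this->service = new CorsService(['allow_origins' => ['*'], 'allow_methods' => ['*'], 'allow_headers' => ['*'], 'allow_credentials' => true]);
    $this->specify('response credentials header is set', function () {
        $this->request->headers->set('Origin', 'http://foo.com');
        $this->request->headers->set('Access-Control-Request-Method', 'POST');
        $this->request->headers->set('Access-Control-Request-Headers', 'accept, authorization, content-type');
        $response = $this->service->handlePreflightRequest($this->request);
        verify($response->headers->get('Access-Control-Allow-Credentials'))->equals('true');
    });

    $this->service = new CorsService(['allow_origins' => ['*'], 'allow_methods' => ['*'], 'allow_headers' => ['*'], 'max_age' => 3600]);
    $this->specify('response max-age header is set', function () {
        $this->request->headers->set('Origin', 'http://foo.com');
        $this->request->headers->set('Access-Control-Request-Method', 'POST');
        $this->request->headers->set('Access-Control-Request-Headers', 'accept, authorization, content-type');
        $response = $this->service->handlePreflightRequest($this->request);
        verify($response->headers->get('Access-Control-Max-Age'))->equals(3600);
    });

    $this->service = new CorsService(['allow_origins' => ['http://foo.com'], 'origin_not_allowed' => function () {
        return new Response('INVALID ORIGIN', 403);
    }]);
    $this->specify('response origin_not_allowed header is set', function () {
        $this->request->headers->set('Origin', 'http://bar.com');
        $response = $this->service->handlePreflightRequest($this->request);
        verify($response->getStatusCode())->equals(403);
        verify($response->getContent())->equals('INVALID ORIGIN');
    });

    $this->service = new CorsService(['allow_origins' => ['*'], 'allow_methods' => ['GET'], 'method_not_allowed' => function () {
        return new Response('INVALID METHOD', 403);
    }]);
    $this->specify('response method_not_allowed header is set', function () {
        $this->request->headers->set('Origin', 'http://foo.com');
        $this->request->headers->set('Access-Control-Request-Method', 'POST');
        $response = $this->service->handlePreflightRequest($this->request);
        verify($response->getStatusCode())->equals(403);
        verify($response->getContent())->equals('INVALID METHOD');
    });

    $this->service = new CorsService(['allow_origins' => ['*'], 'allow_headers' => ['accept'], 'header_not_allowed' => function () {
        return new Response('INVALID HEADER', 403);
    }]);
    $this->specify('response header_not_allowed header is set', function () {
        $this->request->headers->set('Origin', 'http://foo.com');
        $this->request->headers->set('Access-Control-Request-Headers', 'accept, authorization');
        $response = $this->service->handlePreflightRequest($this->request);
        verify($response->getStatusCode())->equals(403);
        verify($response->getContent())->equals('INVALID HEADER');
    });
}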
/**
 * Covers CorsService::handlePreflightRequest() with camelCase config keys:
 * origin/method/header rejections (403, 405, 403), the 200 success path, the
 * Access-Control-Allow-* headers it emits, and the optional credentials and
 * max-age headers.
 *
 * The request headers are re-applied inside every specify block rather than
 * once up front (presumably because specify() restores object properties
 * between blocks — confirm against the Specify version in use).
 */
public function testHandlePreflightRequest()
{
    $this->service = new CorsService();
    $this->request = new Request();

    // Stages the same well-formed preflight request every block starts from.
    $primeRequest = function () {
        $this->request->headers->set('Origin', 'http://foo.com');
        $this->request->headers->set('Access-Control-Request-Method', 'POST');
        $this->request->headers->set('Access-Control-Request-Headers', 'accept, authorization, content-type');
    };

    // Checks only the status code of a primed preflight against the current service.
    $expectStatus = function ($status) use ($primeRequest) {
        $primeRequest();
        $reply = $this->service->handlePreflightRequest($this->request);
        verify($reply->getStatusCode())->equals($status);
    };

    $this->specify('403 response if origin is not allowed', function () use ($expectStatus) {
        $expectStatus(403);
    });

    $this->service = new CorsService(['allowOrigins' => ['http://foo.com']]);
    $this->specify('405 response if method is not allowed', function () use ($expectStatus) {
        $expectStatus(405);
    });

    $this->service = new CorsService(['allowOrigins' => ['http://foo.com'], 'allowMethods' => ['post']]);
    $this->specify('403 response if header is not allowed', function () use ($expectStatus) {
        $expectStatus(403);
    });

    $fullyAllowed = ['allowOrigins' => ['http://foo.com'], 'allowMethods' => ['post'], 'allowHeaders' => ['accept', 'authorization', 'content-type']];

    $this->service = new CorsService($fullyAllowed);
    $this->specify('200 response when origin, method and headers are allowed', function () use ($expectStatus) {
        $expectStatus(200);
    });

    $this->service = new CorsService($fullyAllowed);
    $this->specify('response headers are set', function () use ($primeRequest) {
        $primeRequest();
        $reply = $this->service->handlePreflightRequest($this->request);
        verify($reply->headers->get('Access-Control-Allow-Origin'))->equals('http://foo.com');
        verify($reply->headers->get('Access-Control-Allow-Methods'))->equals('POST');
        verify($reply->headers->get('Access-Control-Allow-Headers'))->equals('accept, authorization, content-type');
        // Neither optional header may appear unless it was configured.
        verify($reply->headers->has('Access-Control-Allow-Credentials'))->false();
        verify($reply->headers->has('Access-Control-Max-Age'))->false();
    });

    $this->service = new CorsService(['allowOrigins' => ['*'], 'allowMethods' => ['*'], 'allowHeaders' => ['*'], 'allowCredentials' => true]);
    $this->specify('response credentials header is set', function () use ($primeRequest) {
        $primeRequest();
        $reply = $this->service->handlePreflightRequest($this->request);
        verify($reply->headers->get('Access-Control-Allow-Credentials'))->equals('true');
    });

    $this->service = new CorsService(['allowOrigins' => ['*'], 'allowMethods' => ['*'], 'allowHeaders' => ['*'], 'maxAge' => 3600]);
    $this->specify('response max-age header is set', function () use ($primeRequest) {
        $primeRequest();
        $reply = $this->service->handlePreflightRequest($this->request);
        verify($reply->headers->get('Access-Control-Max-Age'))->equals(3600);
    });
}