2019-05-13 09:38:53 -06:00
|
|
|
// Copyright 2019 The Gitea Authors. All rights reserved.
|
2022-11-27 11:20:29 -07:00
|
|
|
// SPDX-License-Identifier: MIT
|
2019-05-13 09:38:53 -06:00
|
|
|
|
2022-09-02 13:18:23 -06:00
|
|
|
package integration
|
2019-05-13 09:38:53 -06:00
|
|
|
|
|
|
|
import (
|
|
|
|
"net/http"
|
|
|
|
"testing"
|
|
|
|
|
2023-12-25 06:01:24 -07:00
|
|
|
"code.gitea.io/gitea/modules/setting"
|
|
|
|
"code.gitea.io/gitea/modules/test"
|
|
|
|
"code.gitea.io/gitea/routers"
|
2022-09-02 13:18:23 -06:00
|
|
|
"code.gitea.io/gitea/tests"
|
2022-09-05 00:04:18 -06:00
|
|
|
|
2019-05-13 09:38:53 -06:00
|
|
|
"github.com/stretchr/testify/assert"
|
|
|
|
)
|
|
|
|
|
2023-12-25 06:01:24 -07:00
|
|
|
func TestCORS(t *testing.T) {
|
2022-09-02 13:18:23 -06:00
|
|
|
defer tests.PrepareTestEnv(t)()
|
2023-12-25 06:01:24 -07:00
|
|
|
t.Run("CORS enabled", func(t *testing.T) {
|
|
|
|
defer test.MockVariableValue(&setting.CORSConfig.Enabled, true)()
|
|
|
|
defer test.MockVariableValue(&testWebRoutes, routers.NormalRoutes())()
|
|
|
|
|
|
|
|
t.Run("API with CORS", func(t *testing.T) {
|
|
|
|
// GET api with no CORS header
|
|
|
|
req := NewRequest(t, "GET", "/api/v1/version")
|
|
|
|
resp := MakeRequest(t, req, http.StatusOK)
|
|
|
|
assert.Empty(t, resp.Header().Get("Access-Control-Allow-Origin"))
|
|
|
|
assert.Contains(t, resp.Header().Values("Vary"), "Origin")
|
|
|
|
|
|
|
|
// OPTIONS api for CORS
|
|
|
|
req = NewRequest(t, "OPTIONS", "/api/v1/version")
|
|
|
|
req.Header.Set("Origin", "https://example.com")
|
|
|
|
req.Header.Set("Access-Control-Request-Method", "GET")
|
|
|
|
resp = MakeRequest(t, req, http.StatusOK)
|
|
|
|
assert.NotEmpty(t, resp.Header().Get("Access-Control-Allow-Origin"))
|
|
|
|
assert.Contains(t, resp.Header().Values("Vary"), "Origin")
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("Web with CORS", func(t *testing.T) {
|
|
|
|
// GET userinfo with no CORS header
|
|
|
|
req := NewRequest(t, "GET", "/login/oauth/userinfo")
|
|
|
|
resp := MakeRequest(t, req, http.StatusUnauthorized)
|
|
|
|
assert.Empty(t, resp.Header().Get("Access-Control-Allow-Origin"))
|
|
|
|
assert.Contains(t, resp.Header().Values("Vary"), "Origin")
|
|
|
|
|
|
|
|
// OPTIONS userinfo for CORS
|
|
|
|
req = NewRequest(t, "OPTIONS", "/login/oauth/userinfo")
|
|
|
|
req.Header.Set("Origin", "https://example.com")
|
|
|
|
req.Header.Set("Access-Control-Request-Method", "GET")
|
|
|
|
resp = MakeRequest(t, req, http.StatusOK)
|
|
|
|
assert.NotEmpty(t, resp.Header().Get("Access-Control-Allow-Origin"))
|
|
|
|
assert.Contains(t, resp.Header().Values("Vary"), "Origin")
|
|
|
|
|
|
|
|
// OPTIONS userinfo for non-CORS
|
|
|
|
req = NewRequest(t, "OPTIONS", "/login/oauth/userinfo")
|
|
|
|
resp = MakeRequest(t, req, http.StatusMethodNotAllowed)
|
|
|
|
assert.NotContains(t, resp.Header().Values("Vary"), "Origin")
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("CORS disabled", func(t *testing.T) {
|
|
|
|
defer test.MockVariableValue(&setting.CORSConfig.Enabled, false)()
|
|
|
|
defer test.MockVariableValue(&testWebRoutes, routers.NormalRoutes())()
|
|
|
|
|
|
|
|
t.Run("API without CORS", func(t *testing.T) {
|
|
|
|
req := NewRequest(t, "GET", "/api/v1/version")
|
|
|
|
resp := MakeRequest(t, req, http.StatusOK)
|
|
|
|
assert.Empty(t, resp.Header().Get("Access-Control-Allow-Origin"))
|
|
|
|
assert.Empty(t, resp.Header().Values("Vary"))
|
|
|
|
|
|
|
|
req = NewRequest(t, "OPTIONS", "/api/v1/version")
|
|
|
|
req.Header.Set("Origin", "https://example.com")
|
|
|
|
req.Header.Set("Access-Control-Request-Method", "GET")
|
|
|
|
resp = MakeRequest(t, req, http.StatusMethodNotAllowed)
|
|
|
|
assert.Empty(t, resp.Header().Get("Access-Control-Allow-Origin"))
|
|
|
|
assert.Empty(t, resp.Header().Values("Vary"))
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("Web without CORS", func(t *testing.T) {
|
|
|
|
req := NewRequest(t, "GET", "/login/oauth/userinfo")
|
|
|
|
resp := MakeRequest(t, req, http.StatusUnauthorized)
|
|
|
|
assert.Empty(t, resp.Header().Get("Access-Control-Allow-Origin"))
|
|
|
|
assert.NotContains(t, resp.Header().Values("Vary"), "Origin")
|
|
|
|
|
|
|
|
req = NewRequest(t, "OPTIONS", "/login/oauth/userinfo")
|
|
|
|
req.Header.Set("Origin", "https://example.com")
|
|
|
|
req.Header.Set("Access-Control-Request-Method", "GET")
|
|
|
|
resp = MakeRequest(t, req, http.StatusMethodNotAllowed)
|
|
|
|
assert.Empty(t, resp.Header().Get("Access-Control-Allow-Origin"))
|
|
|
|
assert.NotContains(t, resp.Header().Values("Vary"), "Origin")
|
|
|
|
})
|
|
|
|
})
|
2019-05-13 09:38:53 -06:00
|
|
|
}
|