
Commit 4dcfc6d

CBG-2877 allow options to contain db-scoped CORS (#6205)
* CBG-2877 allow options to contain db-scoped CORS * Use pathVars from router.Match to determine keyspace --------- Co-authored-by: adamcfraser <[email protected]>
1 parent 7b8b5d5 commit 4dcfc6d


3 files changed

+296
-128
lines changed


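--- a/rest/api_test.go
+++ b/rest/api_test.go
@@ -255,26 +255,50 @@ func TestCORSOrigin(t *testing.T) {
 reqHeaders := map[string]string{
 "Origin": tc.origin,
 }
-response := rt.SendRequestWithHeaders("GET", "/{{.keyspace}}/", "", reqHeaders)
-assert.Equal(t, tc.headerOutput, response.Header().Get("Access-Control-Allow-Origin"))
-RequireStatus(t, response, http.StatusBadRequest)
-require.Contains(t, response.Body.String(), invalidDatabaseName)
-
-response = rt.SendRequestWithHeaders("GET", "/{{.db}}/", "", reqHeaders)
-assert.Equal(t, tc.headerOutput, response.Header().Get("Access-Control-Allow-Origin"))
-RequireStatus(t, response, http.StatusUnauthorized)
-require.Contains(t, response.Body.String(), ErrLoginRequired.Message)
-
-response = rt.SendRequestWithHeaders("GET", "/notadb/", "", reqHeaders)
-assert.Equal(t, tc.headerOutput, response.Header().Get("Access-Control-Allow-Origin"))
-RequireStatus(t, response, http.StatusUnauthorized)
-require.Contains(t, response.Body.String(), ErrLoginRequired.Message)
-
-// admin port doesn't have CORS
-response = rt.SendAdminRequestWithHeaders("GET", "/{{.keyspace}}/_all_docs", "", reqHeaders)
-assert.Equal(t, "", response.Header().Get("Access-Control-Allow-Origin"))
-RequireStatus(t, response, http.StatusOK)
+for _, method := range []string{http.MethodGet, http.MethodOptions} {
+response := rt.SendRequestWithHeaders(method, "/{{.keyspace}}/", "", reqHeaders)
+assert.Equal(t, tc.headerOutput, response.Header().Get("Access-Control-Allow-Origin"))
+if method == http.MethodGet {
+RequireStatus(t, response, http.StatusBadRequest)
+require.Contains(t, response.Body.String(), invalidDatabaseName)
+} else {
+RequireStatus(t, response, http.StatusNoContent)
+
+}
+}
+for _, method := range []string{http.MethodGet, http.MethodOptions} {
+response := rt.SendRequestWithHeaders(method, "/{{.db}}/", "", reqHeaders)
+assert.Equal(t, tc.headerOutput, response.Header().Get("Access-Control-Allow-Origin"))
+if method == http.MethodGet {
+RequireStatus(t, response, http.StatusUnauthorized)
+require.Contains(t, response.Body.String(), ErrLoginRequired.Message)
+} else {
+RequireStatus(t, response, http.StatusNoContent)
 
+}
+}
+for _, method := range []string{http.MethodGet, http.MethodOptions} {
+response := rt.SendRequestWithHeaders(method, "/notadb/", "", reqHeaders)
+assert.Equal(t, tc.headerOutput, response.Header().Get("Access-Control-Allow-Origin"))
+if method == http.MethodGet {
+RequireStatus(t, response, http.StatusUnauthorized)
+require.Contains(t, response.Body.String(), ErrLoginRequired.Message)
+} else {
+RequireStatus(t, response, http.StatusNoContent)
+
+}
+}
+
+for _, method := range []string{http.MethodGet, http.MethodOptions} {
+// admin port doesn't have CORS
+response := rt.SendAdminRequestWithHeaders(method, "/{{.keyspace}}/_all_docs", "", reqHeaders)
+assert.Equal(t, "", response.Header().Get("Access-Control-Allow-Origin"))
+if method == http.MethodGet {
+RequireStatus(t, response, http.StatusOK)
+} else {
+RequireStatus(t, response, http.StatusNoContent)
+}
+}
 // test with a config without * should reject non-matches
 sc := rt.ServerContext()
 defer func() {
@@ -283,8 +307,10 @@ func TestCORSOrigin(t *testing.T) {
 
 sc.Config.API.CORS.Origin = []string{"http://example.com", "http://staging.example.com"}
 if !base.StringSliceContains(sc.Config.API.CORS.Origin, tc.origin) {
-response = rt.SendRequestWithHeaders("GET", "/{{.keyspace}}/", "", reqHeaders)
-assert.Equal(t, "", response.Header().Get("Access-Control-Allow-Origin"))
+for _, method := range []string{http.MethodGet, http.MethodOptions} {
+response := rt.SendRequestWithHeaders(method, "/{{.keyspace}}/", "", reqHeaders)
+assert.Equal(t, "", response.Header().Get("Access-Control-Allow-Origin"))
+}
 }
 })
 }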
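Review bot: The restrictive-origin check in the second hunk still targets only `/{{.keyspace}}/`, a path the first hunk shows is answered with 400 and the invalid-database-name message on GET, so a non-matching origin is never tried against `/{{.db}}/` or `/notadb/`. Since the commit resolves the keyspace for OPTIONS from the matched route, those are the paths where a disallowed origin receiving an `Access-Control-Allow-Origin` header would matter; consider wrapping the loop in `for _, path := range []string{"/{{.keyspace}}/", "/{{.db}}/", "/notadb/"} {` and passing `path` to `SendRequestWithHeaders`. The OPTIONS requests also carry no `Access-Control-Request-Method` header, so they may not follow the same route a browser preflight does; adding it to `reqHeaders` for the OPTIONS iterations would make the preflight case explicit. TestCORSOrigin begins outside the visible hunks and the commit's other two files are not shown here, so coverage there is not assessed.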
