2020-12-31 15:28:06 +03:00
|
|
|
<?php
|
|
|
|
|
|
|
|
declare(strict_types=1);
|
|
|
|
|
|
|
|
namespace ShlinkioApiTest\Shlink\Rest\Middleware;
|
|
|
|
|
|
|
|
use GuzzleHttp\RequestOptions;
|
2023-02-09 22:42:18 +03:00
|
|
|
use PHPUnit\Framework\Attributes\DataProvider;
|
|
|
|
use PHPUnit\Framework\Attributes\Test;
|
2020-12-31 15:28:06 +03:00
|
|
|
use Shlinkio\Shlink\TestUtils\ApiTest\ApiTestCase;
|
|
|
|
|
|
|
|
class CorsTest extends ApiTestCase
|
|
|
|
{
|
2023-02-09 22:42:18 +03:00
|
|
|
#[Test]
|
2020-12-31 15:28:06 +03:00
|
|
|
public function responseDoesNotIncludeCorsHeadersWhenOriginIsNotSent(): void
|
|
|
|
{
|
|
|
|
$resp = $this->callApiWithKey(self::METHOD_GET, '/short-urls');
|
|
|
|
|
|
|
|
self::assertEquals(200, $resp->getStatusCode());
|
|
|
|
self::assertFalse($resp->hasHeader('Access-Control-Allow-Origin'));
|
|
|
|
self::assertFalse($resp->hasHeader('Access-Control-Allow-Methods'));
|
|
|
|
self::assertFalse($resp->hasHeader('Access-Control-Max-Age'));
|
|
|
|
self::assertFalse($resp->hasHeader('Access-Control-Allow-Headers'));
|
|
|
|
}
|
|
|
|
|
2023-02-09 22:42:18 +03:00
|
|
|
#[Test, DataProvider('provideOrigins')]
|
2020-12-31 15:28:06 +03:00
|
|
|
public function responseIncludesCorsHeadersIfOriginIsSent(
|
|
|
|
string $origin,
|
|
|
|
string $endpoint,
|
2021-05-23 13:31:10 +03:00
|
|
|
int $expectedStatusCode,
|
2020-12-31 15:28:06 +03:00
|
|
|
): void {
|
|
|
|
$resp = $this->callApiWithKey(self::METHOD_GET, $endpoint, [
|
|
|
|
RequestOptions::HEADERS => ['Origin' => $origin],
|
|
|
|
]);
|
|
|
|
|
|
|
|
self::assertEquals($expectedStatusCode, $resp->getStatusCode());
|
2021-01-24 11:22:46 +03:00
|
|
|
self::assertEquals('*', $resp->getHeaderLine('Access-Control-Allow-Origin'));
|
2020-12-31 15:28:06 +03:00
|
|
|
self::assertFalse($resp->hasHeader('Access-Control-Allow-Methods'));
|
|
|
|
self::assertFalse($resp->hasHeader('Access-Control-Max-Age'));
|
|
|
|
self::assertFalse($resp->hasHeader('Access-Control-Allow-Headers'));
|
|
|
|
}
|
|
|
|
|
2023-02-09 11:32:38 +03:00
|
|
|
public static function provideOrigins(): iterable
|
2020-12-31 15:28:06 +03:00
|
|
|
{
|
|
|
|
yield 'foo.com' => ['foo.com', '/short-urls', 200];
|
|
|
|
yield 'bar.io' => ['bar.io', '/foo/bar', 404];
|
|
|
|
yield 'baz.dev' => ['baz.dev', '/short-urls', 200];
|
|
|
|
}
|
|
|
|
|
2023-02-09 22:42:18 +03:00
|
|
|
#[Test, DataProvider('providePreflightEndpoints')]
|
2020-12-31 15:28:06 +03:00
|
|
|
public function preflightRequestsIncludeExtraCorsHeaders(string $endpoint, string $expectedAllowedMethods): void
|
|
|
|
{
|
|
|
|
$allowedHeaders = 'Authorization';
|
|
|
|
$resp = $this->callApiWithKey(self::METHOD_OPTIONS, $endpoint, [
|
|
|
|
RequestOptions::HEADERS => [
|
|
|
|
'Origin' => 'foo.com',
|
|
|
|
'Access-Control-Request-Headers' => $allowedHeaders,
|
|
|
|
],
|
|
|
|
]);
|
|
|
|
|
|
|
|
self::assertEquals(204, $resp->getStatusCode());
|
|
|
|
self::assertTrue($resp->hasHeader('Access-Control-Allow-Origin'));
|
|
|
|
self::assertTrue($resp->hasHeader('Access-Control-Max-Age'));
|
|
|
|
self::assertEquals($expectedAllowedMethods, $resp->getHeaderLine('Access-Control-Allow-Methods'));
|
|
|
|
self::assertEquals($allowedHeaders, $resp->getHeaderLine('Access-Control-Allow-Headers'));
|
|
|
|
}
|
|
|
|
|
2023-02-09 11:32:38 +03:00
|
|
|
public static function providePreflightEndpoints(): iterable
|
2020-12-31 15:28:06 +03:00
|
|
|
{
|
2022-08-04 12:49:33 +03:00
|
|
|
yield 'invalid route' => ['/foo/bar', 'GET,POST,PUT,PATCH,DELETE']; // TODO This won't work with multi-segment
|
2021-01-24 15:49:57 +03:00
|
|
|
yield 'short URLs route' => ['/short-urls', 'GET,POST'];
|
2022-08-04 12:14:26 +03:00
|
|
|
yield 'tags route' => ['/tags', 'GET,DELETE,PUT'];
|
2021-01-24 15:49:57 +03:00
|
|
|
yield 'health route' => ['/health', 'GET'];
|
2020-12-31 15:28:06 +03:00
|
|
|
}
|
|
|
|
}
|