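// Copyright 2019 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT

package integration

import (
	"net/http"
	"testing"

	"code.gitea.io/gitea/modules/setting"
	"code.gitea.io/gitea/modules/test"
	"code.gitea.io/gitea/routers"
	"code.gitea.io/gitea/tests"

	"github.com/stretchr/testify/assert"
)

// corsTestOrigin is the cross-site origin sent on every CORS preflight below.
const corsTestOrigin = "https://example.com"

// requestWithoutOrigin issues a plain request (no Origin header, i.e. not a
// CORS request) against path, asserts expectedStatus, and passes the response
// headers to check.
func requestWithoutOrigin(t *testing.T, method, path string, expectedStatus int, check func(h http.Header)) {
	t.Helper()
	req := NewRequest(t, method, path)
	resp := MakeRequest(t, req, expectedStatus)
	check(resp.Header())
}

// preflightCORS issues a CORS preflight (OPTIONS carrying Origin and
// Access-Control-Request-Method) against path, asserts expectedStatus, and
// passes the response headers to check.
func preflightCORS(t *testing.T, path string, expectedStatus int, check func(h http.Header)) {
	t.Helper()
	req := NewRequest(t, "OPTIONS", path)
	req.Header.Set("Origin", corsTestOrigin)
	req.Header.Set("Access-Control-Request-Method", "GET")
	resp := MakeRequest(t, req, expectedStatus)
	check(resp.Header())
}

// TestCORS checks the CORS behaviour of the API and of the OAuth userinfo
// endpoint with setting.CORSConfig.Enabled toggled on and off.
//
// Two headers are inspected: Access-Control-Allow-Origin, which must only be
// emitted for an actual cross-origin request while CORS is enabled, and Vary,
// which must list "Origin" whenever CORS is enabled so that shared caches key
// the response on the requesting origin instead of serving one origin's
// answer to another.
func TestCORS(t *testing.T) {
	defer tests.PrepareTestEnv(t)()

	t.Run("CORS enabled", func(t *testing.T) {
		defer test.MockVariableValue(&setting.CORSConfig.Enabled, true)()
		// Routes are rebuilt so the mocked CORS setting is picked up by the middleware.
		defer test.MockVariableValue(&testWebRoutes, routers.NormalRoutes())()

		t.Run("API with CORS", func(t *testing.T) {
			// GET api with no CORS header: no allow-origin, but Vary: Origin is still set.
			requestWithoutOrigin(t, "GET", "/api/v1/version", http.StatusOK, func(h http.Header) {
				assert.Empty(t, h.Get("Access-Control-Allow-Origin"))
				assert.Contains(t, h.Values("Vary"), "Origin")
			})

			// OPTIONS api for CORS.
			// NOTE(review): only non-emptiness is asserted; the exact allowed-origin
			// value depends on setting.CORSConfig.AllowDomain in the test config — confirm.
			preflightCORS(t, "/api/v1/version", http.StatusOK, func(h http.Header) {
				assert.NotEmpty(t, h.Get("Access-Control-Allow-Origin"))
				assert.Contains(t, h.Values("Vary"), "Origin")
			})
		})

		t.Run("Web with CORS", func(t *testing.T) {
			// GET userinfo with no CORS header: unauthenticated, so 401, and no allow-origin.
			requestWithoutOrigin(t, "GET", "/login/oauth/userinfo", http.StatusUnauthorized, func(h http.Header) {
				assert.Empty(t, h.Get("Access-Control-Allow-Origin"))
				assert.Contains(t, h.Values("Vary"), "Origin")
			})

			// OPTIONS userinfo for CORS.
			preflightCORS(t, "/login/oauth/userinfo", http.StatusOK, func(h http.Header) {
				assert.NotEmpty(t, h.Get("Access-Control-Allow-Origin"))
				assert.Contains(t, h.Values("Vary"), "Origin")
			})

			// OPTIONS userinfo for non-CORS: without an Origin header this is not a
			// preflight, so the route's own method handling (405) applies and no
			// CORS headers are added.
			requestWithoutOrigin(t, "OPTIONS", "/login/oauth/userinfo", http.StatusMethodNotAllowed, func(h http.Header) {
				assert.NotContains(t, h.Values("Vary"), "Origin")
			})
		})
	})

	t.Run("CORS disabled", func(t *testing.T) {
		defer test.MockVariableValue(&setting.CORSConfig.Enabled, false)()
		defer test.MockVariableValue(&testWebRoutes, routers.NormalRoutes())()

		t.Run("API without CORS", func(t *testing.T) {
			requestWithoutOrigin(t, "GET", "/api/v1/version", http.StatusOK, func(h http.Header) {
				assert.Empty(t, h.Get("Access-Control-Allow-Origin"))
				assert.Empty(t, h.Values("Vary"))
			})

			// With CORS off a preflight is an ordinary OPTIONS request and is rejected.
			preflightCORS(t, "/api/v1/version", http.StatusMethodNotAllowed, func(h http.Header) {
				assert.Empty(t, h.Get("Access-Control-Allow-Origin"))
				assert.Empty(t, h.Values("Vary"))
			})
		})

		t.Run("Web without CORS", func(t *testing.T) {
			requestWithoutOrigin(t, "GET", "/login/oauth/userinfo", http.StatusUnauthorized, func(h http.Header) {
				assert.Empty(t, h.Get("Access-Control-Allow-Origin"))
				assert.NotContains(t, h.Values("Vary"), "Origin")
			})

			preflightCORS(t, "/login/oauth/userinfo", http.StatusMethodNotAllowed, func(h http.Header) {
				assert.Empty(t, h.Get("Access-Control-Allow-Origin"))
				assert.NotContains(t, h.Values("Vary"), "Origin")
			})
		})
	})
}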