rack-cors 0.4.1 → 1.0.5

data/test/cors/test.cors.js

@@ -1,26 +1,34 @@
-// Generated by CoffeeScript 1.7.1
+// Generated by CoffeeScript 2.3.1
 (function() {
   var CORS_SERVER;
 
-  CORS_SERVER = 'cors-server:3000';
+  CORS_SERVER = '127.0.0.1.xip.io:9292';
 
   describe('CORS', function() {
     it('should allow access to dynamic resource', function(done) {
-      return $.get("http://" + CORS_SERVER + "/", function(data, status, xhr) {
+      return $.get(`http://${CORS_SERVER}/`, function(data, status, xhr) {
         expect(data).to.eql('Hello world');
         return done();
       });
     });
     it('should allow PUT access to dynamic resource', function(done) {
-      return $.ajax("http://" + CORS_SERVER + "/", {
+      return $.ajax(`http://${CORS_SERVER}/`, {
         type: 'PUT'
       }).done(function(data, textStatus, jqXHR) {
         expect(data).to.eql('Hello world');
         return done();
       });
     });
+    it('should allow PATCH access to dynamic resource', function(done) {
+      return $.ajax(`http://${CORS_SERVER}/`, {
+        type: 'PATCH'
+      }).done(function(data, textStatus, jqXHR) {
+        expect(data).to.eql('Hello world');
+        return done();
+      });
+    });
     it('should allow HEAD access to dynamic resource', function(done) {
-      return $.ajax("http://" + CORS_SERVER + "/", {
+      return $.ajax(`http://${CORS_SERVER}/`, {
         type: 'HEAD'
       }).done(function(data, textStatus, jqXHR) {
         expect(jqXHR.status).to.eql(200);
@@ -28,7 +36,7 @@
       });
     });
     it('should allow DELETE access to dynamic resource', function(done) {
-      return $.ajax("http://" + CORS_SERVER + "/", {
+      return $.ajax(`http://${CORS_SERVER}/`, {
         type: 'DELETE'
       }).done(function(data, textStatus, jqXHR) {
         expect(data).to.eql('Hello world');
@@ -36,7 +44,7 @@
       });
     });
     it('should allow OPTIONS access to dynamic resource', function(done) {
-      return $.ajax("http://" + CORS_SERVER + "/", {
+      return $.ajax(`http://${CORS_SERVER}/`, {
         type: 'OPTIONS'
       }).done(function(data, textStatus, jqXHR) {
         expect(jqXHR.status).to.eql(200);
@@ -44,7 +52,7 @@
       });
     });
     it('should allow access to static resource', function(done) {
-      return $.get("http://" + CORS_SERVER + "/static.txt", function(data, status, xhr) {
+      return $.get(`http://${CORS_SERVER}/static.txt`, function(data, status, xhr) {
         expect($.trim(data)).to.eql("hello world");
         return done();
       });
@@ -52,7 +60,7 @@
     return it('should allow post resource', function(done) {
       return $.ajax({
         type: 'POST',
-        url: "http://" + CORS_SERVER + "/cors",
+        url: `http://${CORS_SERVER}/cors`,
         beforeSend: function(xhr) {
           return xhr.setRequestHeader('X-Requested-With', 'XMLHTTPRequest');
         },

data/test/unit/cors_test.rb

@@ -17,18 +17,57 @@ Rack::Test::Methods.class_eval do
   def_delegator :current_session, :options
 end
 
+module MiniTest::Assertions
+  def assert_cors_success(response)
+    assert !response.headers['Access-Control-Allow-Origin'].nil?, "Expected a successful CORS response"
+  end
+
+  def assert_not_cors_success(response)
+    assert response.headers['Access-Control-Allow-Origin'].nil?, "Expected a failed CORS response"
+  end
+end
+
+class CaptureResult
+  def initialize(app, options =  {})
+    @app = app
+    @result_holder = options[:holder]
+  end
+
+  def call(env)
+    response = @app.call(env)
+    @result_holder.cors_result = env[Rack::Cors::RACK_CORS]
+    return response
+  end
+end
+
+class FakeProxy
+  def initialize(app, options =  {})
+    @app = app
+  end
+
+  def call(env)
+    status, headers, body = @app.call(env)
+    headers['Vary'] = %w(Origin User-Agent)
+    [status, headers, body]
+  end
+end
+
+Rack::MockResponse.infect_an_assertion :assert_cors_success, :must_render_cors_success, :only_one_argument
+Rack::MockResponse.infect_an_assertion :assert_not_cors_success, :wont_render_cors_success, :only_one_argument
+
 describe Rack::Cors do
   include Rack::Test::Methods
 
   attr_accessor :cors_result
 
-  def load_app(name)
+  def load_app(name, options = {})
     test = self
     Rack::Builder.new do
+      use CaptureResult, :holder => test
       eval File.read(File.dirname(__FILE__) + "/#{name}.ru")
+      use FakeProxy if options[:proxy]
       map('/') do
         run proc { |env|
-          test.cors_result = env[Rack::Cors::ENV_KEY]
           [200, {'Content-Type' => 'text/html'}, ['success']]
         }
       end
@@ -38,84 +77,108 @@ describe Rack::Cors do
   let(:app) { load_app('test') }
 
   it 'should support simple CORS request' do
-    cors_request
+    successful_cors_request
     cors_result.must_be :hit
   end
 
   it "should not return CORS headers if Origin header isn't present" do
     get '/'
-    should_render_cors_failure
+    last_response.wont_render_cors_success
     cors_result.wont_be :hit
   end
 
   it 'should support OPTIONS CORS request' do
-    cors_request '/options', :method => :options
+    successful_cors_request '/options', :method => :options
   end
 
   it 'should support regex origins configuration' do
-    cors_request :origin => 'http://192.168.0.1:1234'
+    successful_cors_request :origin => 'http://192.168.0.1:1234'
   end
 
   it 'should support subdomain example' do
-    cors_request :origin => 'http://subdomain.example.com'
+    successful_cors_request :origin => 'http://subdomain.example.com'
   end
 
   it 'should support proc origins configuration' do
-    cors_request '/proc-origin', :origin => 'http://10.10.10.10:3000'
+    successful_cors_request '/proc-origin', :origin => 'http://10.10.10.10:3000'
+  end
+
+  it 'should support lambda origin configuration' do
+    successful_cors_request '/lambda-origin', :origin => 'http://10.10.10.10:3000'
+  end
+
+  it 'should support proc origins configuration (inverse)' do
+    cors_request '/proc-origin', :origin => 'http://bad.guy'
+    last_response.wont_render_cors_success
   end
 
   it 'should not mix up path rules across origins' do
     header 'Origin', 'http://10.10.10.10:3000'
     get '/' # / is configured in a separate rule block
-    should_render_cors_failure
+    last_response.wont_render_cors_success
   end
 
   it 'should support alternative X-Origin header' do
     header 'X-Origin', 'http://localhost:3000'
     get '/'
-    should_render_cors_success
+    last_response.must_render_cors_success
   end
 
   it 'should support expose header configuration' do
-    cors_request '/expose_single_header'
+    successful_cors_request '/expose_single_header'
     last_response.headers['Access-Control-Expose-Headers'].must_equal 'expose-test'
   end
 
   it 'should support expose multiple header configuration' do
-    cors_request '/expose_multiple_headers'
+    successful_cors_request '/expose_multiple_headers'
     last_response.headers['Access-Control-Expose-Headers'].must_equal 'expose-test-1, expose-test-2'
   end
 
   # Explanation: http://www.fastly.com/blog/best-practices-for-using-the-vary-header/
   it "should add Vary header if resource matches even if Origin header isn't present" do
     get '/'
-    should_render_cors_failure
+    last_response.wont_render_cors_success
     last_response.headers['Vary'].must_equal 'Origin'
   end
 
   it "should add Vary header based on :vary option" do
-    cors_request '/vary_test'
+    successful_cors_request '/vary_test'
     last_response.headers['Vary'].must_equal 'Origin, Host'
   end
 
+  it "decode URL and resolve paths before resource matching" do
+    header 'Origin', 'http://localhost:3000'
+    get '/public/a/..%2F..%2Fprivate/stuff'
+    last_response.wont_render_cors_success
+  end
+
+  describe 'with array of upstream Vary headers' do
+    let(:app) { load_app('test', { proxy: true }) }
+
+    it 'should add to them' do
+      successful_cors_request '/vary_test'
+      last_response.headers['Vary'].must_equal 'Origin, User-Agent, Host'
+    end
+  end
+
   it 'should add Vary header if Access-Control-Allow-Origin header was added and if it is specific' do
-    cors_request '/', :origin => "http://192.168.0.3:8080"
+    successful_cors_request '/', :origin => "http://192.168.0.3:8080"
     last_response.headers['Access-Control-Allow-Origin'].must_equal 'http://192.168.0.3:8080'
     last_response.headers['Vary'].wont_be_nil
   end
 
   it 'should add Vary header even if Access-Control-Allow-Origin header was added and it is generic (*)' do
-    cors_request '/public_without_credentials', :origin => "http://192.168.1.3:8080"
+    successful_cors_request '/public_without_credentials', :origin => "http://192.168.1.3:8080"
     last_response.headers['Access-Control-Allow-Origin'].must_equal '*'
     last_response.headers['Vary'].must_equal 'Origin'
   end
 
   it 'should support multi allow configurations for the same resource' do
-    cors_request '/multi-allow-config', :origin => "http://mucho-grande.com"
+    successful_cors_request '/multi-allow-config', :origin => "http://mucho-grande.com"
     last_response.headers['Access-Control-Allow-Origin'].must_equal 'http://mucho-grande.com'
     last_response.headers['Vary'].must_equal 'Origin'
 
-    cors_request '/multi-allow-config', :origin => "http://192.168.1.3:8080"
+    successful_cors_request '/multi-allow-config', :origin => "http://192.168.1.3:8080"
     last_response.headers['Access-Control-Allow-Origin'].must_equal '*'
     last_response.headers['Vary'].must_equal 'Origin'
   end
@@ -128,15 +191,25 @@ describe Rack::Cors do
   it "should not apply CORS headers if it does not match conditional on resource" do
     header 'Origin', 'http://192.168.0.1:1234'
     get '/conditional'
-    should_render_cors_failure
+    last_response.wont_render_cors_success
   end
 
   it "should apply CORS headers if it does match conditional on resource" do
     header 'X-OK', '1'
-    cors_request '/conditional', :origin => 'http://192.168.0.1:1234'
+    successful_cors_request '/conditional', :origin => 'http://192.168.0.1:1234'
+  end
+
+  it "should not allow everything if Origin is configured as blank string" do
+    cors_request '/blank-origin', origin: "http://example.net"
+    last_response.wont_render_cors_success
+  end
+
+  it "should not allow credentials for public resources" do
+    successful_cors_request '/public'
+    last_response.headers['Access-Control-Allow-Credentials'].must_be_nil
   end
 
- describe 'logging' do
+  describe 'logging' do
     it 'should not log debug messages if debug option is false' do
       app = mock
       app.stubs(:call).returns(200, {}, [''])
@@ -199,79 +272,127 @@ describe Rack::Cors do
         cors.call({'HTTP_ORIGIN' => 'test.com'})
       end
     end
+
+    it 'should use Logger if none is set' do
+      app = mock
+      app.stubs(:call).returns([200, {}, ['']])
+
+      logger = mock
+      Logger.expects(:new).returns(logger)
+      logger.expects(:tap).returns(logger)
+      logger.expects(:debug)
+
+      cors = Rack::Cors.new(app, :debug => true) {}
+      cors.call({'HTTP_ORIGIN' => 'test.com'})
+    end
   end
 
   describe 'preflight requests' do
     it 'should fail if origin is invalid' do
       preflight_request('http://allyourdataarebelongtous.com', '/')
-      should_render_cors_failure
+      last_response.wont_render_cors_success
       cors_result.wont_be :hit
       cors_result.must_be :preflight
     end
 
     it 'should fail if Access-Control-Request-Method is not allowed' do
       preflight_request('http://localhost:3000', '/get-only', :method => :post)
-      should_render_cors_failure
+      last_response.wont_render_cors_success
+      cors_result.miss_reason.must_equal Rack::Cors::Result::MISS_DENY_METHOD
+      cors_result.wont_be :hit
+      cors_result.must_be :preflight
     end
 
     it 'should fail if header is not allowed' do
       preflight_request('http://localhost:3000', '/single_header', :headers => 'Fooey')
-      should_render_cors_failure
+      last_response.wont_render_cors_success
+      cors_result.miss_reason.must_equal Rack::Cors::Result::MISS_DENY_HEADER
+      cors_result.wont_be :hit
+      cors_result.must_be :preflight
     end
 
     it 'should allow any header if headers = :any' do
       preflight_request('http://localhost:3000', '/', :headers => 'Fooey')
-      should_render_cors_success
+      last_response.must_render_cors_success
     end
 
     it 'should allow any method if methods = :any' do
       preflight_request('http://localhost:3000', '/', :methods => :any)
-      should_render_cors_success
+      last_response.must_render_cors_success
+    end
+
+    it 'allows PATCH method' do
+      preflight_request('http://localhost:3000', '/', :methods => [ :patch ])
+      last_response.must_render_cors_success
     end
 
     it 'should allow header case insensitive match' do
       preflight_request('http://localhost:3000', '/single_header', :headers => 'X-Domain-Token')
-      should_render_cors_success
+      last_response.must_render_cors_success
     end
 
     it 'should allow multiple headers match' do
       # Webkit style
       preflight_request('http://localhost:3000', '/two_headers', :headers => 'X-Requested-With, X-Domain-Token')
-      should_render_cors_success
+      last_response.must_render_cors_success
 
       # Gecko style
       preflight_request('http://localhost:3000', '/two_headers', :headers => 'x-requested-with,x-domain-token')
-      should_render_cors_success
+      last_response.must_render_cors_success
     end
 
     it 'should * origin should allow any origin' do
       preflight_request('http://locohost:3000', '/public')
-      should_render_cors_success
-      last_response.headers['Access-Control-Allow-Origin'].must_equal 'http://locohost:3000'
+      last_response.must_render_cors_success
+      last_response.headers['Access-Control-Allow-Origin'].must_equal '*'
     end
 
     it 'should * origin should allow any origin, and set * if no credentials required' do
       preflight_request('http://locohost:3000', '/public_without_credentials')
-      should_render_cors_success
+      last_response.must_render_cors_success
       last_response.headers['Access-Control-Allow-Origin'].must_equal '*'
     end
 
-    it 'should "null" origin, allowed as "file://", returned as "null" in header' do
-      preflight_request('null', '/')
-      should_render_cors_success
-      last_response.headers['Access-Control-Allow-Origin'].must_equal 'null'
-    end
-
     it 'should return "file://" as header with "file://" as origin' do
       preflight_request('file://', '/')
-      should_render_cors_success
+      last_response.must_render_cors_success
       last_response.headers['Access-Control-Allow-Origin'].must_equal 'file://'
     end
 
-    it 'should return a Content-Type' do
-      preflight_request('http://localhost:3000', '/')
-      should_render_cors_success
-      last_response.headers['Content-Type'].wont_be_nil
+    describe '' do
+
+      let(:app) do
+        test = self
+        Rack::Builder.new do
+          use CaptureResult, holder: test
+          use Rack::Cors, debug: true, logger: Logger.new(StringIO.new) do
+            allow do
+              origins '*'
+              resource '/', :methods => :post
+            end
+          end
+          map('/') do
+            run ->(env) { [500, {}, ['FAIL!']] }
+          end
+        end
+      end
+
+      it "should not send failed preflight requests thru the app" do
+        preflight_request('http://localhost', '/', :method => :unsupported)
+        last_response.wont_render_cors_success
+        last_response.status.must_equal 200
+        cors_result.must_be :preflight
+        cors_result.wont_be :hit
+        cors_result.miss_reason.must_equal Rack::Cors::Result::MISS_DENY_METHOD
+      end
+    end
+  end
+
+  describe "with insecure configuration" do
+    let(:app) { load_app('insecure') }
+
+    it "should raise an error" do
+      proc { cors_request '/public' }.must_raise Rack::Cors::Resource::CorsMisconfigurationError
     end
   end
 
@@ -279,7 +400,7 @@ describe Rack::Cors do
     let(:app) { load_app("non_http") }
 
     it 'should support non http/https origins' do
-      cors_request '/public', origin: 'content://com.company.app'
+      successful_cors_request '/public', origin: 'content://com.company.app'
     end
   end
 
@@ -308,19 +429,67 @@ describe Rack::Cors do
           end
         end
         map('/') do
-          run ->(env) { [200, {'Content-Type' => 'text/plain', 'Access-Control-Allow-Origin' => 'http://foo.net'}, ['success']] }
+          run ->(env) { [200, {'Access-Control-Allow-Origin' => 'http://foo.net'}, ['success']] }
         end
       end
     end
 
     it "should return app header" do
-      cors_request origin: "http://example.net"
+      successful_cors_request origin: "http://example.net"
       last_response.headers['Access-Control-Allow-Origin'].must_equal "http://foo.net"
     end
 
     it "should return original headers if in debug" do
-      cors_request origin: "http://example.net"
-      last_response.headers['X-Rack-CORS-Original-Access-Control-Allow-Origin'].must_equal "http://example.net"
+      successful_cors_request origin: "http://example.net"
+      last_response.headers['X-Rack-CORS-Original-Access-Control-Allow-Origin'].must_equal "*"
+    end
+  end
+
+  describe 'with headers set to nil' do
+    let(:app) do
+      Rack::Builder.new do
+        use Rack::Cors do
+          allow do
+            origins '*'
+            resource '/', headers: nil
+          end
+        end
+        map('/') do
+          run ->(env) { [200, {'Content-Type' => 'text/html'}, ['hello']] }
+        end
+      end
+    end
+
+    it 'should succeed with CORS simple headers' do
+      preflight_request('http://localhost:3000', '/', :headers => 'Accept')
+      last_response.must_render_cors_success
+    end
+  end
+
+  describe 'with custom allowed headers' do
+    let(:app) do
+      Rack::Builder.new do
+        use Rack::Cors do
+          allow do
+            origins '*'
+            resource '/', headers: []
+          end
+        end
+        map('/') do
+          run ->(env) { [200, {'Content-Type' => 'text/html'}, ['hello']] }
+        end
+      end
+    end
+
+    it 'should succeed with CORS simple headers' do
+      preflight_request('http://localhost:3000', '/', :headers => 'Accept')
+      last_response.must_render_cors_success
+      preflight_request('http://localhost:3000', '/', :headers => 'Accept-Language')
+      last_response.must_render_cors_success
+      preflight_request('http://localhost:3000', '/', :headers => 'Content-Type')
+      last_response.must_render_cors_success
+      preflight_request('http://localhost:3000', '/', :headers => 'Content-Language')
+      last_response.must_render_cors_success
     end
   end
 
@@ -333,7 +502,11 @@ describe Rack::Cors do
 
       header 'Origin', opts[:origin]
       current_session.__send__ opts[:method], path, {}, test: self
-      should_render_cors_success
+    end
+
+    def successful_cors_request(*args)
+      cors_request(*args)
+      last_response.must_render_cors_success
     end
 
     def preflight_request(origin, path, opts = {})
@@ -346,12 +519,4 @@ describe Rack::Cors do
       end
       options path
     end
-
-    def should_render_cors_success
-      last_response.headers['Access-Control-Allow-Origin'].wont_be_nil
-    end
-
-    def should_render_cors_failure
-      last_response.headers['Access-Control-Allow-Origin'].must_be_nil
-    end
 end

data/test/unit/dsl_test.rb

@@ -55,4 +55,15 @@ describe Rack::Cors, 'DSL' do
 
     resources.first.allow_origin?('file://').must_equal true
   end
+
+  it 'should default credentials option to false' do
+    cors = Rack::Cors.new(Proc.new {}) do
+      allow do
+        origins 'example.net'
+        resource '/', :headers => :any
+      end
+    end
+    resources = cors.send :all_resources
+    resources.first.resources.first.credentials.must_equal false
+  end
 end

data/test/unit/insecure.ru

@@ -0,0 +1,8 @@
+require 'rack/cors'
+
+use Rack::Cors do
+  allow do
+    origins '*'
+    resource '/public', credentials: true
+  end
+end

data/test/unit/test.ru

@@ -19,6 +19,7 @@ use Rack::Cors do
     resource '/expose_multiple_headers', :expose => %w{expose-test-1 expose-test-2}
     resource '/conditional', :methods => :get, :if => proc { |env| !!env['HTTP_X_OK'] }
     resource '/vary_test', :methods => :get, :vary => %w{ Origin Host }
+    resource '/patch_test', :methods => :patch
     # resource '/file/at/*',
     #     :methods => [:get, :post, :put, :delete],
     #     :headers => :any,
@@ -32,9 +33,15 @@ use Rack::Cors do
     resource '/proc-origin'
   end
 
+  allow do
+    origins -> (source, env) { source.end_with?("10.10.10.10:3000") }
+    resource '/lambda-origin'
+  end
+
   allow do
     origins '*'
     resource '/public'
+    resource '/public/*'
     resource '/public_without_credentials', :credentials => false
   end
 
@@ -47,4 +54,9 @@ use Rack::Cors do
     origins '*'
     resource '/multi-allow-config', :max_age => 300, :credentials => false
   end
+
+  allow do
+    origins ''
+    resource '/blank-origin'
+  end
 end