RubyGems - spikard - Versions diffs - 0.3.6 → 0.5.0 - Mend

spikard 0.3.6 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (113) hide show

checksums.yaml +4 -4
data/README.md +21 -6
data/ext/spikard_rb/Cargo.toml +2 -2
data/lib/spikard/app.rb +33 -14
data/lib/spikard/testing.rb +47 -12
data/lib/spikard/version.rb +1 -1
data/vendor/crates/spikard-bindings-shared/Cargo.toml +63 -0
data/vendor/crates/spikard-bindings-shared/examples/config_extraction.rs +132 -0
data/vendor/crates/spikard-bindings-shared/src/config_extractor.rs +752 -0
data/vendor/crates/spikard-bindings-shared/src/conversion_traits.rs +194 -0
data/vendor/crates/spikard-bindings-shared/src/di_traits.rs +246 -0
data/vendor/crates/spikard-bindings-shared/src/error_response.rs +401 -0
data/vendor/crates/spikard-bindings-shared/src/handler_base.rs +238 -0
data/vendor/crates/spikard-bindings-shared/src/lib.rs +24 -0
data/vendor/crates/spikard-bindings-shared/src/lifecycle_base.rs +292 -0
data/vendor/crates/spikard-bindings-shared/src/lifecycle_executor.rs +616 -0
data/vendor/crates/spikard-bindings-shared/src/response_builder.rs +305 -0
data/vendor/crates/spikard-bindings-shared/src/test_client_base.rs +248 -0
data/vendor/crates/spikard-bindings-shared/src/validation_helpers.rs +351 -0
data/vendor/crates/spikard-bindings-shared/tests/comprehensive_coverage.rs +454 -0
data/vendor/crates/spikard-bindings-shared/tests/error_response_edge_cases.rs +383 -0
data/vendor/crates/spikard-bindings-shared/tests/handler_base_integration.rs +280 -0
data/vendor/crates/spikard-core/Cargo.toml +4 -4
data/vendor/crates/spikard-core/src/debug.rs +64 -0
data/vendor/crates/spikard-core/src/di/container.rs +3 -27
data/vendor/crates/spikard-core/src/di/factory.rs +1 -5
data/vendor/crates/spikard-core/src/di/graph.rs +8 -47
data/vendor/crates/spikard-core/src/di/mod.rs +1 -1
data/vendor/crates/spikard-core/src/di/resolved.rs +1 -7
data/vendor/crates/spikard-core/src/di/value.rs +2 -4
data/vendor/crates/spikard-core/src/errors.rs +30 -0
data/vendor/crates/spikard-core/src/http.rs +262 -0
data/vendor/crates/spikard-core/src/lib.rs +1 -1
data/vendor/crates/spikard-core/src/lifecycle.rs +764 -0
data/vendor/crates/spikard-core/src/metadata.rs +389 -0
data/vendor/crates/spikard-core/src/parameters.rs +1962 -159
data/vendor/crates/spikard-core/src/problem.rs +34 -0
data/vendor/crates/spikard-core/src/request_data.rs +966 -1
data/vendor/crates/spikard-core/src/router.rs +263 -2
data/vendor/crates/spikard-core/src/validation/error_mapper.rs +688 -0
data/vendor/crates/spikard-core/src/{validation.rs → validation/mod.rs} +26 -268
data/vendor/crates/spikard-http/Cargo.toml +12 -16
data/vendor/crates/spikard-http/examples/sse-notifications.rs +148 -0
data/vendor/crates/spikard-http/examples/websocket-chat.rs +92 -0
data/vendor/crates/spikard-http/src/auth.rs +65 -16
data/vendor/crates/spikard-http/src/background.rs +1614 -3
data/vendor/crates/spikard-http/src/cors.rs +515 -0
data/vendor/crates/spikard-http/src/debug.rs +65 -0
data/vendor/crates/spikard-http/src/di_handler.rs +1322 -77
data/vendor/crates/spikard-http/src/handler_response.rs +711 -0
data/vendor/crates/spikard-http/src/handler_trait.rs +607 -5
data/vendor/crates/spikard-http/src/handler_trait_tests.rs +6 -0
data/vendor/crates/spikard-http/src/lib.rs +33 -28
data/vendor/crates/spikard-http/src/lifecycle/adapter.rs +81 -0
data/vendor/crates/spikard-http/src/lifecycle.rs +765 -0
data/vendor/crates/spikard-http/src/middleware/mod.rs +372 -117
data/vendor/crates/spikard-http/src/middleware/multipart.rs +836 -10
data/vendor/crates/spikard-http/src/middleware/urlencoded.rs +409 -43
data/vendor/crates/spikard-http/src/middleware/validation.rs +513 -65
data/vendor/crates/spikard-http/src/openapi/parameter_extraction.rs +345 -0
data/vendor/crates/spikard-http/src/openapi/schema_conversion.rs +1055 -0
data/vendor/crates/spikard-http/src/openapi/spec_generation.rs +473 -3
data/vendor/crates/spikard-http/src/query_parser.rs +455 -31
data/vendor/crates/spikard-http/src/response.rs +321 -0
data/vendor/crates/spikard-http/src/server/handler.rs +1572 -9
data/vendor/crates/spikard-http/src/server/lifecycle_execution.rs +136 -0
data/vendor/crates/spikard-http/src/server/mod.rs +875 -178
data/vendor/crates/spikard-http/src/server/request_extraction.rs +674 -23
data/vendor/crates/spikard-http/src/server/routing_factory.rs +599 -0
data/vendor/crates/spikard-http/src/sse.rs +983 -21
data/vendor/crates/spikard-http/src/testing/form.rs +38 -0
data/vendor/crates/spikard-http/src/testing/test_client.rs +0 -2
data/vendor/crates/spikard-http/src/testing.rs +7 -7
data/vendor/crates/spikard-http/src/websocket.rs +1055 -4
data/vendor/crates/spikard-http/tests/background_behavior.rs +832 -0
data/vendor/crates/spikard-http/tests/common/handlers.rs +309 -0
data/vendor/crates/spikard-http/tests/common/mod.rs +26 -0
data/vendor/crates/spikard-http/tests/di_integration.rs +192 -0
data/vendor/crates/spikard-http/tests/doc_snippets.rs +5 -0
data/vendor/crates/spikard-http/tests/lifecycle_execution.rs +1093 -0
data/vendor/crates/spikard-http/tests/multipart_behavior.rs +656 -0
data/vendor/crates/spikard-http/tests/server_config_builder.rs +314 -0
data/vendor/crates/spikard-http/tests/sse_behavior.rs +620 -0
data/vendor/crates/spikard-http/tests/websocket_behavior.rs +663 -0
data/vendor/crates/spikard-rb/Cargo.toml +10 -4
data/vendor/crates/spikard-rb/build.rs +196 -5
data/vendor/crates/spikard-rb/src/config/mod.rs +5 -0
data/vendor/crates/spikard-rb/src/{config.rs → config/server_config.rs} +100 -109
data/vendor/crates/spikard-rb/src/conversion.rs +121 -20
data/vendor/crates/spikard-rb/src/di/builder.rs +100 -0
data/vendor/crates/spikard-rb/src/{di.rs → di/mod.rs} +12 -46
data/vendor/crates/spikard-rb/src/handler.rs +100 -107
data/vendor/crates/spikard-rb/src/integration/mod.rs +3 -0
data/vendor/crates/spikard-rb/src/lib.rs +467 -1428
data/vendor/crates/spikard-rb/src/lifecycle.rs +1 -0
data/vendor/crates/spikard-rb/src/metadata/mod.rs +5 -0
data/vendor/crates/spikard-rb/src/metadata/route_extraction.rs +447 -0
data/vendor/crates/spikard-rb/src/runtime/mod.rs +5 -0
data/vendor/crates/spikard-rb/src/runtime/server_runner.rs +324 -0
data/vendor/crates/spikard-rb/src/server.rs +47 -22
data/vendor/crates/spikard-rb/src/{test_client.rs → testing/client.rs} +187 -40
data/vendor/crates/spikard-rb/src/testing/mod.rs +7 -0
data/vendor/crates/spikard-rb/src/testing/websocket.rs +635 -0
data/vendor/crates/spikard-rb/src/websocket.rs +178 -37
metadata +46 -13
data/vendor/crates/spikard-http/src/parameters.rs +0 -1
data/vendor/crates/spikard-http/src/problem.rs +0 -1
data/vendor/crates/spikard-http/src/router.rs +0 -1
data/vendor/crates/spikard-http/src/schema_registry.rs +0 -1
data/vendor/crates/spikard-http/src/type_hints.rs +0 -1
data/vendor/crates/spikard-http/src/validation.rs +0 -1
data/vendor/crates/spikard-rb/src/test_websocket.rs +0 -221
/data/vendor/crates/spikard-rb/src/{test_sse.rs → testing/sse.rs} +0 -0

data/vendor/crates/spikard-http/src/cors.rs CHANGED Viewed

@@ -487,4 +487,519 @@ mod tests {
         let result = validate_cors_request(&headers, &config);
         assert!(result.is_ok());
     }
+    // SECURITY TESTS: CORS Attack Vectors
+    /// SECURITY TEST: Verify credentials=true with wildcard is caught
+    /// This is a critical vulnerability - RFC 6454 forbids this
+    #[test]
+    fn test_credentials_with_wildcard_config_is_security_issue() {
+        let config = CorsConfig {
+            allowed_origins: vec!["*".to_string()],
+            allowed_methods: vec!["GET".to_string()],
+            allowed_headers: vec![],
+            expose_headers: None,
+            max_age: None,
+            allow_credentials: Some(true), // SECURITY BUG: This should not be allowed with wildcard
+        };
+        let mut headers = HeaderMap::new();
+        headers.insert("origin", HeaderValue::from_static("https://evil.com"));
+        headers.insert("access-control-request-method", HeaderValue::from_static("GET"));
+        let result = handle_preflight(&headers, &config);
+        // BUG: This should return 500 or reject the config, but instead succeeds
+        if let Ok(response) = result {
+            let resp_headers = response.headers();
+            let has_credentials = resp_headers
+                .get("access-control-allow-credentials")
+                .map(|v| v == "true")
+                .unwrap_or(false);
+            let origin_header = resp_headers.get("access-control-allow-origin");
+            if has_credentials && origin_header.is_some() {
+                let origin_val = origin_header.unwrap().to_str().unwrap_or("");
+                if origin_val == "*" {
+                    panic!("SECURITY VULNERABILITY: credentials=true with origin=* allowed");
+                }
+            }
+        }
+    }
+    /// SECURITY TEST: Exact origin matching required
+    /// Subdomain like api.evil.example.com must NOT match example.com
+    #[test]
+    fn test_subdomain_bypass_blocked() {
+        let config = CorsConfig {
+            allowed_origins: vec!["https://example.com".to_string()],
+            allowed_methods: vec!["GET".to_string()],
+            allowed_headers: vec![],
+            expose_headers: None,
+            max_age: None,
+            allow_credentials: None,
+        };
+        assert!(!is_origin_allowed("https://api.example.com", &config.allowed_origins));
+        assert!(!is_origin_allowed("https://evil.example.com", &config.allowed_origins));
+        assert!(!is_origin_allowed(
+            "https://sub.sub.example.com",
+            &config.allowed_origins
+        ));
+        assert!(is_origin_allowed("https://example.com", &config.allowed_origins));
+    }
+    /// SECURITY TEST: Port exact matching required
+    /// localhost:3001 must NOT match localhost:3000
+    #[test]
+    fn test_port_bypass_blocked() {
+        let config = CorsConfig {
+            allowed_origins: vec!["http://localhost:3000".to_string()],
+            allowed_methods: vec!["GET".to_string()],
+            allowed_headers: vec![],
+            expose_headers: None,
+            max_age: None,
+            allow_credentials: None,
+        };
+        assert!(!is_origin_allowed("http://localhost:3001", &config.allowed_origins));
+        assert!(!is_origin_allowed("http://localhost:8080", &config.allowed_origins));
+        assert!(!is_origin_allowed("http://localhost:443", &config.allowed_origins));
+        assert!(is_origin_allowed("http://localhost:3000", &config.allowed_origins));
+    }
+    /// SECURITY TEST: Protocol exact matching required
+    /// http://example.com must NOT match https://example.com
+    #[test]
+    fn test_protocol_downgrade_attack_blocked() {
+        let config = CorsConfig {
+            allowed_origins: vec!["https://example.com".to_string()],
+            allowed_methods: vec!["GET".to_string()],
+            allowed_headers: vec![],
+            expose_headers: None,
+            max_age: None,
+            allow_credentials: None,
+        };
+        assert!(!is_origin_allowed("http://example.com", &config.allowed_origins));
+        assert!(!is_origin_allowed("ws://example.com", &config.allowed_origins));
+        assert!(!is_origin_allowed("wss://example.com", &config.allowed_origins));
+        assert!(is_origin_allowed("https://example.com", &config.allowed_origins));
+    }
+    /// SECURITY TEST: Case sensitivity in origin matching
+    /// Origins should match exactly (including case)
+    #[test]
+    fn test_case_sensitive_origin_matching() {
+        let config = CorsConfig {
+            allowed_origins: vec!["https://Example.Com".to_string()],
+            allowed_methods: vec!["GET".to_string()],
+            allowed_headers: vec![],
+            expose_headers: None,
+            max_age: None,
+            allow_credentials: None,
+        };
+        assert!(!is_origin_allowed("https://example.com", &config.allowed_origins));
+        assert!(!is_origin_allowed("https://EXAMPLE.COM", &config.allowed_origins));
+        assert!(is_origin_allowed("https://Example.Com", &config.allowed_origins));
+    }
+    /// SECURITY TEST: Trailing slash normalization
+    /// https://example.com/ should be treated differently from https://example.com
+    #[test]
+    fn test_trailing_slash_origin_not_normalized() {
+        let config = CorsConfig {
+            allowed_origins: vec!["https://example.com".to_string()],
+            allowed_methods: vec!["GET".to_string()],
+            allowed_headers: vec![],
+            expose_headers: None,
+            max_age: None,
+            allow_credentials: None,
+        };
+        assert!(!is_origin_allowed("https://example.com/", &config.allowed_origins));
+        assert!(is_origin_allowed("https://example.com", &config.allowed_origins));
+    }
+    /// SECURITY TEST: NULL origin and wildcard behavior
+    /// Special "null" origin used by file:// and sandboxed iframes
+    /// The current implementation treats "null" as a regular origin string,
+    /// which means it IS allowed by wildcard (not ideal but documents current behavior)
+    #[test]
+    fn test_null_origin_with_wildcard() {
+        let config = CorsConfig {
+            allowed_origins: vec!["*".to_string()],
+            allowed_methods: vec!["GET".to_string()],
+            allowed_headers: vec![],
+            expose_headers: None,
+            max_age: None,
+            allow_credentials: None,
+        };
+        // SECURITY NOTE: "null" origin is allowed by wildcard in current implementation
+        assert!(is_origin_allowed("null", &config.allowed_origins));
+        let with_explicit_null = CorsConfig {
+            allowed_origins: vec!["null".to_string()],
+            allowed_methods: vec!["GET".to_string()],
+            allowed_headers: vec![],
+            expose_headers: None,
+            max_age: None,
+            allow_credentials: None,
+        };
+        assert!(is_origin_allowed("null", &with_explicit_null.allowed_origins));
+    }
+    /// SECURITY TEST: Empty origin is always rejected
+    #[test]
+    fn test_empty_origin_always_rejected() {
+        let config_with_wildcard = CorsConfig {
+            allowed_origins: vec!["*".to_string()],
+            allowed_methods: vec!["GET".to_string()],
+            allowed_headers: vec![],
+            expose_headers: None,
+            max_age: None,
+            allow_credentials: None,
+        };
+        assert!(!is_origin_allowed("", &config_with_wildcard.allowed_origins));
+        let config_with_explicit = CorsConfig {
+            allowed_origins: vec!["https://example.com".to_string()],
+            allowed_methods: vec!["GET".to_string()],
+            allowed_headers: vec![],
+            expose_headers: None,
+            max_age: None,
+            allow_credentials: None,
+        };
+        assert!(!is_origin_allowed("", &config_with_explicit.allowed_origins));
+    }
+    /// SECURITY TEST: Preflight with invalid origin should reject
+    #[test]
+    fn test_preflight_rejects_invalid_origin() {
+        let config = make_cors_config();
+        let mut headers = HeaderMap::new();
+        headers.insert("origin", HeaderValue::from_static("https://untrusted.com"));
+        headers.insert("access-control-request-method", HeaderValue::from_static("POST"));
+        let result = handle_preflight(&headers, &config);
+        assert!(result.is_err());
+        let response = *result.unwrap_err();
+        assert_eq!(response.status(), StatusCode::FORBIDDEN);
+    }
+    /// SECURITY TEST: Multiple origins - each must be exact match
+    #[test]
+    fn test_multiple_origins_exact_matching() {
+        let config = CorsConfig {
+            allowed_origins: vec!["https://trusted1.com".to_string(), "https://trusted2.com".to_string()],
+            allowed_methods: vec!["GET".to_string()],
+            allowed_headers: vec![],
+            expose_headers: None,
+            max_age: None,
+            allow_credentials: None,
+        };
+        assert!(is_origin_allowed("https://trusted1.com", &config.allowed_origins));
+        assert!(is_origin_allowed("https://trusted2.com", &config.allowed_origins));
+        assert!(!is_origin_allowed(
+            "https://trusted1.com.evil.com",
+            &config.allowed_origins
+        ));
+        assert!(!is_origin_allowed("https://trusted3.com", &config.allowed_origins));
+        assert!(!is_origin_allowed("https://trusted.com", &config.allowed_origins));
+    }
+    /// SECURITY TEST: Wildcard origin should allow any origin (but check config)
+    #[test]
+    fn test_wildcard_allows_all_but_check_credentials() {
+        let config = CorsConfig {
+            allowed_origins: vec!["*".to_string()],
+            allowed_methods: vec!["GET".to_string()],
+            allowed_headers: vec![],
+            expose_headers: None,
+            max_age: None,
+            allow_credentials: None,
+        };
+        assert!(is_origin_allowed("https://example.com", &config.allowed_origins));
+        assert!(is_origin_allowed("https://evil.com", &config.allowed_origins));
+        assert!(is_origin_allowed("http://localhost:3000", &config.allowed_origins));
+        assert!(!is_origin_allowed("", &config.allowed_origins));
+    }
+    /// SECURITY TEST: Preflight response headers must match config exactly
+    #[test]
+    fn test_preflight_response_has_correct_allowed_origins() {
+        let config = CorsConfig {
+            allowed_origins: vec!["https://trusted.com".to_string()],
+            allowed_methods: vec!["GET".to_string(), "POST".to_string()],
+            allowed_headers: vec!["content-type".to_string()],
+            expose_headers: None,
+            max_age: Some(3600),
+            allow_credentials: Some(false),
+        };
+        let mut headers = HeaderMap::new();
+        headers.insert("origin", HeaderValue::from_static("https://trusted.com"));
+        headers.insert("access-control-request-method", HeaderValue::from_static("POST"));
+        headers.insert(
+            "access-control-request-headers",
+            HeaderValue::from_static("content-type"),
+        );
+        let result = handle_preflight(&headers, &config);
+        assert!(result.is_ok());
+        let response = result.unwrap();
+        let resp_headers = response.headers();
+        assert_eq!(
+            resp_headers.get("access-control-allow-origin").unwrap(),
+            "https://trusted.com"
+        );
+        assert!(
+            resp_headers
+                .get("access-control-allow-methods")
+                .unwrap()
+                .to_str()
+                .unwrap()
+                .contains("GET")
+        );
+        assert!(
+            resp_headers
+                .get("access-control-allow-methods")
+                .unwrap()
+                .to_str()
+                .unwrap()
+                .contains("POST")
+        );
+        assert!(resp_headers.get("access-control-allow-credentials").is_none());
+    }
+    /// SECURITY TEST: Origin not in allowed list must be rejected in preflight
+    #[test]
+    fn test_preflight_all_origins_require_validation() {
+        let config = CorsConfig {
+            allowed_origins: vec!["https://trusted.com".to_string()],
+            allowed_methods: vec!["GET".to_string()],
+            allowed_headers: vec![],
+            expose_headers: None,
+            max_age: None,
+            allow_credentials: None,
+        };
+        let test_cases = vec![
+            "https://trusted.com",
+            "https://evil.com",
+            "https://trusted.com.evil",
+            "http://trusted.com",
+            "",
+        ];
+        for origin in test_cases {
+            let mut headers = HeaderMap::new();
+            headers.insert(
+                "origin",
+                HeaderValue::from_str(origin).unwrap_or_else(|_| HeaderValue::from_static("")),
+            );
+            headers.insert("access-control-request-method", HeaderValue::from_static("GET"));
+            let result = handle_preflight(&headers, &config);
+            if origin == "https://trusted.com" {
+                assert!(result.is_ok(), "Valid origin {} should be allowed", origin);
+            } else {
+                assert!(result.is_err(), "Invalid origin {} should be rejected", origin);
+            }
+        }
+    }
+    /// SECURITY TEST: Requested headers must be in allowed list
+    #[test]
+    fn test_preflight_validates_all_requested_headers() {
+        let config = CorsConfig {
+            allowed_origins: vec!["https://trusted.com".to_string()],
+            allowed_methods: vec!["POST".to_string()],
+            allowed_headers: vec!["content-type".to_string(), "authorization".to_string()],
+            expose_headers: None,
+            max_age: None,
+            allow_credentials: None,
+        };
+        let test_cases = vec![
+            ("content-type", true),
+            ("authorization", true),
+            ("content-type, authorization", true),
+            ("x-custom-header", false),
+            ("content-type, x-custom", false),
+        ];
+        for (headers_str, should_pass) in test_cases {
+            let mut headers = HeaderMap::new();
+            headers.insert("origin", HeaderValue::from_static("https://trusted.com"));
+            headers.insert("access-control-request-method", HeaderValue::from_static("POST"));
+            headers.insert(
+                "access-control-request-headers",
+                HeaderValue::from_str(headers_str).unwrap(),
+            );
+            let result = handle_preflight(&headers, &config);
+            if should_pass {
+                assert!(
+                    result.is_ok(),
+                    "Preflight with valid headers '{}' should pass",
+                    headers_str
+                );
+            } else {
+                assert!(
+                    result.is_err(),
+                    "Preflight with invalid headers '{}' should fail",
+                    headers_str
+                );
+            }
+        }
+    }
+    /// SECURITY TEST: add_cors_headers should respect origin validation
+    #[test]
+    fn test_add_cors_headers_respects_origin() {
+        let config = CorsConfig {
+            allowed_origins: vec!["https://trusted.com".to_string()],
+            allowed_methods: vec!["GET".to_string()],
+            allowed_headers: vec![],
+            expose_headers: Some(vec!["x-custom".to_string()]),
+            max_age: None,
+            allow_credentials: Some(true),
+        };
+        let mut response = Response::new(Body::empty());
+        add_cors_headers(&mut response, "https://trusted.com", &config);
+        let headers = response.headers();
+        assert_eq!(
+            headers.get("access-control-allow-origin").unwrap(),
+            "https://trusted.com"
+        );
+        assert_eq!(headers.get("access-control-expose-headers").unwrap(), "x-custom");
+        assert_eq!(headers.get("access-control-allow-credentials").unwrap(), "true");
+    }
+    /// SECURITY TEST: validate_cors_request respects allowed origins
+    #[test]
+    fn test_validate_cors_request_origin_must_match() {
+        let config = CorsConfig {
+            allowed_origins: vec!["https://trusted.com".to_string()],
+            allowed_methods: vec!["GET".to_string()],
+            allowed_headers: vec![],
+            expose_headers: None,
+            max_age: None,
+            allow_credentials: None,
+        };
+        let mut headers = HeaderMap::new();
+        headers.insert("origin", HeaderValue::from_static("https://trusted.com"));
+        assert!(validate_cors_request(&headers, &config).is_ok());
+        let mut headers = HeaderMap::new();
+        headers.insert("origin", HeaderValue::from_static("https://evil.com"));
+        assert!(validate_cors_request(&headers, &config).is_err());
+        let headers = HeaderMap::new();
+        assert!(validate_cors_request(&headers, &config).is_ok());
+    }
+    /// SECURITY TEST: Preflight without requested method should fail
+    #[test]
+    fn test_preflight_requires_access_control_request_method() {
+        let config = make_cors_config();
+        let mut headers = HeaderMap::new();
+        headers.insert("origin", HeaderValue::from_static("https://example.com"));
+        let result = handle_preflight(&headers, &config);
+        assert!(result.is_ok());
+    }
+    /// SECURITY TEST: Case-insensitive method matching
+    #[test]
+    fn test_preflight_method_case_insensitive() {
+        let config = CorsConfig {
+            allowed_origins: vec!["https://example.com".to_string()],
+            allowed_methods: vec!["GET".to_string(), "POST".to_string()],
+            allowed_headers: vec![],
+            expose_headers: None,
+            max_age: None,
+            allow_credentials: None,
+        };
+        let test_cases = vec!["GET", "get", "Get", "POST", "post"];
+        for method in test_cases {
+            let mut headers = HeaderMap::new();
+            headers.insert("origin", HeaderValue::from_static("https://example.com"));
+            headers.insert("access-control-request-method", HeaderValue::from_str(method).unwrap());
+            let result = handle_preflight(&headers, &config);
+            assert!(
+                result.is_ok(),
+                "Method '{}' should be allowed (case-insensitive)",
+                method
+            );
+        }
+    }
+    /// SECURITY TEST: Ensure preflight max-age is set correctly
+    #[test]
+    fn test_preflight_max_age_header() {
+        let config = CorsConfig {
+            allowed_origins: vec!["https://example.com".to_string()],
+            allowed_methods: vec!["GET".to_string()],
+            allowed_headers: vec![],
+            expose_headers: None,
+            max_age: Some(7200),
+            allow_credentials: None,
+        };
+        let mut headers = HeaderMap::new();
+        headers.insert("origin", HeaderValue::from_static("https://example.com"));
+        headers.insert("access-control-request-method", HeaderValue::from_static("GET"));
+        let result = handle_preflight(&headers, &config);
+        assert!(result.is_ok());
+        let response = result.unwrap();
+        assert_eq!(response.headers().get("access-control-max-age").unwrap(), "7200");
+    }
+    /// SECURITY TEST: Wildcard partial patterns should not work
+    /// *.example.com style patterns are not supported (good!)
+    #[test]
+    fn test_wildcard_patterns_not_supported() {
+        let config = CorsConfig {
+            allowed_origins: vec!["*.example.com".to_string()],
+            allowed_methods: vec!["GET".to_string()],
+            allowed_headers: vec![],
+            expose_headers: None,
+            max_age: None,
+            allow_credentials: None,
+        };
+        assert!(!is_origin_allowed("https://api.example.com", &config.allowed_origins));
+        assert!(!is_origin_allowed("https://example.com", &config.allowed_origins));
+        assert!(is_origin_allowed("*.example.com", &config.allowed_origins));
+    }
 }

data/vendor/crates/spikard-http/src/debug.rs CHANGED Viewed

@@ -61,3 +61,68 @@ macro_rules! debug_log_value {
         }
     };
 }
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use std::sync::Mutex;
+    use std::sync::atomic::Ordering;
+    static FLAG_LOCK: Mutex<()> = Mutex::new(());
+    struct DebugFlagGuard {
+        previous_flag: bool,
+        previous_env: Option<String>,
+    }
+    impl Drop for DebugFlagGuard {
+        fn drop(&mut self) {
+            DEBUG_ENABLED.store(self.previous_flag, Ordering::Relaxed);
+            if let Some(prev) = &self.previous_env {
+                unsafe { std::env::set_var("SPIKARD_DEBUG", prev) };
+            } else {
+                unsafe { std::env::remove_var("SPIKARD_DEBUG") };
+            }
+        }
+    }
+    #[test]
+    fn init_enables_debug_when_requested() {
+        let _lock = FLAG_LOCK.lock().unwrap();
+        let previous = DEBUG_ENABLED.load(Ordering::Relaxed);
+        let previous_env = std::env::var("SPIKARD_DEBUG").ok();
+        let _guard = DebugFlagGuard {
+            previous_flag: previous,
+            previous_env,
+        };
+        unsafe { std::env::set_var("SPIKARD_DEBUG", "1") };
+        init();
+        assert!(is_enabled(), "init should enable debug in test builds");
+    }
+    #[test]
+    fn macros_respect_debug_flag() {
+        let _lock = FLAG_LOCK.lock().unwrap();
+        let previous = DEBUG_ENABLED.load(Ordering::Relaxed);
+        let previous_env = std::env::var("SPIKARD_DEBUG").ok();
+        let _guard = DebugFlagGuard {
+            previous_flag: previous,
+            previous_env,
+        };
+        DEBUG_ENABLED.store(false, Ordering::Relaxed);
+        debug_log!("should not print while disabled");
+        debug_log_module!("middleware", "disabled branch");
+        debug_log_value!("key", 1_u8);
+        assert!(!is_enabled());
+        DEBUG_ENABLED.store(true, Ordering::Relaxed);
+        debug_log!("now printing {}", 2);
+        debug_log_module!("router", "enabled branch");
+        debug_log_value!("value", 3_i32);
+        assert!(is_enabled());
+    }
+}