@dbos-inc/koa-serve 2.11.6-preview.gcb74958171

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,292 @@
1
+ import Koa from 'koa';
2
+ import Router from '@koa/router';
3
+ import cors from '@koa/cors';
4
+
5
+ import { DBOS } from '@dbos-inc/dbos-sdk';
6
+
7
+ import { DBOSKoa } from '../src';
8
+
9
+ import request from 'supertest';
10
+
11
+ const dhttp = new DBOSKoa();
12
+
13
+ describe('http-cors-tests', () => {
14
+ let app: Koa;
15
+ let appRouter: Router;
16
+
17
+ beforeAll(async () => {
18
+ DBOS.setConfig({ name: 'koa-cors' });
19
+ return Promise.resolve();
20
+ });
21
+
22
+ beforeEach(async () => {
23
+ DBOS.registerLifecycleCallback(dhttp);
24
+ await DBOS.launch();
25
+ app = new Koa();
26
+ appRouter = new Router();
27
+ dhttp.registerWithApp(app, appRouter);
28
+ });
29
+
30
+ afterEach(async () => {
31
+ await DBOS.shutdown();
32
+ });
33
+
34
+ // Check get with us as origin
35
+ it('should allow requests without credentials from allowed origins', async () => {
36
+ const response = await request(app.callback())
37
+ .get('/hellod') // Default CORS policy
38
+ .set('Origin', 'https://us.com');
39
+
40
+ expect(response.headers['access-control-allow-origin']).toBe('https://us.com');
41
+ expect(response.status).toBe(200);
42
+ });
43
+ it('should allow requests without credentials from allowed origins', async () => {
44
+ const response = await request(app.callback())
45
+ .get('/hellor') // Regular cors() defaults from Koa
46
+ .set('Origin', 'https://us.com');
47
+
48
+ expect(response.headers['access-control-allow-origin']).toBe('*');
49
+ expect(response.status).toBe(200);
50
+ });
51
+ it('should allow requests without credentials from allowed origins', async () => {
52
+ const response = await request(app.callback())
53
+ .get('/hellos') // Custom whitelist cors() implementation
54
+ .set('Origin', 'https://us.com');
55
+
56
+ expect(response.headers['access-control-allow-origin']).toBe('https://us.com');
57
+ expect(response.status).toBe(200);
58
+ });
59
+
60
+ // Check get with partner as origin
61
+ it('should allow requests without credentials from allowed origins', async () => {
62
+ const response = await request(app.callback())
63
+ .get('/hellod') // Default CORS policy
64
+ .set('Origin', 'https://partner.com');
65
+
66
+ expect(response.headers['access-control-allow-origin']).toBe('https://partner.com');
67
+ expect(response.status).toBe(200);
68
+ });
69
+ it('should allow requests without credentials from allowed origins', async () => {
70
+ const response = await request(app.callback())
71
+ .get('/hellor') // Regular cors() defaults from Koa
72
+ .set('Origin', 'https://partner.com');
73
+
74
+ expect(response.headers['access-control-allow-origin']).toBe('*');
75
+ expect(response.status).toBe(200);
76
+ });
77
+ it('should allow requests without credentials from allowed origins', async () => {
78
+ const response = await request(app.callback())
79
+ .get('/hellos') // Custom whitelist cors() implementation
80
+ .set('Origin', 'https://partner.com');
81
+
82
+ expect(response.headers['access-control-allow-origin']).toBe('https://partner.com');
83
+ expect(response.status).toBe(200);
84
+ });
85
+
86
+ // Check get with another origin
87
+ it('should allow requests without credentials from allowed origins', async () => {
88
+ const response = await request(app.callback())
89
+ .get('/hellod') // Default CORS policy
90
+ .set('Origin', 'https://crimeware.com');
91
+
92
+ expect(response.headers['access-control-allow-origin']).toBe('https://crimeware.com');
93
+ expect(response.status).toBe(200);
94
+ });
95
+ it('should allow requests without credentials from allowed origins', async () => {
96
+ const response = await request(app.callback())
97
+ .get('/hellor') // Regular cors() defaults from Koa
98
+ .set('Origin', 'https://crimeware.com');
99
+
100
+ expect(response.headers['access-control-allow-origin']).toBe('*');
101
+ expect(response.status).toBe(200);
102
+ });
103
+ it('should allow requests without credentials from allowed origins - not this one', async () => {
104
+ const response = await request(app.callback())
105
+ .get('/hellos') // Custom whitelist cors() implementation
106
+ .set('Origin', 'https://crimeware.com');
107
+
108
+ expect(response.headers['access-control-allow-origin']).toBeUndefined();
109
+ expect(response.status).toBe(200); // IRL this response will not be shared by the browser to the caller; POSTs could be preflighted.
110
+ });
111
+
112
+ // Check get with us as origin AND credentials
113
+ it('should allow requests with credentials from allowed origins', async () => {
114
+ const response = await request(app.callback())
115
+ .get('/hellod') // Default CORS policy
116
+ .set('Origin', 'https://us.com')
117
+ .set('Cookie', 'sessionId=abc123');
118
+
119
+ expect(response.headers['access-control-allow-origin']).toBe('https://us.com');
120
+ expect(response.headers['access-control-allow-credentials']).toBe('true');
121
+
122
+ expect(response.status).toBe(200);
123
+ });
124
+ it('should allow requests with credentials from allowed origins', async () => {
125
+ const response = await request(app.callback())
126
+ .get('/hellor') // Regular cors() defaults from Koa
127
+ .set('Origin', 'https://us.com')
128
+ .set('Cookie', 'sessionId=abc123');
129
+
130
+ expect(response.headers['access-control-allow-origin']).toBe('*');
131
+ expect(response.headers['access-control-allow-credentials']).toBeUndefined();
132
+ // IRL the browser will hate this result of '*' and refuse to share response w/ client
133
+
134
+ expect(response.status).toBe(200);
135
+ });
136
+ it('should allow requests with credentials from allowed origins', async () => {
137
+ const response = await request(app.callback())
138
+ .get('/hellos') // Custom whitelist cors() implementation
139
+ .set('Origin', 'https://us.com')
140
+ .set('Cookie', 'sessionId=abc123');
141
+
142
+ expect(response.headers['access-control-allow-origin']).toBe('https://us.com');
143
+ expect(response.headers['access-control-allow-credentials']).toBe('true');
144
+
145
+ expect(response.status).toBe(200);
146
+ });
147
+
148
+ // Check get with partner as origin AND credentials
149
+ it('should allow requests with credentials from allowed origins', async () => {
150
+ const response = await request(app.callback())
151
+ .get('/hellod') // Default CORS policy
152
+ .set('Origin', 'https://partner.com')
153
+ .set('Cookie', 'sessionId=abc123');
154
+
155
+ expect(response.headers['access-control-allow-origin']).toBe('https://partner.com');
156
+ expect(response.headers['access-control-allow-credentials']).toBe('true');
157
+
158
+ expect(response.status).toBe(200);
159
+ });
160
+ it('should allow requests with credentials from allowed origins', async () => {
161
+ const response = await request(app.callback())
162
+ .get('/hellor') // Regular cors() defaults from Koa
163
+ .set('Origin', 'https://partner.com')
164
+ .set('Cookie', 'sessionId=abc123');
165
+
166
+ expect(response.headers['access-control-allow-origin']).toBe('*');
167
+ expect(response.headers['access-control-allow-credentials']).toBeUndefined();
168
+ // IRL the browser will hate this result of '*' and refuse to share response w/ client
169
+
170
+ expect(response.status).toBe(200);
171
+ });
172
+ it('should allow requests with credentials from allowed origins', async () => {
173
+ const response = await request(app.callback())
174
+ .get('/hellos') // Custom whitelist cors() implementation
175
+ .set('Origin', 'https://partner.com')
176
+ .set('Cookie', 'sessionId=abc123');
177
+
178
+ expect(response.headers['access-control-allow-origin']).toBe('https://partner.com');
179
+ expect(response.headers['access-control-allow-credentials']).toBe('true');
180
+
181
+ expect(response.status).toBe(200);
182
+ });
183
+
184
+ it('should allow preflight requests with credentials from allowed origins', async () => {
185
+ const response = await request(app.callback())
186
+ .options('/hellos') // Custom whitelist cors() implementation
187
+ .set('Access-Control-Request-Method', 'GET')
188
+ .set('Origin', 'https://partner.com')
189
+ .set('Cookie', 'sessionId=abc123');
190
+
191
+ expect(response.status).toBe(204);
192
+ expect(response.headers['access-control-allow-origin']).toBe('https://partner.com');
193
+ expect(response.headers['access-control-allow-credentials']).toBe('true');
194
+ });
195
+ it('should allow preflight requests with credentials from allowed origins', async () => {
196
+ const response = await request(app.callback())
197
+ .options('/hellor') // Regular cors() defaults from Koa
198
+ .set('Access-Control-Request-Method', 'GET')
199
+ .set('Origin', 'https://crimewave.com')
200
+ .set('Cookie', 'sessionId=abc123');
201
+
202
+ expect(response.status).toBe(204);
203
+ expect(response.headers['access-control-allow-origin']).toBe('*');
204
+ expect(response.headers['access-control-allow-credentials']).toBeUndefined();
205
+ });
206
+ it('should allow preflight requests with credentials from allowed origins', async () => {
207
+ const response = await request(app.callback())
208
+ .options('/hellod') // Default CORS policy
209
+ .set('Access-Control-Request-Method', 'GET')
210
+ .set('Origin', 'https://crimewave.com')
211
+ .set('Cookie', 'sessionId=abc123');
212
+
213
+ expect(response.status).toBe(204);
214
+ expect(response.headers['access-control-allow-origin']).toBe('https://crimewave.com');
215
+ expect(response.headers['access-control-allow-credentials']).toBe('true');
216
+ expect(response.headers['access-control-allow-headers']).toBe(
217
+ 'Origin,X-Requested-With,Content-Type,Accept,Authorization',
218
+ );
219
+ });
220
+
221
+ // Check get with another origin AND credentials
222
+ it('should allow requests with credentials from allowed origins', async () => {
223
+ const response = await request(app.callback())
224
+ .get('/hellod') // Default CORS policy
225
+ .set('Origin', 'https://crimewave.com')
226
+ .set('Cookie', 'sessionId=abc123');
227
+
228
+ expect(response.headers['access-control-allow-origin']).toBe('https://crimewave.com');
229
+ expect(response.headers['access-control-allow-credentials']).toBe('true');
230
+
231
+ expect(response.status).toBe(200);
232
+ });
233
+ it('should allow requests with credentials from allowed origins', async () => {
234
+ const response = await request(app.callback())
235
+ .get('/hellor') // Regular cors() defaults from Koa
236
+ .set('Origin', 'https://crimewave.com')
237
+ .set('Cookie', 'sessionId=abc123');
238
+
239
+ expect(response.headers['access-control-allow-origin']).toBe('*');
240
+ expect(response.headers['access-control-allow-credentials']).toBeUndefined();
241
+ // IRL the browser will hate this result of '*' and refuse to share response w/ client
242
+
243
+ expect(response.status).toBe(200);
244
+ });
245
+ it('should allow requests with credentials from allowed origins - not this one', async () => {
246
+ const response = await request(app.callback())
247
+ .get('/hellos') // Custom whitelist cors() implementation
248
+ .set('Origin', 'https://crimewave.com')
249
+ .set('Cookie', 'sessionId=abc123');
250
+
251
+ expect(response.headers['access-control-allow-origin']).toBeUndefined();
252
+ expect(response.headers['access-control-allow-credentials']).toBeUndefined();
253
+
254
+ expect(response.status).toBe(200);
255
+ });
256
+ });
257
+
258
+ export class TestEndpointsDefCORS {
259
+ @dhttp.getApi('/hellod')
260
+ static async hello() {
261
+ return Promise.resolve({ message: 'hello!' });
262
+ }
263
+ }
264
+
265
+ @dhttp.koaCors(cors())
266
+ export class TestEndpointsRegCORS {
267
+ @dhttp.getApi('/hellor')
268
+ static async hello() {
269
+ return Promise.resolve({ message: 'hello!' });
270
+ }
271
+ }
272
+
273
+ @dhttp.koaCors(
274
+ cors({
275
+ credentials: true,
276
+ origin: (o: Koa.Context) => {
277
+ const whitelist = ['https://us.com', 'https://partner.com'];
278
+ const origin = o.request.header.origin ?? '*';
279
+ if (whitelist && whitelist.length > 0) {
280
+ return whitelist.includes(origin) ? origin : '';
281
+ }
282
+ return o.request.header.origin || '*';
283
+ },
284
+ allowMethods: 'GET,OPTIONS', // Need to have options for preflight.
285
+ }),
286
+ )
287
+ export class TestEndpointsSpecCORS {
288
+ @dhttp.getApi('/hellos')
289
+ static async hello() {
290
+ return Promise.resolve({ message: 'hello!' });
291
+ }
292
+ }