@dbos-inc/koa-serve 2.11.6-preview.gcb74958171
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +1 -0
- package/dist/src/dboshttp.d.ts +76 -0
- package/dist/src/dboshttp.d.ts.map +1 -0
- package/dist/src/dboshttp.js +122 -0
- package/dist/src/dboshttp.js.map +1 -0
- package/dist/src/dboskoa.d.ts +54 -0
- package/dist/src/dboskoa.d.ts.map +1 -0
- package/dist/src/dboskoa.js +333 -0
- package/dist/src/dboskoa.js.map +1 -0
- package/dist/src/index.d.ts +3 -0
- package/dist/src/index.d.ts.map +1 -0
- package/dist/src/index.js +12 -0
- package/dist/src/index.js.map +1 -0
- package/dist/tsconfig.tsbuildinfo +1 -0
- package/jest.config.js +8 -0
- package/package.json +43 -0
- package/src/dboshttp.ts +185 -0
- package/src/dboskoa.ts +415 -0
- package/src/index.ts +14 -0
- package/tests/argsource.test.ts +153 -0
- package/tests/auth.test.ts +208 -0
- package/tests/basic.test.ts +73 -0
- package/tests/cors.test.ts +292 -0
- package/tests/endpoints.test.ts +517 -0
- package/tests/validation.test.ts +539 -0
- package/tsconfig.json +9 -0
|
@@ -0,0 +1,292 @@
|
|
|
1
|
+
import Koa from 'koa';
|
|
2
|
+
import Router from '@koa/router';
|
|
3
|
+
import cors from '@koa/cors';
|
|
4
|
+
|
|
5
|
+
import { DBOS } from '@dbos-inc/dbos-sdk';
|
|
6
|
+
|
|
7
|
+
import { DBOSKoa } from '../src';
|
|
8
|
+
|
|
9
|
+
import request from 'supertest';
|
|
10
|
+
|
|
11
|
+
const dhttp = new DBOSKoa();
|
|
12
|
+
|
|
13
|
+
describe('http-cors-tests', () => {
|
|
14
|
+
let app: Koa;
|
|
15
|
+
let appRouter: Router;
|
|
16
|
+
|
|
17
|
+
beforeAll(async () => {
|
|
18
|
+
DBOS.setConfig({ name: 'koa-cors' });
|
|
19
|
+
return Promise.resolve();
|
|
20
|
+
});
|
|
21
|
+
|
|
22
|
+
beforeEach(async () => {
|
|
23
|
+
DBOS.registerLifecycleCallback(dhttp);
|
|
24
|
+
await DBOS.launch();
|
|
25
|
+
app = new Koa();
|
|
26
|
+
appRouter = new Router();
|
|
27
|
+
dhttp.registerWithApp(app, appRouter);
|
|
28
|
+
});
|
|
29
|
+
|
|
30
|
+
afterEach(async () => {
|
|
31
|
+
await DBOS.shutdown();
|
|
32
|
+
});
|
|
33
|
+
|
|
34
|
+
// Check get with us as origin
|
|
35
|
+
it('should allow requests without credentials from allowed origins', async () => {
|
|
36
|
+
const response = await request(app.callback())
|
|
37
|
+
.get('/hellod') // Default CORS policy
|
|
38
|
+
.set('Origin', 'https://us.com');
|
|
39
|
+
|
|
40
|
+
expect(response.headers['access-control-allow-origin']).toBe('https://us.com');
|
|
41
|
+
expect(response.status).toBe(200);
|
|
42
|
+
});
|
|
43
|
+
it('should allow requests without credentials from allowed origins', async () => {
|
|
44
|
+
const response = await request(app.callback())
|
|
45
|
+
.get('/hellor') // Regular cors() defaults from Koa
|
|
46
|
+
.set('Origin', 'https://us.com');
|
|
47
|
+
|
|
48
|
+
expect(response.headers['access-control-allow-origin']).toBe('*');
|
|
49
|
+
expect(response.status).toBe(200);
|
|
50
|
+
});
|
|
51
|
+
it('should allow requests without credentials from allowed origins', async () => {
|
|
52
|
+
const response = await request(app.callback())
|
|
53
|
+
.get('/hellos') // Custom whitelist cors() implementation
|
|
54
|
+
.set('Origin', 'https://us.com');
|
|
55
|
+
|
|
56
|
+
expect(response.headers['access-control-allow-origin']).toBe('https://us.com');
|
|
57
|
+
expect(response.status).toBe(200);
|
|
58
|
+
});
|
|
59
|
+
|
|
60
|
+
// Check get with partner as origin
|
|
61
|
+
it('should allow requests without credentials from allowed origins', async () => {
|
|
62
|
+
const response = await request(app.callback())
|
|
63
|
+
.get('/hellod') // Default CORS policy
|
|
64
|
+
.set('Origin', 'https://partner.com');
|
|
65
|
+
|
|
66
|
+
expect(response.headers['access-control-allow-origin']).toBe('https://partner.com');
|
|
67
|
+
expect(response.status).toBe(200);
|
|
68
|
+
});
|
|
69
|
+
it('should allow requests without credentials from allowed origins', async () => {
|
|
70
|
+
const response = await request(app.callback())
|
|
71
|
+
.get('/hellor') // Regular cors() defaults from Koa
|
|
72
|
+
.set('Origin', 'https://partner.com');
|
|
73
|
+
|
|
74
|
+
expect(response.headers['access-control-allow-origin']).toBe('*');
|
|
75
|
+
expect(response.status).toBe(200);
|
|
76
|
+
});
|
|
77
|
+
it('should allow requests without credentials from allowed origins', async () => {
|
|
78
|
+
const response = await request(app.callback())
|
|
79
|
+
.get('/hellos') // Custom whitelist cors() implementation
|
|
80
|
+
.set('Origin', 'https://partner.com');
|
|
81
|
+
|
|
82
|
+
expect(response.headers['access-control-allow-origin']).toBe('https://partner.com');
|
|
83
|
+
expect(response.status).toBe(200);
|
|
84
|
+
});
|
|
85
|
+
|
|
86
|
+
// Check get with another origin
|
|
87
|
+
it('should allow requests without credentials from allowed origins', async () => {
|
|
88
|
+
const response = await request(app.callback())
|
|
89
|
+
.get('/hellod') // Default CORS policy
|
|
90
|
+
.set('Origin', 'https://crimeware.com');
|
|
91
|
+
|
|
92
|
+
expect(response.headers['access-control-allow-origin']).toBe('https://crimeware.com');
|
|
93
|
+
expect(response.status).toBe(200);
|
|
94
|
+
});
|
|
95
|
+
it('should allow requests without credentials from allowed origins', async () => {
|
|
96
|
+
const response = await request(app.callback())
|
|
97
|
+
.get('/hellor') // Regular cors() defaults from Koa
|
|
98
|
+
.set('Origin', 'https://crimeware.com');
|
|
99
|
+
|
|
100
|
+
expect(response.headers['access-control-allow-origin']).toBe('*');
|
|
101
|
+
expect(response.status).toBe(200);
|
|
102
|
+
});
|
|
103
|
+
it('should allow requests without credentials from allowed origins - not this one', async () => {
|
|
104
|
+
const response = await request(app.callback())
|
|
105
|
+
.get('/hellos') // Custom whitelist cors() implementation
|
|
106
|
+
.set('Origin', 'https://crimeware.com');
|
|
107
|
+
|
|
108
|
+
expect(response.headers['access-control-allow-origin']).toBeUndefined();
|
|
109
|
+
expect(response.status).toBe(200); // IRL this response will not be shared by the browser to the caller; POSTs could be preflighted.
|
|
110
|
+
});
|
|
111
|
+
|
|
112
|
+
// Check get with us as origin AND credentials
|
|
113
|
+
it('should allow requests with credentials from allowed origins', async () => {
|
|
114
|
+
const response = await request(app.callback())
|
|
115
|
+
.get('/hellod') // Default CORS policy
|
|
116
|
+
.set('Origin', 'https://us.com')
|
|
117
|
+
.set('Cookie', 'sessionId=abc123');
|
|
118
|
+
|
|
119
|
+
expect(response.headers['access-control-allow-origin']).toBe('https://us.com');
|
|
120
|
+
expect(response.headers['access-control-allow-credentials']).toBe('true');
|
|
121
|
+
|
|
122
|
+
expect(response.status).toBe(200);
|
|
123
|
+
});
|
|
124
|
+
it('should allow requests with credentials from allowed origins', async () => {
|
|
125
|
+
const response = await request(app.callback())
|
|
126
|
+
.get('/hellor') // Regular cors() defaults from Koa
|
|
127
|
+
.set('Origin', 'https://us.com')
|
|
128
|
+
.set('Cookie', 'sessionId=abc123');
|
|
129
|
+
|
|
130
|
+
expect(response.headers['access-control-allow-origin']).toBe('*');
|
|
131
|
+
expect(response.headers['access-control-allow-credentials']).toBeUndefined();
|
|
132
|
+
// IRL the browser will hate this result of '*' and refuse to share response w/ client
|
|
133
|
+
|
|
134
|
+
expect(response.status).toBe(200);
|
|
135
|
+
});
|
|
136
|
+
it('should allow requests with credentials from allowed origins', async () => {
|
|
137
|
+
const response = await request(app.callback())
|
|
138
|
+
.get('/hellos') // Custom whitelist cors() implementation
|
|
139
|
+
.set('Origin', 'https://us.com')
|
|
140
|
+
.set('Cookie', 'sessionId=abc123');
|
|
141
|
+
|
|
142
|
+
expect(response.headers['access-control-allow-origin']).toBe('https://us.com');
|
|
143
|
+
expect(response.headers['access-control-allow-credentials']).toBe('true');
|
|
144
|
+
|
|
145
|
+
expect(response.status).toBe(200);
|
|
146
|
+
});
|
|
147
|
+
|
|
148
|
+
// Check get with partner as origin AND credentials
|
|
149
|
+
it('should allow requests with credentials from allowed origins', async () => {
|
|
150
|
+
const response = await request(app.callback())
|
|
151
|
+
.get('/hellod') // Default CORS policy
|
|
152
|
+
.set('Origin', 'https://partner.com')
|
|
153
|
+
.set('Cookie', 'sessionId=abc123');
|
|
154
|
+
|
|
155
|
+
expect(response.headers['access-control-allow-origin']).toBe('https://partner.com');
|
|
156
|
+
expect(response.headers['access-control-allow-credentials']).toBe('true');
|
|
157
|
+
|
|
158
|
+
expect(response.status).toBe(200);
|
|
159
|
+
});
|
|
160
|
+
it('should allow requests with credentials from allowed origins', async () => {
|
|
161
|
+
const response = await request(app.callback())
|
|
162
|
+
.get('/hellor') // Regular cors() defaults from Koa
|
|
163
|
+
.set('Origin', 'https://partner.com')
|
|
164
|
+
.set('Cookie', 'sessionId=abc123');
|
|
165
|
+
|
|
166
|
+
expect(response.headers['access-control-allow-origin']).toBe('*');
|
|
167
|
+
expect(response.headers['access-control-allow-credentials']).toBeUndefined();
|
|
168
|
+
// IRL the browser will hate this result of '*' and refuse to share response w/ client
|
|
169
|
+
|
|
170
|
+
expect(response.status).toBe(200);
|
|
171
|
+
});
|
|
172
|
+
it('should allow requests with credentials from allowed origins', async () => {
|
|
173
|
+
const response = await request(app.callback())
|
|
174
|
+
.get('/hellos') // Custom whitelist cors() implementation
|
|
175
|
+
.set('Origin', 'https://partner.com')
|
|
176
|
+
.set('Cookie', 'sessionId=abc123');
|
|
177
|
+
|
|
178
|
+
expect(response.headers['access-control-allow-origin']).toBe('https://partner.com');
|
|
179
|
+
expect(response.headers['access-control-allow-credentials']).toBe('true');
|
|
180
|
+
|
|
181
|
+
expect(response.status).toBe(200);
|
|
182
|
+
});
|
|
183
|
+
|
|
184
|
+
it('should allow preflight requests with credentials from allowed origins', async () => {
|
|
185
|
+
const response = await request(app.callback())
|
|
186
|
+
.options('/hellos') // Custom whitelist cors() implementation
|
|
187
|
+
.set('Access-Control-Request-Method', 'GET')
|
|
188
|
+
.set('Origin', 'https://partner.com')
|
|
189
|
+
.set('Cookie', 'sessionId=abc123');
|
|
190
|
+
|
|
191
|
+
expect(response.status).toBe(204);
|
|
192
|
+
expect(response.headers['access-control-allow-origin']).toBe('https://partner.com');
|
|
193
|
+
expect(response.headers['access-control-allow-credentials']).toBe('true');
|
|
194
|
+
});
|
|
195
|
+
it('should allow preflight requests with credentials from allowed origins', async () => {
|
|
196
|
+
const response = await request(app.callback())
|
|
197
|
+
.options('/hellor') // Regular cors() defaults from Koa
|
|
198
|
+
.set('Access-Control-Request-Method', 'GET')
|
|
199
|
+
.set('Origin', 'https://crimewave.com')
|
|
200
|
+
.set('Cookie', 'sessionId=abc123');
|
|
201
|
+
|
|
202
|
+
expect(response.status).toBe(204);
|
|
203
|
+
expect(response.headers['access-control-allow-origin']).toBe('*');
|
|
204
|
+
expect(response.headers['access-control-allow-credentials']).toBeUndefined();
|
|
205
|
+
});
|
|
206
|
+
it('should allow preflight requests with credentials from allowed origins', async () => {
|
|
207
|
+
const response = await request(app.callback())
|
|
208
|
+
.options('/hellod') // Default CORS policy
|
|
209
|
+
.set('Access-Control-Request-Method', 'GET')
|
|
210
|
+
.set('Origin', 'https://crimewave.com')
|
|
211
|
+
.set('Cookie', 'sessionId=abc123');
|
|
212
|
+
|
|
213
|
+
expect(response.status).toBe(204);
|
|
214
|
+
expect(response.headers['access-control-allow-origin']).toBe('https://crimewave.com');
|
|
215
|
+
expect(response.headers['access-control-allow-credentials']).toBe('true');
|
|
216
|
+
expect(response.headers['access-control-allow-headers']).toBe(
|
|
217
|
+
'Origin,X-Requested-With,Content-Type,Accept,Authorization',
|
|
218
|
+
);
|
|
219
|
+
});
|
|
220
|
+
|
|
221
|
+
// Check get with another origin AND credentials
|
|
222
|
+
it('should allow requests with credentials from allowed origins', async () => {
|
|
223
|
+
const response = await request(app.callback())
|
|
224
|
+
.get('/hellod') // Default CORS policy
|
|
225
|
+
.set('Origin', 'https://crimewave.com')
|
|
226
|
+
.set('Cookie', 'sessionId=abc123');
|
|
227
|
+
|
|
228
|
+
expect(response.headers['access-control-allow-origin']).toBe('https://crimewave.com');
|
|
229
|
+
expect(response.headers['access-control-allow-credentials']).toBe('true');
|
|
230
|
+
|
|
231
|
+
expect(response.status).toBe(200);
|
|
232
|
+
});
|
|
233
|
+
it('should allow requests with credentials from allowed origins', async () => {
|
|
234
|
+
const response = await request(app.callback())
|
|
235
|
+
.get('/hellor') // Regular cors() defaults from Koa
|
|
236
|
+
.set('Origin', 'https://crimewave.com')
|
|
237
|
+
.set('Cookie', 'sessionId=abc123');
|
|
238
|
+
|
|
239
|
+
expect(response.headers['access-control-allow-origin']).toBe('*');
|
|
240
|
+
expect(response.headers['access-control-allow-credentials']).toBeUndefined();
|
|
241
|
+
// IRL the browser will hate this result of '*' and refuse to share response w/ client
|
|
242
|
+
|
|
243
|
+
expect(response.status).toBe(200);
|
|
244
|
+
});
|
|
245
|
+
it('should allow requests with credentials from allowed origins - not this one', async () => {
|
|
246
|
+
const response = await request(app.callback())
|
|
247
|
+
.get('/hellos') // Custom whitelist cors() implementation
|
|
248
|
+
.set('Origin', 'https://crimewave.com')
|
|
249
|
+
.set('Cookie', 'sessionId=abc123');
|
|
250
|
+
|
|
251
|
+
expect(response.headers['access-control-allow-origin']).toBeUndefined();
|
|
252
|
+
expect(response.headers['access-control-allow-credentials']).toBeUndefined();
|
|
253
|
+
|
|
254
|
+
expect(response.status).toBe(200);
|
|
255
|
+
});
|
|
256
|
+
});
|
|
257
|
+
|
|
258
|
+
export class TestEndpointsDefCORS {
|
|
259
|
+
@dhttp.getApi('/hellod')
|
|
260
|
+
static async hello() {
|
|
261
|
+
return Promise.resolve({ message: 'hello!' });
|
|
262
|
+
}
|
|
263
|
+
}
|
|
264
|
+
|
|
265
|
+
@dhttp.koaCors(cors())
|
|
266
|
+
export class TestEndpointsRegCORS {
|
|
267
|
+
@dhttp.getApi('/hellor')
|
|
268
|
+
static async hello() {
|
|
269
|
+
return Promise.resolve({ message: 'hello!' });
|
|
270
|
+
}
|
|
271
|
+
}
|
|
272
|
+
|
|
273
|
+
@dhttp.koaCors(
|
|
274
|
+
cors({
|
|
275
|
+
credentials: true,
|
|
276
|
+
origin: (o: Koa.Context) => {
|
|
277
|
+
const whitelist = ['https://us.com', 'https://partner.com'];
|
|
278
|
+
const origin = o.request.header.origin ?? '*';
|
|
279
|
+
if (whitelist && whitelist.length > 0) {
|
|
280
|
+
return whitelist.includes(origin) ? origin : '';
|
|
281
|
+
}
|
|
282
|
+
return o.request.header.origin || '*';
|
|
283
|
+
},
|
|
284
|
+
allowMethods: 'GET,OPTIONS', // Need to have options for preflight.
|
|
285
|
+
}),
|
|
286
|
+
)
|
|
287
|
+
export class TestEndpointsSpecCORS {
|
|
288
|
+
@dhttp.getApi('/hellos')
|
|
289
|
+
static async hello() {
|
|
290
|
+
return Promise.resolve({ message: 'hello!' });
|
|
291
|
+
}
|
|
292
|
+
}
|