mockaton 7.0.0 → 7.1.0

package/README.md

@@ -12,8 +12,8 @@ my-mocks-dir/api/user/[user-id].GET.200.json
 [This browser extension](https://github.com/ericfortis/devtools-ext-tar-http-requests)
 can be used for downloading a TAR of your XHR requests following that convention.
 
-## What do I use it for?
-- I’m a frontend dev, so I don’t have to spin up and maintain hefty or complex backends.
+## Benefits
+- Avoids having to spin up and maintain hefty or complex backends when developing UIs.
 - For a deterministic and comprehensive backend state. For example, having all the possible
   state variants of a particular collection helps for spotting inadvertent bugs. And having those
   assorted responses are not easy to trigger from the backend.
@@ -71,6 +71,7 @@ node my-mockaton.js
 ```
 
 ## Config Options
+There’s a Config section below with more details.
 ```ts
 interface Config {
   mocksDir: string
@@ -87,10 +88,12 @@ interface Config {
   extraMimes?: { [fileExt: string]: string }
   extraHeaders?: []
 
+  corsAllowed?: boolean, // Defaults to false
+  // The options for customizing CORS are listed below
+
   onReady?: (dashboardUrl: string) => void // Defaults to trying to open macOS and Win default browser.
 }
 ```
-There’s a Config section below with more details.
 
 ---
 
@@ -259,6 +262,19 @@ Config.extraMimes = {
 }
 ```
 
+## `Config.corsAllowed`
+```js
+Config.corsAllowed = true
+
+// Defaults when `corsAllowed === true`
+Config.corsOrigins = ['*']
+Config.corsMethods = ['GET', 'PUT', 'DELETE', 'POST', 'PATCH', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT']
+Config.corsHeaders = []
+Config.corsCredentials = true
+Config.corsMaxAge = 0
+Config.corsExposedHeaders = []
+```
+
 ## `Config.onReady`
 This is a callback `(dashboardAddress: string) => void`, which defaults to
 trying to open the dashboard in your default browser in macOS and Windows.
@@ -296,32 +312,32 @@ import { Commander } from 'mockaton'
 
 
 const myMockatonAddr = 'http://localhost:2345'
-const commander = new Commander(myMockatonAddr)
+const mockaton = new Commander(myMockatonAddr)
 ```
 
 ### Select a mock file for a route
 ```js
-await commander.select('api/foo.200.GET.json')
+await mockaton.select('api/foo.200.GET.json')
 ```
 ### Select all mocks that have a particular comment
 ```js
-await commander.bulkSelectByComment('(demo-a)')
+await mockaton.bulkSelectByComment('(demo-a)')
 ```
 
 ### Set Route is Delayed Flag
 ```js
-await commander.setRouteIsDelayed('GET', '/api/foo', true)
+await mockaton.setRouteIsDelayed('GET', '/api/foo', true)
 ```
 
 ### Select a cookie
 In `Config.cookies`, each key is the label used for selecting it.
 ```js
-await commander.selectCookie('My Normal User')
+await mockaton.selectCookie('My Normal User')
 ```
 
 ### Set Fallback Proxy
 ```js
-await commander.setProxyFallback('http://example.com')
+await mockaton.setProxyFallback('http://example.com')
 ```
 Pass an empty string to disable it.
 
@@ -330,7 +346,7 @@ Re-initialize the collection. So if you added or removed mocks they
 will be considered. The selected mocks, cookies, and delays go
 back to default, but `Config.proxyFallback` is not affected.
 ```js
-await commander.reset()
+await mockaton.reset()
 ```
 
 

package/Tests.js

@@ -13,6 +13,7 @@ import { mimeFor } from './src/utils/mime.js'
 import { Mockaton } from './src/Mockaton.js'
 import { Commander } from './src/Commander.js'
 import { parseFilename } from './src/Filename.js'
+import { PreflightHeader } from './src/utils/http-cors.js'
 import { API, DEFAULT_500_COMMENT, DEFAULT_MOCK_COMMENT } from './src/ApiConstants.js'
 
 
@@ -157,7 +158,9 @@ const server = Mockaton({
 	extraHeaders: ['Server', 'MockatonTester'],
 	extraMimes: {
 		my_custom_extension: 'my_custom_mime'
-	}
+	},
+	corsAllowed: true,
+	corsOrigins: ['http://example.com']
 })
 server.on('listening', runTests)
 
@@ -223,10 +226,12 @@ async function runTests() {
 	await testMockDispatching(...fixtureCustomMime, 'my_custom_mime')
 	await testJsFunctionMocks()
 
+	await testCorsAllowed()
 	await testItUpdatesUserRole()
 	await testStaticFileServing()
 	await testInvalidFilenamesAreIgnored()
 	await testEnableFallbackSoRoutesWithoutMocksGetRelayed()
+
 	server.close()
 }
 
@@ -435,6 +440,23 @@ async function testEnableFallbackSoRoutesWithoutMocksGetRelayed() {
 	})
 }
 
+// TODO make API for changing CORS? so we can automate testing?
+async function testCorsAllowed() {
+	await it('cors', async () => {
+		const res = await request('/does-not-matter', {
+			method: 'OPTIONS',
+			headers: {
+				[PreflightHeader.Origin]: 'http://example.com',
+				[PreflightHeader.AccessControlRequestMethod]: 'GET'
+			}
+		})
+		equal(res.status, 204)
+		equal(res.headers.get(PreflightHeader.AccessControlAllowOrigin), 'http://example.com')
+		equal(res.headers.get(PreflightHeader.AccessControlAllowMethods), 'GET')
+	})
+}
+
+
 // Utils
 
 function write(filename, data) {

package/index.d.ts

@@ -15,6 +15,14 @@ interface Config {
 	extraHeaders?: [string, string][]
 	extraMimes?: { [fileExt: string]: string }
 
+	corsAllowed?: boolean,
+	corsOrigins: string[]
+	corsMethods: string[]
+	corsHeaders: string[]
+	corsExposedHeaders: string[]
+	corsCredentials: boolean
+	corsMaxAge: number
+
 	onReady?: (address: string) => void
 }
 

package/package.json

@@ -2,7 +2,7 @@
 	"name": "mockaton",
 	"description": "A deterministic server-side for developing and testing frontend clients",
 	"type": "module",
-	"version": "7.0.0",
+	"version": "7.1.0",
 	"main": "index.js",
 	"types": "index.d.ts",
 	"license": "MIT",

package/src/Config.js

@@ -1,6 +1,7 @@
+import { isDirectory } from './utils/fs.js'
 import { openInBrowser } from './utils/openInBrowser.js'
+import { StandardMethods } from './utils/http-request.js'
 import { validate, is, optional } from './utils/validate.js'
-import { isDirectory } from './utils/fs.js'
 
 
 export const Config = Object.seal({
@@ -18,6 +19,14 @@ export const Config = Object.seal({
 	extraHeaders: [],
 	extraMimes: {},
 
+	corsAllowed: false,
+	corsOrigins: ['*'],
+	corsMethods: StandardMethods,
+	corsHeaders: [],
+	corsExposedHeaders: [],
+	corsCredentials: true,
+	corsMaxAge: 0,
+
 	onReady: openInBrowser
 })
 
@@ -36,11 +45,39 @@ export function setup(options) {
 
 		delay: ms => Number.isInteger(ms) && ms > 0,
 		cookies: is(Object),
-		extraHeaders: Array.isArray,
+		extraHeaders: val => Array.isArray(val) && val.length % 2 === 0,
 		extraMimes: is(Object),
 
+		corsAllowed: is(Boolean),
+		corsOrigins: validateCorsAllowedOrigins,
+		corsMethods: validateCorsAllowedMethods,
+		corsHeaders: Array.isArray,
+		corsExposedHeaders: Array.isArray,
+		corsCredentials: is(Boolean),
+		corsMaxAge: is(Number),
+
 		onReady: is(Function)
 	})
+
+	if (!Config.corsAllowed) // TESTME
+		Config.corsOrigins = []
+}
+
+
+function validateCorsAllowedOrigins(arr) {
+	if (!Array.isArray(arr))
+		return false
+
+	if (arr.length === 1 && arr[0] === '*')
+		return true
+
+	return arr.every(o => URL.canParse(o))
 }
 
 
+function validateCorsAllowedMethods(arr) {
+	if (!Array.isArray(arr))
+		return false
+
+	return arr.every(m => StandardMethods.includes(m))
+}

package/src/Mockaton.js

@@ -1,16 +1,18 @@
 import { createServer } from 'node:http'
 
 import { API } from './ApiConstants.js'
-import { Config, setup } from './Config.js'
 import { dispatchMock } from './MockDispatcher.js'
+import { Config, setup } from './Config.js'
 import * as mockBrokerCollection from './mockBrokersCollection.js'
 import { dispatchStatic, isStatic } from './StaticDispatcher.js'
+import { setCorsHeaders, isPreflight } from './utils/http-cors.js'
 import { apiPatchRequests, apiGetRequests } from './Api.js'
 
 
 export function Mockaton(options) {
 	setup(options)
 	mockBrokerCollection.init()
+
 	const server = createServer(onRequest)
 	server.listen(Config.port, Config.host, (error) => {
 		const { address, port } = server.address()
@@ -26,10 +28,25 @@ export function Mockaton(options) {
 }
 
 async function onRequest(req, response) {
+	const { url, method } = req
 	response.setHeader('Server', 'Mockaton')
 
-	const { url, method } = req
-	if (method === 'GET' && apiGetRequests.has(url))
+	if (Config.corsAllowed)
+		setCorsHeaders(req, response, {
+			origins: Config.corsOrigins,
+			headers: Config.corsHeaders,
+			methods: Config.corsMethods,
+			maxAge: Config.corsMaxAge,
+			credentials: Config.corsCredentials,
+			exposedHeaders: Config.extraHeaders
+		})
+
+
+	if (isPreflight(req)) {
+		response.statusCode = 204
+		response.end()
+	}
+	else if (method === 'GET' && apiGetRequests.has(url))
 		apiGetRequests.get(url)(req, response)
 
 	else if (method === 'PATCH' && apiPatchRequests.has(url))

package/src/utils/http-cors.js

@@ -0,0 +1,70 @@
+import { StandardMethods } from './http-request.js'
+
+// https://www.w3.org/TR/2020/SPSD-cors-20200602/#resource-processing-model
+
+export const PreflightHeader = {
+	// request
+	Origin: 'origin',
+	AccessControlRequestMethod: 'access-control-request-method',
+	AccessControlRequestHeaders: 'access-control-request-headers', // Comma separated
+
+	// response
+	AccessControlMaxAge: 'Access-Control-Max-Age',
+	AccessControlAllowOrigin: 'Access-Control-Allow-Origin', // '*' | Space delimited | null
+	AccessControlAllowMethods: 'Access-Control-Allow-Methods', // '*' | Comma delimited
+	AccessControlAllowHeaders: 'Access-Control-Allow-Headers', // '*' | Comma delimited 
+	AccessControlExposeHeaders: 'Access-Control-Expose-Headers', // '*' | Comma delimited 
+	AccessControlAllowCredentials: 'Access-Control-Allow-Credentials' // 'true'
+}
+const PH = PreflightHeader
+
+
+export function isPreflight(req) {
+	return req.method === 'OPTIONS'
+		&& URL.canParse(req.headers[PH.Origin])
+		&& StandardMethods.includes(req.headers[PH.AccessControlRequestMethod])
+}
+
+
+export function setCorsHeaders(req, response, {
+	origins = [],
+	methods = [],
+	headers = [],
+	exposedHeaders = [],
+	credentials = false,
+	maxAge = 0
+}) {
+	const reqOrigin = req.headers[PH.Origin]
+	const hasWildcard = origins.some(ao => ao === '*')
+	if (!reqOrigin || (!hasWildcard && !origins.includes(reqOrigin)))
+		return
+	response.setHeader(PH.AccessControlAllowOrigin, reqOrigin) // Never '*', so no need to `Vary` it
+
+	if (credentials)
+		response.setHeader(PH.AccessControlAllowCredentials, 'true')
+
+	if (req.headers[PH.AccessControlRequestMethod])
+		setPreflightSpecificHeaders(req, response, methods, headers, maxAge)
+	else
+		setActualRequestHeaders(response, exposedHeaders)
+}
+
+
+function setPreflightSpecificHeaders(req, response, methods, headers, maxAge) {
+	const methodAskingFor = req.headers[PH.AccessControlRequestMethod]
+	if (!methods.includes(methodAskingFor))
+		return
+
+	response.setHeader(PH.AccessControlAllowMethods, methodAskingFor)
+	if (headers.length)
+		response.setHeader(PH.AccessControlAllowHeaders, headers.join(','))
+
+	response.setHeader(PH.AccessControlMaxAge, maxAge)
+}
+
+
+function setActualRequestHeaders(response, exposedHeaders) {
+	// Exposed means the client-side JavaScript can read them
+	if (exposedHeaders.length)
+		response.setHeader(PH.AccessControlExposeHeaders, exposedHeaders.join(','))
+}

package/src/utils/http-cors.test.js

@@ -0,0 +1,190 @@
+import { equal } from 'node:assert/strict'
+import { promisify } from 'node:util'
+import { createServer } from 'node:http'
+import { describe, it, after } from 'node:test'
+import { isPreflight, setCorsHeaders, PreflightHeader as PH } from './http-cors.js'
+
+
+function headerIs(response, header, value) {
+	equal(response.headers.get(header), value)
+}
+
+const FooDotCom = 'http://foo.com'
+const AllowedDotCom = 'http://allowed.com'
+const NotAllowedDotCom = 'http://not-allowed.com'
+
+await describe('CORS', async () => {
+	let corsAllow = {}
+
+	const server = createServer((req, response) => {
+		if (isPreflight(req)) {
+			setCorsHeaders(req, response, corsAllow)
+			response.statusCode = 204
+			response.end()
+			return
+		}
+		response.end('NON_PREFLIGHT')
+	})
+	await promisify(server.listen).bind(server, 0, '127.0.0.1')()
+	after(() => {
+		server.close()
+	})
+	function preflight(headers, method = 'OPTIONS') {
+		const { address, port } = server.address()
+		return fetch(`http://${address}:${port}/`, { method, headers })
+	}
+
+	await describe('Identifies Preflight Requests', async () => {
+		const requiredRequestHeaders = {
+			[PH.Origin]: 'http://locahost:9999',
+			[PH.AccessControlRequestMethod]: 'POST'
+		}
+
+		await it('Ignores non-OPTIONS requests', async () => {
+			const res = await preflight(requiredRequestHeaders, 'POST')
+			equal(await res.text(), 'NON_PREFLIGHT')
+		})
+
+		await it(`Ignores non-parseable req ${PH.Origin} header`, async () => {
+			const headers = {
+				...requiredRequestHeaders,
+				[PH.Origin]: 'non-url'
+			}
+			const res = await preflight(headers)
+			equal(await res.text(), 'NON_PREFLIGHT')
+		})
+
+		await it(`Ignores missing method in ${PH.AccessControlRequestMethod} header`, async () => {
+			const headers = { ...requiredRequestHeaders }
+			delete headers[PH.AccessControlRequestMethod]
+			const res = await preflight(headers)
+			equal(await res.text(), 'NON_PREFLIGHT')
+		})
+
+		await it(`Ignores non-standard method in ${PH.AccessControlRequestMethod} header`, async () => {
+			const headers = {
+				...requiredRequestHeaders,
+				[PH.AccessControlRequestMethod]: 'NON_STANDARD'
+			}
+			const res = await preflight(headers)
+			equal(await res.text(), 'NON_PREFLIGHT')
+		})
+
+		await it('204 valid preflights', async () => {
+			const res = await preflight(requiredRequestHeaders)
+			equal(res.status, 204)
+		})
+	})
+
+	await describe('Preflight Response Headers', async () => {
+		await it('no origins allowed', async () => {
+			corsAllow = {
+				origins: [],
+				methods: ['GET']
+			}
+			const p = await preflight({
+				[PH.Origin]: FooDotCom,
+				[PH.AccessControlRequestMethod]: 'GET'
+			})
+			headerIs(p, PH.AccessControlAllowOrigin, null)
+			headerIs(p, PH.AccessControlAllowMethods, null)
+			headerIs(p, PH.AccessControlAllowCredentials, null)
+			headerIs(p, PH.AccessControlAllowHeaders, null)
+		})
+
+		await it('not in allowed origins', async () => {
+			corsAllow = {
+				origins: [AllowedDotCom],
+				methods: ['GET']
+			}
+			const p = await preflight({
+				[PH.Origin]: NotAllowedDotCom,
+				[PH.AccessControlRequestMethod]: 'GET'
+			})
+			headerIs(p, PH.AccessControlAllowOrigin, null)
+			headerIs(p, PH.AccessControlAllowMethods, null)
+			headerIs(p, PH.AccessControlAllowCredentials, null)
+			headerIs(p, PH.AccessControlAllowHeaders, null)
+		})
+
+		await it('origin and method match', async () => {
+			corsAllow = {
+				origins: [AllowedDotCom],
+				methods: ['GET']
+			}
+			const p = await preflight({
+				[PH.Origin]: AllowedDotCom,
+				[PH.AccessControlRequestMethod]: 'GET'
+			})
+			headerIs(p, PH.AccessControlAllowOrigin, AllowedDotCom)
+			headerIs(p, PH.AccessControlAllowMethods, 'GET')
+			headerIs(p, PH.AccessControlAllowCredentials, null)
+			headerIs(p, PH.AccessControlAllowHeaders, null)
+		})
+
+		await it('origin matches from multiple', async () => {
+			corsAllow = {
+				origins: [AllowedDotCom, FooDotCom],
+				methods: ['GET']
+			}
+			const p = await preflight({
+				[PH.Origin]: AllowedDotCom,
+				[PH.AccessControlRequestMethod]: 'GET'
+			})
+			headerIs(p, PH.AccessControlAllowOrigin, AllowedDotCom)
+			headerIs(p, PH.AccessControlAllowMethods, 'GET')
+			headerIs(p, PH.AccessControlAllowCredentials, null)
+			headerIs(p, PH.AccessControlAllowHeaders, null)
+		})
+
+		await it('wildcard origin', async () => {
+			corsAllow = {
+				origins: ['*'],
+				methods: ['GET']
+			}
+			const p = await preflight({
+				[PH.Origin]: FooDotCom,
+				[PH.AccessControlRequestMethod]: 'GET'
+			})
+			headerIs(p, PH.AccessControlAllowOrigin, FooDotCom)
+			headerIs(p, PH.AccessControlAllowMethods, 'GET')
+			headerIs(p, PH.AccessControlAllowCredentials, null)
+			headerIs(p, PH.AccessControlAllowHeaders, null)
+		})
+
+		await it(`wildcard and credentials`, async () => {
+			corsAllow = {
+				origins: ['*'],
+				methods: ['GET'],
+				credentials: true
+			}
+			const p = await preflight({
+				[PH.Origin]: FooDotCom,
+				[PH.AccessControlRequestMethod]: 'GET'
+			})
+			headerIs(p, PH.AccessControlAllowOrigin, FooDotCom)
+			headerIs(p, PH.AccessControlAllowMethods, 'GET')
+			headerIs(p, PH.AccessControlAllowCredentials, 'true')
+			headerIs(p, PH.AccessControlAllowHeaders, null)
+		})
+
+		await it(`wildcard, credentials, and headers`, async () => {
+			corsAllow = {
+				origins: ['*'],
+				methods: ['GET'],
+				credentials: true,
+				headers: ['content-type', 'my-header']
+			}
+			const p = await preflight({
+				[PH.Origin]: FooDotCom,
+				[PH.AccessControlRequestMethod]: 'GET'
+			})
+			headerIs(p, PH.AccessControlAllowOrigin, FooDotCom)
+			headerIs(p, PH.AccessControlAllowMethods, 'GET')
+			headerIs(p, PH.AccessControlAllowCredentials, 'true')
+			headerIs(p, PH.AccessControlAllowHeaders, 'content-type,my-header')
+		})
+	})
+
+	// TODO Actual request response headers
+})

package/src/utils/http-request.js

@@ -1,3 +1,9 @@
+export const StandardMethods = [
+	'GET', 'PUT', 'DELETE', 'POST', 'PATCH',
+	'HEAD', 'OPTIONS', 'TRACE', 'CONNECT'
+]
+
+
 export class JsonBodyParserError extends Error {}
 
 export function parseJSON(req) {
@@ -33,4 +39,4 @@ export function parseJSON(req) {
 				}
 		}
 	})
-}
+}