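/**
 * Exercises CorsService::handlePreflightRequest() end to end:
 *  - rejection of a disallowed origin, method and request header,
 *  - the success path when all three are allow-listed,
 *  - argument validation (InvalidArgument) for malformed preflights,
 *  - emission of the Access-Control-* response headers,
 *  - the custom origin/method/header "not allowed" callbacks.
 *
 * Every specify() block sets the request headers it depends on, and
 * $this->service is re-created with the configuration under test before
 * each block. The "origin is not set" block relies on the Origin header
 * being absent even though earlier blocks set it, so this test assumes
 * Codeception Specify restores $this->request between blocks — TODO confirm
 * against the Specify configuration used by this suite.
 */
public function testHandlePreflightRequest()
{
    $this->service = new CorsService();
    $this->request = new Request();

    // --- rejection paths ---------------------------------------------------

    // Default configuration allows no origins at all.
    $this->specify('403 response if origin is not allowed', function () {
        $this->request->headers->set('Origin', 'http://foo.com');
        $this->request->headers->set('Access-Control-Request-Method', 'POST');
        $this->request->headers->set('Access-Control-Request-Headers', 'accept, authorization, content-type');
        $response = $this->service->handlePreflightRequest($this->request);
        verify($response->getStatusCode())->equals(403);
    });

    // Origin allowed, but no methods configured.
    $this->service = new CorsService(['allow_origins' => ['http://foo.com']]);
    $this->specify('405 response if method is not allowed', function () {
        $this->request->headers->set('Origin', 'http://foo.com');
        $this->request->headers->set('Access-Control-Request-Method', 'POST');
        $this->request->headers->set('Access-Control-Request-Headers', 'accept, authorization, content-type');
        $response = $this->service->handlePreflightRequest($this->request);
        verify($response->getStatusCode())->equals(405);
    });

    // Origin and method allowed, but no request headers configured. The
    // original test computed the response here without asserting on it,
    // so a regression in header checking would have gone unnoticed.
    $this->service = new CorsService(['allow_origins' => ['http://foo.com'], 'allow_methods' => ['post']]);
    $this->specify('403 response if header is not allowed', function () {
        $this->request->headers->set('Origin', 'http://foo.com');
        $this->request->headers->set('Access-Control-Request-Method', 'POST');
        $this->request->headers->set('Access-Control-Request-Headers', 'accept, authorization, content-type');
        $response = $this->service->handlePreflightRequest($this->request);
        verify($response->getStatusCode())->equals(403);
    });

    // --- success path ------------------------------------------------------

    $this->service = new CorsService(['allow_origins' => ['http://foo.com'], 'allow_methods' => ['post'], 'allow_headers' => ['accept', 'authorization', 'content-type']]);
    $this->specify('200 response when origin, method and headers are allowed', function () {
        $this->request->headers->set('Origin', 'http://foo.com');
        $this->request->headers->set('Access-Control-Request-Method', 'POST');
        $this->request->headers->set('Access-Control-Request-Headers', 'accept, authorization, content-type');
        $response = $this->service->handlePreflightRequest($this->request);
        verify($response->getStatusCode())->equals(200);
    });

    // --- argument validation -----------------------------------------------

    // No Origin header at all: a preflight without an origin is malformed.
    $this->service = new CorsService(['allow_origins' => ['*']]);
    $this->specify('InvalidArgument exception when origin is not set', function () {
        $this->service->handlePreflightRequest($this->request);
    }, ['throws' => 'Nord\\Lumen\\Cors\\Exceptions\\InvalidArgument']);

    // Trailing separator in the header list, and no Access-Control-Request-Method.
    // Which of the two triggers the exception is not pinned down by this
    // test; both are malformed input and should not reach the allow-list checks.
    $this->service = new CorsService(['allow_origins' => ['*'], 'allow_headers' => ['accept']]);
    $this->specify('InvalidArgument exception when header is not set', function () {
        $this->request->headers->set('Origin', 'http://foo.com');
        $this->request->headers->set('Access-Control-Request-Headers', 'accept, ');
        $this->service->handlePreflightRequest($this->request);
    }, ['throws' => 'Nord\\Lumen\\Cors\\Exceptions\\InvalidArgument']);

    // --- response headers --------------------------------------------------

    $this->service = new CorsService(['allow_origins' => ['http://foo.com'], 'allow_methods' => ['post'], 'allow_headers' => ['accept', 'authorization', 'content-type']]);
    $this->specify('response headers are set', function () {
        $this->request->headers->set('Origin', 'http://foo.com');
        $this->request->headers->set('Access-Control-Request-Method', 'POST');
        $this->request->headers->set('Access-Control-Request-Headers', 'accept, authorization, content-type');
        $response = $this->service->handlePreflightRequest($this->request);
        // The allow-listed origin is echoed back verbatim, not as '*'.
        verify($response->headers->get('Access-Control-Allow-Origin'))->equals('http://foo.com');
        verify($response->headers->get('Access-Control-Allow-Methods'))->equals('POST');
        verify($response->headers->get('Access-Control-Allow-Headers'))->equals('accept, authorization, content-type');
        // Neither credentials nor max_age were configured, so the
        // corresponding headers must be absent rather than set to a default.
        verify($response->headers->has('Access-Control-Allow-Credentials'))->false();
        verify($response->headers->has('Access-Control-Max-Age'))->false();
    });

    // NOTE(review): browsers reject Access-Control-Allow-Origin: * combined
    // with Access-Control-Allow-Credentials: true, and a wildcard origin with
    // credentials is a well-known CORS misconfiguration. This block only
    // checks that the credentials header is emitted; it does not pin what
    // Allow-Origin contains in that configuration — worth a dedicated
    // assertion once the intended behaviour is confirmed.
    $this->service = new CorsService(['allow_origins' => ['*'], 'allow_methods' => ['*'], 'allow_headers' => ['*'], 'allow_credentials' => true]);
    $this->specify('response credentials header is set', function () {
        $this->request->headers->set('Origin', 'http://foo.com');
        $this->request->headers->set('Access-Control-Request-Method', 'POST');
        $this->request->headers->set('Access-Control-Request-Headers', 'accept, authorization, content-type');
        $response = $this->service->handlePreflightRequest($this->request);
        verify($response->headers->get('Access-Control-Allow-Credentials'))->equals('true');
    });

    $this->service = new CorsService(['allow_origins' => ['*'], 'allow_methods' => ['*'], 'allow_headers' => ['*'], 'max_age' => 3600]);
    $this->specify('response max-age header is set', function () {
        $this->request->headers->set('Origin', 'http://foo.com');
        $this->request->headers->set('Access-Control-Request-Method', 'POST');
        $this->request->headers->set('Access-Control-Request-Headers', 'accept, authorization, content-type');
        $response = $this->service->handlePreflightRequest($this->request);
        // Header values are strings; compare against the string form so the
        // assertion does not depend on loose comparison.
        verify($response->headers->get('Access-Control-Max-Age'))->equals('3600');
    });

    // --- custom rejection callbacks ----------------------------------------

    $this->service = new CorsService(['allow_origins' => ['http://foo.com'], 'origin_not_allowed' => function () {
        return new Response('INVALID ORIGIN', 403);
    }]);
    $this->specify('response origin_not_allowed header is set', function () {
        $this->request->headers->set('Origin', 'http://bar.com');
        $response = $this->service->handlePreflightRequest($this->request);
        verify($response->getStatusCode())->equals(403);
        verify($response->getContent())->equals('INVALID ORIGIN');
    });

    $this->service = new CorsService(['allow_origins' => ['*'], 'allow_methods' => ['GET'], 'method_not_allowed' => function () {
        return new Response('INVALID METHOD', 403);
    }]);
    $this->specify('response method_not_allowed header is set', function () {
        $this->request->headers->set('Origin', 'http://foo.com');
        $this->request->headers->set('Access-Control-Request-Method', 'POST');
        $response = $this->service->handlePreflightRequest($this->request);
        verify($response->getStatusCode())->equals(403);
        verify($response->getContent())->equals('INVALID METHOD');
    });

    $this->service = new CorsService(['allow_origins' => ['*'], 'allow_headers' => ['accept'], 'header_not_allowed' => function () {
        return new Response('INVALID HEADER', 403);
    }]);
    $this->specify('response header_not_allowed header is set', function () {
        $this->request->headers->set('Origin', 'http://foo.com');
        $this->request->headers->set('Access-Control-Request-Headers', 'accept, authorization');
        $response = $this->service->handlePreflightRequest($this->request);
        verify($response->getStatusCode())->equals(403);
        verify($response->getContent())->equals('INVALID HEADER');
    });
}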