Files
2026-07-13 12:32:21 +08:00

156 lines
5.4 KiB
Lua

local helpers = require "spec.helpers"
describe("Admin API - CORS -", function()
for _, admin_gui_url in ipairs({ "", "http://admin.api:9100", "http://admin.api:9100/path/to/any/way" }) do
describe('when |admin_gui_url| is "' .. admin_gui_url .. '",', function ()
local client
lazy_setup(function()
assert(helpers.start_kong({
database = "off",
admin_gui_listen = "127.0.0.1:9002",
admin_gui_url = admin_gui_url,
}))
client = helpers.admin_client()
end)
teardown(function()
if client then
client:close()
end
helpers.stop_kong()
end)
describe("Pre-flight request", function ()
it("should return different allow-methods for specific route", function ()
local res
res = assert(client:send {
method = "OPTIONS",
path = "/"
})
assert.res_status(204, res)
assert.equal("GET, HEAD, OPTIONS", res.headers["Allow"])
assert.equal("GET, HEAD, OPTIONS", res.headers["Access-Control-Allow-Methods"])
res = assert(client:send {
method = "OPTIONS",
path = "/routes"
})
assert.res_status(204, res)
assert.equal("GET, HEAD, OPTIONS, POST", res.headers["Allow"])
assert.equal("GET, HEAD, OPTIONS, POST", res.headers["Access-Control-Allow-Methods"])
res = assert(client:send {
method = "OPTIONS",
path = "/routes/test"
})
assert.res_status(204, res)
assert.equal("DELETE, GET, HEAD, OPTIONS, PATCH, PUT", res.headers["Allow"])
assert.equal("DELETE, GET, HEAD, OPTIONS, PATCH, PUT", res.headers["Access-Control-Allow-Methods"])
end)
it("should allow headers from the request", function ()
local res, err = client:send({
path = "/",
method = "OPTIONS",
headers = {}
})
assert.is_nil(err)
assert.res_status(204, res)
assert.equal("Content-Type", res.headers["Access-Control-Allow-Headers"])
local res, err = client:send({
path = "/",
method = "OPTIONS",
headers = {
["Access-Control-Request-Headers"] = "X-Header-1,X-Header-2",
}
})
assert.is_nil(err)
assert.res_status(204, res)
assert.equal("X-Header-1,X-Header-2", res.headers["Access-Control-Allow-Headers"])
end)
it("should return the correct |AC-Allow-Origin| header when \"Origin\" is present in request headers", function ()
local res, err = client:send({
path = "/",
method = "OPTIONS",
headers = {
["Origin"] = "http://example.com",
}
})
local expected_allow_origin = admin_gui_url ~= "" and "http://admin.api:9100" or "http://example.com"
assert.is_nil(err)
assert.res_status(204, res)
assert.equal(expected_allow_origin, res.headers["Access-Control-Allow-Origin"])
end)
it("should return the correct |AC-Allow-Origin| header when \"Origin\" is absent in request headers", function ()
local res, err = client:send({
path = "/",
method = "OPTIONS",
headers = {}
})
local expected_allow_origin = admin_gui_url ~= "" and "http://admin.api:9100" or "*"
assert.is_nil(err)
assert.res_status(204, res)
assert.equal(expected_allow_origin, res.headers["Access-Control-Allow-Origin"])
end)
end)
describe("Main request", function ()
it("should not respond to |AC-Request-Method| or |AC-Request-Headers| headers", function ()
local res, err = client:send({
path = "/",
method = "GET",
headers = {
["Access-Control-Request-Method"] = "PATCH",
["Access-Control-Request-Headers"] = "X-Header-1,X-Header-2",
}
})
assert.is_nil(err)
assert.res_status(200, res)
assert.equal(nil, res.headers["Access-Control-Allow-Methods"])
assert.equal(nil, res.headers["Access-Control-Allow-Headers"])
end)
it("should return the correct |AC-Allow-Origin| header when \"Origin\" is present in request headers", function ()
local res, err = client:send({
path = "/",
method = "GET",
headers = {
["Origin"] = "http://example.com",
}
})
local expected_allow_origin = admin_gui_url ~= "" and "http://admin.api:9100" or "http://example.com"
assert.is_nil(err)
assert.res_status(200, res)
assert.equal(expected_allow_origin, res.headers["Access-Control-Allow-Origin"])
end)
it("should return the correct |AC-Allow-Origin| header when \"Origin\" is absent in request headers", function ()
local res, err = client:send({
path = "/",
method = "GET",
headers = {}
})
local expected_allow_origin = admin_gui_url ~= "" and "http://admin.api:9100" or "*"
assert.is_nil(err)
assert.res_status(200, res)
assert.equal(expected_allow_origin, res.headers["Access-Control-Allow-Origin"])
end)
end)
end)
end
end)