a06f331eb8
CI / benchmark (push) Has been skipped
install-script / posix-syntax (push) Successful in 6m1s
CI / build-onnx (push) Failing after 6m43s
init-smoke / dry-run (push) Failing after 15m57s
security / govulncheck (push) Has been cancelled
security / trivy-fs (push) Has been cancelled
CI / test (1.26, ubuntu-latest) (push) Has been cancelled
Scorecard supply-chain security / Scorecard analysis (push) Has been cancelled
CI / test (1.26, macos-latest) (push) Has been cancelled
CI / build-windows (push) Has been cancelled
CI / lint (push) Has been cancelled
install-script / powershell-syntax (push) Has been cancelled
install-script / install (macos-14) (push) Has been cancelled
install-script / install (ubuntu-latest) (push) Has been cancelled
76 lines
2.7 KiB
Go
76 lines
2.7 KiB
Go
package main
|
|
|
|
import (
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"testing"
|
|
)
|
|
|
|
// TestComposeDaemonHTTPHandler asserts the daemon's single HTTP listener
|
|
// routes /mcp to the streamable surface and /v1 to the REST handler, that
|
|
// /v1 is bearer-auth gated, and that CORS headers are emitted.
|
|
func TestComposeDaemonHTTPHandler(t *testing.T) {
|
|
streamH := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
|
|
_, _ = w.Write([]byte("MCP"))
|
|
})
|
|
v1 := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
|
|
_, _ = w.Write([]byte("V1"))
|
|
})
|
|
|
|
h := composeDaemonHTTPHandler(streamH, v1, func() string { return "secret" }, "*")
|
|
|
|
// /mcp (and any non-/v1 path) routes to the streamable surface.
|
|
t.Run("mcp routes to streamable", func(t *testing.T) {
|
|
rec := httptest.NewRecorder()
|
|
h.ServeHTTP(rec, httptest.NewRequest(http.MethodPost, "/mcp", nil))
|
|
if rec.Body.String() != "MCP" {
|
|
t.Fatalf("/mcp body = %q, want MCP", rec.Body.String())
|
|
}
|
|
})
|
|
|
|
// /v1 without a token is rejected.
|
|
t.Run("v1 requires auth", func(t *testing.T) {
|
|
rec := httptest.NewRecorder()
|
|
h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/v1/health", nil))
|
|
if rec.Code != http.StatusUnauthorized {
|
|
t.Fatalf("/v1 without token = %d, want 401", rec.Code)
|
|
}
|
|
})
|
|
|
|
// /v1 with the bearer token reaches the REST handler.
|
|
t.Run("v1 with token reaches handler", func(t *testing.T) {
|
|
rec := httptest.NewRecorder()
|
|
req := httptest.NewRequest(http.MethodGet, "/v1/health", nil)
|
|
req.Header.Set("Authorization", "Bearer secret")
|
|
h.ServeHTTP(rec, req)
|
|
if rec.Body.String() != "V1" {
|
|
t.Fatalf("/v1 with token body = %q, want V1", rec.Body.String())
|
|
}
|
|
})
|
|
|
|
// CORS preflight is answered (and exempt from auth) with the origin header.
|
|
t.Run("cors preflight", func(t *testing.T) {
|
|
rec := httptest.NewRecorder()
|
|
req := httptest.NewRequest(http.MethodOptions, "/v1/tools/search_symbols", nil)
|
|
req.Header.Set("Origin", "https://app.example.com")
|
|
h.ServeHTTP(rec, req)
|
|
if rec.Header().Get("Access-Control-Allow-Origin") == "" {
|
|
t.Fatalf("missing Access-Control-Allow-Origin header on preflight")
|
|
}
|
|
})
|
|
}
|
|
|
|
// TestComposeDaemonHTTPHandler_NoCORS asserts an empty origin skips the
|
|
// CORS wrapper (no header injected).
|
|
func TestComposeDaemonHTTPHandler_NoCORS(t *testing.T) {
|
|
v1 := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {})
|
|
h := composeDaemonHTTPHandler(http.NewServeMux(), v1, func() string { return "" }, "")
|
|
rec := httptest.NewRecorder()
|
|
req := httptest.NewRequest(http.MethodGet, "/v1/health", nil)
|
|
req.Header.Set("Origin", "https://app.example.com")
|
|
h.ServeHTTP(rec, req)
|
|
if got := rec.Header().Get("Access-Control-Allow-Origin"); got != "" {
|
|
t.Fatalf("CORS header present with empty origin: %q", got)
|
|
}
|
|
}
|