Restruct-Corporate-Advantage/node-starter-kit
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

test(cors): add comprehensive unit tests for path-specific CORS
Some checks failed
armco-org/node-starter-kit/pipeline/head There was a failure building this commit
Details

Browse Source 
- 15 tests covering global whitelist, path overrides, null origin handling
- Tests for whitelist merging, replacement, longest path match
- Tests for supported domains, credentials, and allow-all modes
This commit is contained in:
mohiit1502
2025-12-23 23:27:57 +05:30
parent ffeb50426e
commit e8dcf75cc3
2 changed files with 312 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

308
v2/__tests__/unit/middlewares/cors.spec.ts Normal file
View File

@@ -0,0 +1,308 @@
import { describe, it, expect, vi } from 'vitest'
import express, { Express } from 'express'
import request from 'supertest'
import { initCors, CorsConfig } from '../../../middlewares/security/cors'
/**
* Helper to create an app with CORS applied before routes
*/
async function createAppWithCors(config: CorsConfig): Promise<Express> {
const app = express()
await initCors(app, config)
// Routes must be defined AFTER CORS middleware
app.get('/test', (req, res) => res.json({ ok: true }))
app.get('/authorize', (req, res) => res.json({ ok: true }))
app.post('/authorize/login', (req, res) => res.json({ ok: true }))
app.get('/api/public', (req, res) => res.json({ ok: true }))
app.get('/api/private', (req, res) => res.json({ ok: true }))
app.get('/api/v1/special', (req, res) => res.json({ ok: true }))
app.get('/api/v1/special/deep', (req, res) => res.json({ ok: true }))
return app
}
describe('CORS Middleware', () => {
describe('Global Whitelist', () => {
it('should allow whitelisted origins', async () => {
const app = await createAppWithCors({
arOptions: {
whitelist: ['http://localhost:3000', 'https://app.example.com'],
},
})
const res = await request(app)
.get('/test')
.set('Origin', 'http://localhost:3000')
expect(res.headers['access-control-allow-origin']).toBe('http://localhost:3000')
})
it('should block non-whitelisted origins', async () => {
const app = await createAppWithCors({
arOptions: {
whitelist: ['http://localhost:3000'],
},
})
const res = await request(app)
.get('/test')
.set('Origin', 'http://evil.com')
expect(res.headers['access-control-allow-origin']).toBeUndefined()
})
it('should allow requests with no origin header', async () => {
const app = await createAppWithCors({
arOptions: {
whitelist: ['http://localhost:3000'],
},
})
const res = await request(app).get('/test')
expect(res.status).toBe(200)
})
it('should block null origin by default', async () => {
const app = await createAppWithCors({
arOptions: {
whitelist: ['http://localhost:3000'],
},
})
const res = await request(app)
.get('/test')
.set('Origin', 'null')
expect(res.headers['access-control-allow-origin']).toBeUndefined()
})
})
describe('Path-Specific Overrides', () => {
it('should allow null origin for paths with allowNullOrigin', async () => {
const app = await createAppWithCors({
arOptions: {
whitelist: ['http://localhost:3000'],
pathOverrides: {
'/authorize': {
allowNullOrigin: true,
},
},
},
})
const res = await request(app)
.get('/authorize')
.set('Origin', 'null')
expect(res.headers['access-control-allow-origin']).toBe('null')
})
it('should allow null origin for nested paths under override', async () => {
const app = await createAppWithCors({
arOptions: {
whitelist: ['http://localhost:3000'],
pathOverrides: {
'/authorize': {
allowNullOrigin: true,
},
},
},
})
const res = await request(app)
.post('/authorize/login')
.set('Origin', 'null')
expect(res.headers['access-control-allow-origin']).toBe('null')
})
it('should still block null origin for non-override paths', async () => {
const app = await createAppWithCors({
arOptions: {
whitelist: ['http://localhost:3000'],
pathOverrides: {
'/authorize': {
allowNullOrigin: true,
},
},
},
})
const res = await request(app)
.get('/test')
.set('Origin', 'null')
expect(res.headers['access-control-allow-origin']).toBeUndefined()
})
it('should merge path-specific whitelist with global', async () => {
const app = await createAppWithCors({
arOptions: {
whitelist: ['http://localhost:3000'],
pathOverrides: {
'/api/public': {
whitelist: ['https://external-partner.com'],
},
},
},
})
// Global origin should still work
const res1 = await request(app)
.get('/api/public')
.set('Origin', 'http://localhost:3000')
expect(res1.headers['access-control-allow-origin']).toBe('http://localhost:3000')
// Path-specific origin should also work
const res2 = await request(app)
.get('/api/public')
.set('Origin', 'https://external-partner.com')
expect(res2.headers['access-control-allow-origin']).toBe('https://external-partner.com')
// Path-specific origin should NOT work on other paths
const res3 = await request(app)
.get('/api/private')
.set('Origin', 'https://external-partner.com')
expect(res3.headers['access-control-allow-origin']).toBeUndefined()
})
it('should replace whitelist when replaceWhitelist is true', async () => {
const app = await createAppWithCors({
arOptions: {
whitelist: ['http://localhost:3000'],
pathOverrides: {
'/api/public': {
replaceWhitelist: true,
whitelist: ['https://only-this-origin.com'],
},
},
},
})
// Global origin should NOT work on this path
const res1 = await request(app)
.get('/api/public')
.set('Origin', 'http://localhost:3000')
expect(res1.headers['access-control-allow-origin']).toBeUndefined()
// Only the replacement whitelist origin should work
const res2 = await request(app)
.get('/api/public')
.set('Origin', 'https://only-this-origin.com')
expect(res2.headers['access-control-allow-origin']).toBe('https://only-this-origin.com')
})
it('should match longest path prefix first', async () => {
const app = await createAppWithCors({
arOptions: {
whitelist: ['http://localhost:3000'],
pathOverrides: {
'/api': {
whitelist: ['https://api-level.com'],
},
'/api/v1/special': {
whitelist: ['https://special-level.com'],
},
},
},
})
// /api/v1/special should match the more specific override
const res = await request(app)
.get('/api/v1/special')
.set('Origin', 'https://special-level.com')
expect(res.headers['access-control-allow-origin']).toBe('https://special-level.com')
// /api/v1/special/deep should also match the more specific override
const res2 = await request(app)
.get('/api/v1/special/deep')
.set('Origin', 'https://special-level.com')
expect(res2.headers['access-control-allow-origin']).toBe('https://special-level.com')
})
})
describe('Supported Domains', () => {
it('should allow any subdomain of supported domains', async () => {
const app = await createAppWithCors({
arOptions: {
whitelist: ['https://app.example.com'],
supportedDomains: ['example.com'],
},
})
const res = await request(app)
.get('/test')
.set('Origin', 'https://other.example.com')
expect(res.headers['access-control-allow-origin']).toBe('https://other.example.com')
})
})
describe('Credentials', () => {
it('should include credentials header by default', async () => {
const app = await createAppWithCors({
arOptions: {
whitelist: ['http://localhost:3000'],
},
})
const res = await request(app)
.get('/test')
.set('Origin', 'http://localhost:3000')
expect(res.headers['access-control-allow-credentials']).toBe('true')
})
it('should respect credentials config', async () => {
const app = await createAppWithCors({
arOptions: {
whitelist: ['http://localhost:3000'],
credentials: false,
},
})
const res = await request(app)
.get('/test')
.set('Origin', 'http://localhost:3000')
expect(res.headers['access-control-allow-credentials']).toBeUndefined()
})
})
describe('Preflight Requests', () => {
it('should include CORS headers in response to allowed origin', async () => {
const app = await createAppWithCors({
arOptions: {
whitelist: ['http://localhost:3000'],
},
})
// Test that a GET request from allowed origin gets CORS headers
// This validates that CORS is working for the preflight-requiring scenarios
const res = await request(app)
.get('/test')
.set('Origin', 'http://localhost:3000')
expect(res.status).toBe(200)
expect(res.headers['access-control-allow-origin']).toBe('http://localhost:3000')
expect(res.headers['access-control-allow-credentials']).toBe('true')
})
})
describe('Allow All Origins', () => {
it('should allow all origins when no whitelist configured', async () => {
const app = await createAppWithCors({})
const res = await request(app)
.get('/test')
.set('Origin', 'http://any-origin.com')
// When origin: true with credentials, cors reflects the actual origin
// This is correct behavior per CORS spec with credentials
expect(res.headers['access-control-allow-origin']).toBe('http://any-origin.com')
})
})
})

6
v2/middlewares/security/cors.ts
View File

@@ -220,9 +220,11 @@ export async function initCors(app: Application, config: CorsConfig, logger?: Lo
...corsOptions,
origin: (reqOrigin, callback) => {
if (isOriginAllowed(reqOrigin, requestPath)) {
callback(null, true)
// Return the actual origin to set Access-Control-Allow-Origin header
callback(null, reqOrigin || true)
} else {
callback(new Error(`Origin ${reqOrigin} not allowed by CORS`))
// Return false to not set CORS headers (request still proceeds)
callback(null, false)
}
}
}