-
Notifications
You must be signed in to change notification settings - Fork 558
/
useCors.spec.ts
141 lines (140 loc) 路 4.44 KB
/
useCors.spec.ts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
import { Request } from '@whatwg-node/fetch'
import { createSchema } from '../schema.js'
import { createYoga } from '../server.js'
import { YogaInitialContext } from '../types.js'
import { getCORSHeadersByRequestAndOptions, CORSOptions } from './useCORS.js'
describe('CORS', () => {
describe('OPTIONS call', () => {
it('should respond with correct status & headers', async () => {
const schemaFactory = async (ctx: YogaInitialContext) => {
return createSchema({
typeDefs: /* GraphQL */ `
type Query {
foo: String
}
`,
resolvers: {
Query: {
foo: () => 'bar',
},
},
})
}
const yoga = createYoga({
schema: schemaFactory,
})
let result = await yoga.fetch('http://yoga/graphql', {
method: 'OPTIONS',
headers: {
'Content-Type': 'application/json',
},
})
expect(result.status).toEqual(204)
expect(result.headers.get('Content-Length')).toEqual('0')
})
})
describe('No origins specified', () => {
const corsOptionsWithNoOrigins = {}
it('should return the wildcard if no origin is sent with header', () => {
const request = new Request('http://localhost:4000/graphql', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
},
})
const headers = getCORSHeadersByRequestAndOptions(
request,
corsOptionsWithNoOrigins,
)
expect(headers['Access-Control-Allow-Origin']).toBe('*')
})
it('should return the origin if it is sent with header', () => {
const origin = 'http://localhost:4000'
const request = new Request('http://localhost:4000/graphql', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
origin,
},
})
const headers = getCORSHeadersByRequestAndOptions(
request,
corsOptionsWithNoOrigins,
)
expect(headers['Access-Control-Allow-Origin']).toBe(origin)
})
})
describe('Single allowed origin', () => {
const corsOptionsWithSingleOrigin = {
origin: 'http://localhost:4000',
}
it('should return the origin even if it is different than the sent origin', () => {
const request = new Request('http://localhost:4001/graphql', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
origin: 'http://localhost:4001',
},
})
const headers = getCORSHeadersByRequestAndOptions(
request,
corsOptionsWithSingleOrigin,
)
expect(headers['Access-Control-Allow-Origin']).toBe(
'http://localhost:4000',
)
})
})
describe('Multiple allowed origins', () => {
const corsOptionsWithMultipleOrigins: CORSOptions = {
origin: ['http://localhost:4000', 'http://localhost:4001'],
}
it('should return the origin itself if it matches', () => {
const request = new Request('http://localhost:4001/graphql', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
origin: 'http://localhost:4001',
},
})
const headers = getCORSHeadersByRequestAndOptions(
request,
corsOptionsWithMultipleOrigins,
)
expect(headers['Access-Control-Allow-Origin']).toBe(
'http://localhost:4001',
)
})
it('should return null if the sent origin does not match', () => {
const request = new Request('http://localhost:4002/graphql', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
origin: 'http://localhost:4002',
},
})
const headers = getCORSHeadersByRequestAndOptions(
request,
corsOptionsWithMultipleOrigins,
)
expect(headers['Access-Control-Allow-Origin']).toBe('null')
})
})
describe('Disabled CORS', () => {
const corsOptionsWithDisabledCORS: CORSOptions = false
it('should return null if the origin is sent', () => {
const request = new Request('http://localhost:4001/graphql', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
origin: 'http://localhost:4001',
},
})
const headers = getCORSHeadersByRequestAndOptions(
request,
corsOptionsWithDisabledCORS,
)
expect(headers['Access-Control-Allow-Origin']).toBeUndefined()
})
})
})