diff options
Diffstat (limited to 'test/cors.test.ts')
| -rw-r--r-- | test/cors.test.ts | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/test/cors.test.ts b/test/cors.test.ts new file mode 100644 index 0000000..621c263 --- /dev/null +++ b/test/cors.test.ts @@ -0,0 +1,39 @@ +import { describe, expect, it } from 'vitest'; + +import { PosthookServer } from '../src/server/index.js'; + +const corsHeaders = (corsOriginsRaw: string, origin: string | undefined) => { + const server = new PosthookServer({} as any, {} as any, corsOriginsRaw); + return (server as any).corsHeaders(origin) as Record<string, string>; +}; + +describe('CORS origin matching', () => { + it('defaults to allow-all with *', () => { + expect(corsHeaders('*', 'http://localhost:8080')).toEqual({ + 'Access-Control-Allow-Origin': '*', + }); + }); + + it('supports apex and wildcard host matching over https', () => { + expect(corsHeaders('*.liz.coffee,liz.coffee', 'https://liz.coffee')).toEqual({ + 'Access-Control-Allow-Origin': 'https://liz.coffee', + }); + + expect(corsHeaders('*.liz.coffee,liz.coffee', 'https://beta.posthook.liz.coffee')).toEqual({ + 'Access-Control-Allow-Origin': 'https://beta.posthook.liz.coffee', + }); + + expect(corsHeaders('*.liz.coffee,liz.coffee', 'https://evil.com')).toEqual({}); + }); + + it('rejects http origins when restricted', () => { + expect(corsHeaders('*.liz.coffee,liz.coffee', 'http://liz.coffee')).toEqual({}); + }); + + it('does not match apex with wildcard alone', () => { + expect(corsHeaders('*.liz.coffee', 'https://liz.coffee')).toEqual({}); + expect(corsHeaders('*.liz.coffee', 'https://a.liz.coffee')).toMatchObject({ + 'Access-Control-Allow-Origin': 'https://a.liz.coffee', + }); + }); +}); |