From 9c9f35734e795e3c2cea21384349b655d7ffa164 Mon Sep 17 00:00:00 2001
From: Elizabeth Hunt
Date: Sun, 14 Dec 2025 23:24:27 -0800
Subject: Add cors flags
---
test/cors.test.ts | 39 +++++++++++++++++++++++++++++++++++++++
1 file changed, 39 insertions(+)
create mode 100644 test/cors.test.ts
(limited to 'test/cors.test.ts')
diff --git a/test/cors.test.ts b/test/cors.test.ts
new file mode 100644
index 0000000..621c263
--- /dev/null
+++ b/test/cors.test.ts
@@ -0,0 +1,39 @@
+import { describe, expect, it } from 'vitest';
+
+import { PosthookServer } from '../src/server/index.js';
+
+const corsHeaders = (corsOriginsRaw: string, origin: string | undefined) => {
+ const server = new PosthookServer({} as any, {} as any, corsOriginsRaw);
+ return (server as any).corsHeaders(origin) as Record;
+};
+
+describe('CORS origin matching', () => {
+ it('defaults to allow-all with *', () => {
+ expect(corsHeaders('*', 'http://localhost:8080')).toEqual({
+ 'Access-Control-Allow-Origin': '*',
+ });
+ });
+
+ it('supports apex and wildcard host matching over https', () => {
+ expect(corsHeaders('*.liz.coffee,liz.coffee', 'https://liz.coffee')).toEqual({
+ 'Access-Control-Allow-Origin': 'https://liz.coffee',
+ });
+
+ expect(corsHeaders('*.liz.coffee,liz.coffee', 'https://beta.posthook.liz.coffee')).toEqual({
+ 'Access-Control-Allow-Origin': 'https://beta.posthook.liz.coffee',
+ });
+
+ expect(corsHeaders('*.liz.coffee,liz.coffee', 'https://evil.com')).toEqual({});
+ });
+
+ it('rejects http origins when restricted', () => {
+ expect(corsHeaders('*.liz.coffee,liz.coffee', 'http://liz.coffee')).toEqual({});
+ });
+
+ it('does not match apex with wildcard alone', () => {
+ expect(corsHeaders('*.liz.coffee', 'https://liz.coffee')).toEqual({});
+ expect(corsHeaders('*.liz.coffee', 'https://a.liz.coffee')).toMatchObject({
+ 'Access-Control-Allow-Origin': 'https://a.liz.coffee',
+ });
+ });
+});
--
cgit v1.2.3-70-g09d2
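Review bot: The only rejected host in 'supports apex and wildcard host matching over https' is the unrelated `https://evil.com`, so a matcher that compares suffixes without enforcing a dot boundary would still pass every case in this file. Add negative cases where the allowed name is merely a substring of the host, for example (constructed values) `expect(corsHeaders('*.liz.coffee,liz.coffee', 'https://notliz.coffee')).toEqual({});` and the same assertion with `'https://liz.coffee.example.com'`. The helper is typed `origin: string | undefined` but no test passes `undefined`; `expect(corsHeaders('*.liz.coffee', undefined)).toEqual({});` would pin the behaviour for requests without an Origin header, assuming an empty result is what is intended. The `toEqual` assertions also pin that a reflected origin is returned without `Vary: Origin`; the implementation is not visible here, so confirm that header is added elsewhere before responses can be stored by a shared cache.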