ag/unisono
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

CORS implemented in a static manner: unable to configure on another machine

Browse Source
This commit is contained in:
aodulov
2025-10-15 13:45:36 +03:00
parent ea0e025b0e
commit 03d31011fd
18 changed files with 582 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

118
backend/tests/cors.test.ts Normal file
View File

@@ -0,0 +1,118 @@
import { Request, Response, NextFunction } from 'express';
import cors from 'cors';
// Mock the express request, response, and next function
const mockRequest = (origin: string | undefined) => {
return { header: (name: string) => (name === 'Origin' ? origin : undefined) } as Request;
};
const mockResponse = () => {
const res: Partial<Response> = {};
res.setHeader = jest.fn().mockReturnValue(res as Response);
res.status = jest.fn().mockReturnValue(res as Response);
res.json = jest.fn().mockReturnValue(res as Response);
return res as Response;
};
const mockNext = () => jest.fn() as NextFunction;
describe('CORS Middleware Configuration', () => {
const OLD_ENV = process.env;
beforeEach(() => {
jest.resetModules(); // Most important - it clears the cache
process.env = { ...OLD_ENV }; // Make a copy
});
afterAll(() => {
process.env = OLD_ENV; // Restore old environment
});
test('should allow a request from the configured CORS_ORIGIN', () => {
process.env.CORS_ORIGIN = 'http://allowed.com';
const corsOptions = {
origin: (origin: string | undefined, callback: (err: Error | null, allow?: boolean) => void) => {
if (!origin || process.env.CORS_ORIGIN?.includes(origin)) {
callback(null, true);
} else {
callback(new Error('Not allowed by CORS'));
}
},
};
const corsMiddleware = cors(corsOptions);
const req = mockRequest('http://allowed.com');
const res = mockResponse();
const next = mockNext();
corsMiddleware(req, res, next);
expect(next).toHaveBeenCalledWith();
expect(next).not.toHaveBeenCalledWith(expect.any(Error));
});
test('should block a request from an unlisted origin', () => {
process.env.CORS_ORIGIN = 'http://allowed.com';
const corsOptions = {
origin: (origin: string | undefined, callback: (err: Error | null, allow?: boolean) => void) => {
if (!origin || process.env.CORS_ORIGIN?.includes(origin)) {
callback(null, true);
} else {
callback(new Error('Not allowed by CORS'));
}
},
};
const corsMiddleware = cors(corsOptions);
const req = mockRequest('http://denied.com');
const res = mockResponse();
const next = mockNext();
corsMiddleware(req, res, next);
expect(next).toHaveBeenCalledWith(new Error('Not allowed by CORS'));
});
test('should block a cross-origin request if CORS_ORIGIN is not set (default same-origin)', () => {
delete process.env.CORS_ORIGIN;
const corsOptions = {
origin: (origin: string | undefined, callback: (err: Error | null, allow?: boolean) => void) => {
// In a real scenario, an empty CORS_ORIGIN would mean only same-origin is allowed.
// This is simulated by checking if origin exists and is not in the (non-existent) whitelist.
if (!origin || process.env.CORS_ORIGIN?.includes(origin)) {
callback(null, true);
} else {
callback(new Error('Not allowed by CORS'));
}
},
};
const corsMiddleware = cors(corsOptions);
const req = mockRequest('http://any-origin.com');
const res = mockResponse();
const next = mockNext();
corsMiddleware(req, res, next);
expect(next).toHaveBeenCalledWith(new Error('Not allowed by CORS'));
});
test('should allow a same-origin request if CORS_ORIGIN is not set', () => {
delete process.env.CORS_ORIGIN;
const corsOptions = {
origin: (origin: string | undefined, callback: (err: Error | null, allow?: boolean) => void) => {
if (!origin || process.env.CORS_ORIGIN?.includes(origin)) {
callback(null, true);
} else {
callback(new Error('Not allowed by CORS'));
}
},
};
const corsMiddleware = cors(corsOptions);
const req = mockRequest(undefined); // A same-origin request has no Origin header
const res = mockResponse();
const next = mockNext();
corsMiddleware(req, res, next);
expect(next).toHaveBeenCalledWith();
expect(next).not.toHaveBeenCalledWith(expect.any(Error));
});
});