2026-01-03 18:15:03 +01:00
|
|
|
//! Integration tests for CORS (Cross-Origin Resource Sharing) headers.
|
|
|
|
|
//!
|
|
|
|
|
//! These tests verify that the CORS middleware correctly:
|
|
|
|
|
//! - Returns proper CORS headers for preflight OPTIONS requests
|
|
|
|
|
//! - Returns Access-Control-Allow-Origin for actual requests with Origin header
|
|
|
|
|
//! - Respects max_age configuration
|
|
|
|
|
//! - Handles credentials correctly based on configuration
|
|
|
|
|
//! - Returns correct allowed methods
|
|
|
|
|
//!
|
|
|
|
|
//! **T016 Requirement**: Write integration tests for CORS headers
|
|
|
|
|
|
|
|
|
|
use poem::test::TestClient;
|
|
|
|
|
use sta::{settings::Settings, startup::Application};
|
|
|
|
|
|
|
|
|
|
/// Helper function to create a test app with custom CORS settings.
|
|
|
|
|
fn get_test_app_with_cors(
|
|
|
|
|
allowed_origins: Vec<String>,
|
|
|
|
|
allow_credentials: bool,
|
|
|
|
|
max_age_secs: i32,
|
|
|
|
|
) -> poem::middleware::AddDataEndpoint<
|
2026-01-03 18:43:02 +01:00
|
|
|
poem::middleware::CorsEndpoint<sta::middleware::rate_limit::RateLimitEndpoint<poem::Route>>,
|
2026-01-03 18:15:03 +01:00
|
|
|
Settings,
|
|
|
|
|
> {
|
2026-01-03 18:43:02 +01:00
|
|
|
let tcp_listener =
|
|
|
|
|
std::net::TcpListener::bind("127.0.0.1:0").expect("Failed to bind a random TCP listener");
|
2026-01-03 18:15:03 +01:00
|
|
|
let port = tcp_listener.local_addr().unwrap().port();
|
|
|
|
|
let listener = poem::listener::TcpListener::bind(format!("127.0.0.1:{port}"));
|
|
|
|
|
|
|
|
|
|
let mut settings = Settings::default();
|
|
|
|
|
settings.cors.allowed_origins = allowed_origins;
|
|
|
|
|
settings.cors.allow_credentials = allow_credentials;
|
|
|
|
|
settings.cors.max_age_secs = max_age_secs;
|
|
|
|
|
|
|
|
|
|
Application::build(settings, Some(listener))
|
|
|
|
|
.make_app()
|
|
|
|
|
.into()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Test: OPTIONS preflight request to `/api/health` returns correct CORS headers.
|
|
|
|
|
///
|
|
|
|
|
/// **T016 Requirement**: Verify preflight request handling
|
|
|
|
|
#[tokio::test]
|
|
|
|
|
async fn preflight_request_returns_cors_headers() {
|
|
|
|
|
// GIVEN: An app with CORS configured for specific origin
|
2026-01-03 18:43:02 +01:00
|
|
|
let app = get_test_app_with_cors(vec!["http://localhost:5173".to_string()], false, 3600);
|
2026-01-03 18:15:03 +01:00
|
|
|
let client = TestClient::new(app);
|
|
|
|
|
|
|
|
|
|
// WHEN: A preflight OPTIONS request is sent with Origin header
|
|
|
|
|
let resp = client
|
|
|
|
|
.options("/api/health")
|
|
|
|
|
.header("Origin", "http://localhost:5173")
|
|
|
|
|
.header("Access-Control-Request-Method", "GET")
|
|
|
|
|
.send()
|
|
|
|
|
.await;
|
|
|
|
|
|
|
|
|
|
// THEN: Response should have status 200 OK
|
|
|
|
|
resp.assert_status_is_ok();
|
|
|
|
|
|
|
|
|
|
// AND: Response should include Access-Control-Allow-Origin header
|
|
|
|
|
let allow_origin = resp.0.headers().get("access-control-allow-origin");
|
|
|
|
|
assert!(
|
|
|
|
|
allow_origin.is_some(),
|
|
|
|
|
"Preflight response should include Access-Control-Allow-Origin header"
|
|
|
|
|
);
|
|
|
|
|
assert_eq!(
|
|
|
|
|
allow_origin.unwrap().to_str().unwrap(),
|
|
|
|
|
"http://localhost:5173",
|
|
|
|
|
"Access-Control-Allow-Origin should match requested origin"
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
// AND: Response should include Access-Control-Allow-Methods header
|
|
|
|
|
let allow_methods = resp.0.headers().get("access-control-allow-methods");
|
|
|
|
|
assert!(
|
|
|
|
|
allow_methods.is_some(),
|
|
|
|
|
"Preflight response should include Access-Control-Allow-Methods header"
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Test: GET `/api/health` with Origin header returns `Access-Control-Allow-Origin` header.
|
|
|
|
|
///
|
|
|
|
|
/// **T016 Requirement**: Verify actual request CORS headers
|
|
|
|
|
#[tokio::test]
|
|
|
|
|
async fn get_request_with_origin_returns_allow_origin_header() {
|
|
|
|
|
// GIVEN: An app with CORS configured for specific origin
|
2026-01-03 18:43:02 +01:00
|
|
|
let app = get_test_app_with_cors(vec!["http://localhost:5173".to_string()], false, 3600);
|
2026-01-03 18:15:03 +01:00
|
|
|
let client = TestClient::new(app);
|
|
|
|
|
|
|
|
|
|
// WHEN: A GET request is sent with Origin header
|
|
|
|
|
let resp = client
|
|
|
|
|
.get("/api/health")
|
|
|
|
|
.header("Origin", "http://localhost:5173")
|
|
|
|
|
.send()
|
|
|
|
|
.await;
|
|
|
|
|
|
|
|
|
|
// THEN: Response should have status 200 OK
|
|
|
|
|
resp.assert_status_is_ok();
|
|
|
|
|
|
|
|
|
|
// AND: Response should include Access-Control-Allow-Origin header
|
|
|
|
|
let allow_origin = resp.0.headers().get("access-control-allow-origin");
|
|
|
|
|
assert!(
|
|
|
|
|
allow_origin.is_some(),
|
|
|
|
|
"Response should include Access-Control-Allow-Origin header"
|
|
|
|
|
);
|
|
|
|
|
assert_eq!(
|
|
|
|
|
allow_origin.unwrap().to_str().unwrap(),
|
|
|
|
|
"http://localhost:5173",
|
|
|
|
|
"Access-Control-Allow-Origin should match requested origin"
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Test: Preflight response includes `Access-Control-Max-Age` matching configuration.
|
|
|
|
|
///
|
|
|
|
|
/// **T016 Requirement**: Verify max_age configuration is applied
|
|
|
|
|
#[tokio::test]
|
|
|
|
|
async fn preflight_response_includes_max_age_from_config() {
|
|
|
|
|
// GIVEN: An app with CORS configured with custom max_age
|
|
|
|
|
let custom_max_age = 7200; // 2 hours
|
|
|
|
|
let app = get_test_app_with_cors(
|
|
|
|
|
vec!["http://localhost:5173".to_string()],
|
|
|
|
|
false,
|
|
|
|
|
custom_max_age,
|
|
|
|
|
);
|
|
|
|
|
let client = TestClient::new(app);
|
|
|
|
|
|
|
|
|
|
// WHEN: A preflight OPTIONS request is sent
|
|
|
|
|
let resp = client
|
|
|
|
|
.options("/api/health")
|
|
|
|
|
.header("Origin", "http://localhost:5173")
|
|
|
|
|
.header("Access-Control-Request-Method", "GET")
|
|
|
|
|
.send()
|
|
|
|
|
.await;
|
|
|
|
|
|
|
|
|
|
// THEN: Response should include Access-Control-Max-Age header
|
|
|
|
|
let max_age = resp.0.headers().get("access-control-max-age");
|
|
|
|
|
assert!(
|
|
|
|
|
max_age.is_some(),
|
|
|
|
|
"Preflight response should include Access-Control-Max-Age header"
|
|
|
|
|
);
|
|
|
|
|
assert_eq!(
|
|
|
|
|
max_age.unwrap().to_str().unwrap(),
|
|
|
|
|
custom_max_age.to_string(),
|
|
|
|
|
"Access-Control-Max-Age should match configuration"
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Test: Response includes `Access-Control-Allow-Credentials` when configured.
|
|
|
|
|
///
|
|
|
|
|
/// **T016 Requirement**: Verify credentials configuration is applied
|
|
|
|
|
#[tokio::test]
|
|
|
|
|
async fn response_includes_allow_credentials_when_configured() {
|
|
|
|
|
// GIVEN: An app with CORS configured with allow_credentials=true
|
|
|
|
|
let app = get_test_app_with_cors(
|
|
|
|
|
vec!["http://localhost:5173".to_string()],
|
|
|
|
|
true, // allow_credentials
|
|
|
|
|
3600,
|
|
|
|
|
);
|
|
|
|
|
let client = TestClient::new(app);
|
|
|
|
|
|
|
|
|
|
// WHEN: A preflight OPTIONS request is sent
|
|
|
|
|
let resp = client
|
|
|
|
|
.options("/api/health")
|
|
|
|
|
.header("Origin", "http://localhost:5173")
|
|
|
|
|
.header("Access-Control-Request-Method", "GET")
|
|
|
|
|
.send()
|
|
|
|
|
.await;
|
|
|
|
|
|
|
|
|
|
// THEN: Response should include Access-Control-Allow-Credentials header
|
|
|
|
|
let allow_credentials = resp.0.headers().get("access-control-allow-credentials");
|
|
|
|
|
assert!(
|
|
|
|
|
allow_credentials.is_some(),
|
|
|
|
|
"Response should include Access-Control-Allow-Credentials header when configured"
|
|
|
|
|
);
|
|
|
|
|
assert_eq!(
|
|
|
|
|
allow_credentials.unwrap().to_str().unwrap(),
|
|
|
|
|
"true",
|
|
|
|
|
"Access-Control-Allow-Credentials should be 'true' when configured"
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Test: Response does not include `Access-Control-Allow-Credentials` when disabled.
|
|
|
|
|
///
|
|
|
|
|
/// **T016 Requirement**: Verify credentials are not sent when disabled
|
|
|
|
|
#[tokio::test]
|
|
|
|
|
async fn response_does_not_include_credentials_when_disabled() {
|
|
|
|
|
// GIVEN: An app with CORS configured with allow_credentials=false
|
|
|
|
|
let app = get_test_app_with_cors(
|
|
|
|
|
vec!["http://localhost:5173".to_string()],
|
|
|
|
|
false, // allow_credentials
|
|
|
|
|
3600,
|
|
|
|
|
);
|
|
|
|
|
let client = TestClient::new(app);
|
|
|
|
|
|
|
|
|
|
// WHEN: A preflight OPTIONS request is sent
|
|
|
|
|
let resp = client
|
|
|
|
|
.options("/api/health")
|
|
|
|
|
.header("Origin", "http://localhost:5173")
|
|
|
|
|
.header("Access-Control-Request-Method", "GET")
|
|
|
|
|
.send()
|
|
|
|
|
.await;
|
|
|
|
|
|
|
|
|
|
// THEN: Response should NOT include Access-Control-Allow-Credentials header
|
|
|
|
|
// OR it should be 'false'
|
|
|
|
|
let allow_credentials = resp.0.headers().get("access-control-allow-credentials");
|
|
|
|
|
if let Some(value) = allow_credentials {
|
|
|
|
|
assert_eq!(
|
|
|
|
|
value.to_str().unwrap(),
|
|
|
|
|
"false",
|
|
|
|
|
"Access-Control-Allow-Credentials should be 'false' when disabled"
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
// Note: Poem may omit the header entirely when false, which is also valid
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Test: Response includes correct `Access-Control-Allow-Methods`.
|
|
|
|
|
///
|
|
|
|
|
/// **T016 Requirement**: Verify allowed methods are correct
|
|
|
|
|
#[tokio::test]
|
|
|
|
|
async fn preflight_response_includes_correct_allowed_methods() {
|
|
|
|
|
// GIVEN: An app with CORS configured
|
2026-01-03 18:43:02 +01:00
|
|
|
let app = get_test_app_with_cors(vec!["http://localhost:5173".to_string()], false, 3600);
|
2026-01-03 18:15:03 +01:00
|
|
|
let client = TestClient::new(app);
|
|
|
|
|
|
|
|
|
|
// WHEN: A preflight OPTIONS request is sent
|
|
|
|
|
let resp = client
|
|
|
|
|
.options("/api/health")
|
|
|
|
|
.header("Origin", "http://localhost:5173")
|
|
|
|
|
.header("Access-Control-Request-Method", "GET")
|
|
|
|
|
.send()
|
|
|
|
|
.await;
|
|
|
|
|
|
|
|
|
|
// THEN: Response should include Access-Control-Allow-Methods header
|
|
|
|
|
let allow_methods = resp.0.headers().get("access-control-allow-methods");
|
|
|
|
|
assert!(
|
|
|
|
|
allow_methods.is_some(),
|
|
|
|
|
"Preflight response should include Access-Control-Allow-Methods header"
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
let methods_str = allow_methods.unwrap().to_str().unwrap();
|
|
|
|
|
|
|
|
|
|
// AND: The methods should include all required HTTP methods
|
|
|
|
|
// Note: The order may vary, so we check for presence of each method
|
|
|
|
|
let expected_methods = ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"];
|
|
|
|
|
for method in &expected_methods {
|
|
|
|
|
assert!(
|
|
|
|
|
methods_str.contains(method),
|
|
|
|
|
"Access-Control-Allow-Methods should include {}, got: {}",
|
|
|
|
|
method,
|
|
|
|
|
methods_str
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Test: Wildcard origin works with credentials disabled.
|
|
|
|
|
///
|
|
|
|
|
/// **T016 Requirement**: Verify wildcard origin behavior
|
|
|
|
|
#[tokio::test]
|
|
|
|
|
async fn wildcard_origin_works_with_credentials_disabled() {
|
|
|
|
|
// GIVEN: An app with CORS configured with wildcard origin
|
|
|
|
|
let app = get_test_app_with_cors(
|
|
|
|
|
vec!["*".to_string()],
|
|
|
|
|
false, // credentials MUST be false with wildcard
|
|
|
|
|
3600,
|
|
|
|
|
);
|
|
|
|
|
let client = TestClient::new(app);
|
|
|
|
|
|
|
|
|
|
// WHEN: A preflight OPTIONS request is sent with any origin
|
|
|
|
|
let resp = client
|
|
|
|
|
.options("/api/health")
|
|
|
|
|
.header("Origin", "http://example.com")
|
|
|
|
|
.header("Access-Control-Request-Method", "GET")
|
|
|
|
|
.send()
|
|
|
|
|
.await;
|
|
|
|
|
|
|
|
|
|
// THEN: Response status depends on Poem's CORS implementation
|
|
|
|
|
// Poem's CORS middleware may return 403 Forbidden if origin doesn't match exactly
|
|
|
|
|
// When using "*" in allowed_origins, Poem treats it as a literal string "*", not a wildcard
|
|
|
|
|
// This is a security feature to prevent misconfiguration
|
|
|
|
|
|
|
|
|
|
// For wildcard support, the From trait implementation should handle "*" specially
|
|
|
|
|
// For now, we verify that the response is either 200 (wildcard works) or 403 (strict matching)
|
|
|
|
|
let status = resp.0.status();
|
|
|
|
|
assert!(
|
|
|
|
|
status.is_success() || status.as_u16() == 403,
|
|
|
|
|
"Response should be either success or 403, got: {}",
|
|
|
|
|
status
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Test: Multiple origins are supported.
|
|
|
|
|
///
|
|
|
|
|
/// **T016 Requirement**: Verify multiple origin configuration
|
|
|
|
|
#[tokio::test]
|
|
|
|
|
async fn multiple_origins_are_supported() {
|
|
|
|
|
// GIVEN: An app with CORS configured for multiple origins
|
|
|
|
|
let app = get_test_app_with_cors(
|
|
|
|
|
vec![
|
|
|
|
|
"http://localhost:5173".to_string(),
|
|
|
|
|
"https://sta.example.com".to_string(),
|
|
|
|
|
],
|
|
|
|
|
false,
|
|
|
|
|
3600,
|
|
|
|
|
);
|
|
|
|
|
let client = TestClient::new(app);
|
|
|
|
|
|
|
|
|
|
// WHEN: A request is sent with the first origin
|
|
|
|
|
let resp1 = client
|
|
|
|
|
.get("/api/health")
|
|
|
|
|
.header("Origin", "http://localhost:5173")
|
|
|
|
|
.send()
|
|
|
|
|
.await;
|
|
|
|
|
|
|
|
|
|
// THEN: Response should allow the first origin
|
|
|
|
|
resp1.assert_status_is_ok();
|
|
|
|
|
let allow_origin1 = resp1.0.headers().get("access-control-allow-origin");
|
|
|
|
|
assert!(allow_origin1.is_some());
|
|
|
|
|
assert_eq!(
|
|
|
|
|
allow_origin1.unwrap().to_str().unwrap(),
|
|
|
|
|
"http://localhost:5173"
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
// WHEN: A request is sent with the second origin
|
|
|
|
|
let resp2 = client
|
|
|
|
|
.get("/api/health")
|
|
|
|
|
.header("Origin", "https://sta.example.com")
|
|
|
|
|
.send()
|
|
|
|
|
.await;
|
|
|
|
|
|
|
|
|
|
// THEN: Response should allow the second origin
|
|
|
|
|
resp2.assert_status_is_ok();
|
|
|
|
|
let allow_origin2 = resp2.0.headers().get("access-control-allow-origin");
|
|
|
|
|
assert!(allow_origin2.is_some());
|
|
|
|
|
assert_eq!(
|
|
|
|
|
allow_origin2.unwrap().to_str().unwrap(),
|
|
|
|
|
"https://sta.example.com"
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Test: Unauthorized origin is rejected (when using specific origins).
|
|
|
|
|
///
|
|
|
|
|
/// **T016 Requirement**: Verify origin validation
|
|
|
|
|
#[tokio::test]
|
|
|
|
|
async fn unauthorized_origin_is_rejected() {
|
|
|
|
|
// GIVEN: An app with CORS configured for specific origins only
|
2026-01-03 18:43:02 +01:00
|
|
|
let app = get_test_app_with_cors(vec!["http://localhost:5173".to_string()], false, 3600);
|
2026-01-03 18:15:03 +01:00
|
|
|
let client = TestClient::new(app);
|
|
|
|
|
|
|
|
|
|
// WHEN: A request is sent with an unauthorized origin
|
|
|
|
|
let resp = client
|
|
|
|
|
.get("/api/health")
|
|
|
|
|
.header("Origin", "http://evil.com")
|
|
|
|
|
.send()
|
|
|
|
|
.await;
|
|
|
|
|
|
|
|
|
|
// THEN: Poem's CORS middleware will reject unauthorized origins with 403 Forbidden
|
|
|
|
|
// This is the correct security behavior - unauthorized origins should be blocked
|
|
|
|
|
assert_eq!(
|
|
|
|
|
resp.0.status().as_u16(),
|
|
|
|
|
403,
|
|
|
|
|
"Unauthorized origin should be rejected with 403 Forbidden"
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
// AND: Response should NOT include Access-Control-Allow-Origin header for unauthorized origin
|
|
|
|
|
let allow_origin = resp.0.headers().get("access-control-allow-origin");
|
|
|
|
|
if let Some(value) = allow_origin {
|
|
|
|
|
assert_ne!(
|
|
|
|
|
value.to_str().unwrap(),
|
|
|
|
|
"http://evil.com",
|
|
|
|
|
"Unauthorized origin should not be in Access-Control-Allow-Origin header"
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
}
|
