
Commit 1c629c2

authored
Merge pull request jooby-project#1415 from jerouris/bugfix/1413
Bugfix/1413
2 parents 98bc676 + 0abc847 commit 1c629c2


2 files changed

+93
-4
lines changed


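--- a/jooby/src/main/java/io/jooby/CorsHandler.java
+++ b/jooby/src/main/java/io/jooby/CorsHandler.java
@@ -117,6 +117,8 @@ private static boolean isSimple(Context ctx) {
 return ctx.getMethod().equals(Router.GET)
 || ctx.getMethod().equals(Router.POST)
 || ctx.getMethod().equals(Router.HEAD);
+// Suggested:
+// return !ctx.getMethod().equals(Router.OPTIONS);
 }
 
 private static void simple(final Context ctx, final Cors options, final String origin) {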
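Review bot: The two lines added to isSimple are commented-out code (`// Suggested:` / `// return !ctx.getMethod().equals(Router.OPTIONS);`), which leaves the method's behaviour untouched while hinting at a different one, and commented-out code should not be merged. Either drop both lines or state the intent explicitly, e.g. `// TODO(#1413): decide whether every non-OPTIONS request should count as simple; the current GET/POST/HEAD list matches the CORS-safelisted methods of the Fetch spec.` The suggested predicate would also classify PUT, DELETE and PATCH as simple, a broader notion than the spec's, so this deserves a deliberate decision rather than a hint. Since this hunk only adds comments, the behaviour change the updated test asserts for PUT requests must already come from code outside this diff, which is worth confirming rather than inferring from the test.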

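--- a/tests/src/test/java/io/jooby/Issue1413.java
+++ b/tests/src/test/java/io/jooby/Issue1413.java
@@ -3,17 +3,25 @@
 import org.junit.jupiter.api.Test;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNull;
 
 public class Issue1413 {
 
 @Test
-public void shouldDoPreflight() {
+public void shouldDoPreflightWithCredentials() {
 new JoobyRunner(app -> {
-app.decorator(new CorsHandler(new Cors().setMethods("*")));
+app.decorator(new CorsHandler(new Cors()
+.setMethods("*")
+.setOrigin("http://foo.com")
+.setUseCredentials(true)
+));
 
 app.put("/api/v1/machines/{key}", ctx -> ctx.path("key").value());
+app.post("/api/v1/machines/{key}", ctx -> ctx.path("key").value());
+app.get("/api/v1/machines/{key}", ctx -> ctx.path("key").value());
 
 }).ready(client -> {
+// OPTIONS (Pre-flight), checking PUT Method => OK and Access Control Headers Present
 client
 .header("Origin", "http://foo.com")
 .header("Access-Control-Request-Method", "PUT")
@@ -24,13 +32,92 @@ public void shouldDoPreflight() {
 assertEquals("true", rsp.header("Access-Control-Allow-Credentials"));
 });
 
+// POST Method by allowed origin => OK and Access Control Headers Present
+client
+.header("Origin", "http://foo.com")
+.post("/api/v1/machines/123", rsp -> {
+assertEquals("123", rsp.body().string());
+assertEquals(200, rsp.code());
+assertEquals("http://foo.com", rsp.header("Access-Control-Allow-Origin"));
+assertEquals("true", rsp.header("Access-Control-Allow-Credentials"));
+});
+
+// Origin different from the allowed one => Forbidden
+client
+.header("Origin", "http://bar.com")
+.get("/api/v1/machines/123", rsp -> {
+assertEquals(403, rsp.code());
+assertNull(rsp.body().string());
+assertNull(rsp.header("Access-Control-Allow-Origin"));
+assertNull(rsp.header("Access-Control-Allow-Credentials"));
+});
+
+// PUT Method and allowed origin => OK and Access Control Headers Present
 client
 .header("Origin", "http://foo.com")
 .put("/api/v1/machines/123", rsp -> {
 assertEquals("123", rsp.body().string());
 assertEquals(200, rsp.code());
-assertEquals(null, rsp.header("Access-Control-Allow-Origin"));
-assertEquals(null, rsp.header("Access-Control-Allow-Credentials"));
+assertEquals("http://foo.com", rsp.header("Access-Control-Allow-Origin"));
+assertEquals("true", rsp.header("Access-Control-Allow-Credentials"));
+});
+
+});
+}
+
+@Test
+public void shouldDoPreflightWithoutCredentials() {
+new JoobyRunner(app -> {
+app.decorator(new CorsHandler(new Cors()
+.setMethods("*")
+.setOrigin("http://foo.com")
+.setUseCredentials(false)
+));
+
+app.put("/api/v1/machines/{key}", ctx -> ctx.path("key").value());
+app.post("/api/v1/machines/{key}", ctx -> ctx.path("key").value());
+app.get("/api/v1/machines/{key}", ctx -> ctx.path("key").value());
+
+}).ready(client -> {
+// OPTIONS (Pre-flight), checking PUT Method => OK and Access Control Headers Present
+client
+.header("Origin", "http://foo.com")
+.header("Access-Control-Request-Method", "PUT")
+.options("/api/v1/machines/123", rsp -> {
+assertEquals("", rsp.body().string());
+assertEquals(200, rsp.code());
+assertEquals("http://foo.com", rsp.header("Access-Control-Allow-Origin"));
+assertNull(rsp.header("Access-Control-Allow-Credentials"));
+});
+
+// POST Method by allowed origin => OK and Access Control Headers Present
+client
+.header("Origin", "http://foo.com")
+.post("/api/v1/machines/123", rsp -> {
+assertEquals("123", rsp.body().string());
+assertEquals(200, rsp.code());
+assertEquals("http://foo.com", rsp.header("Access-Control-Allow-Origin"));
+assertNull(rsp.header("Access-Control-Allow-Credentials"));
+});
+
+// Origin different from the allowed one => Forbidden
+client
+.header("Origin", "http://bar.com")
+.get("/api/v1/machines/123", rsp -> {
+assertEquals(403, rsp.code());
+assertNull(rsp.body().string());
+assertNull(rsp.header("Access-Control-Allow-Origin"));
+assertNull(rsp.header("Access-Control-Allow-Credentials"));
+});
+
+// PUT Method and allowed origin => OK and Access Control Headers Present
+client
+.header("Origin", "http://foo.com")
+.put("/api/v1/machines/123", rsp -> {
+assertEquals("123", rsp.body().string());
+assertEquals(200, rsp.code());
+assertEquals("http://foo.com", rsp.header("Access-Control-Allow-Origin"));
+assertNull(rsp.header("Access-Control-Allow-Credentials"));
 });
 });
 }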
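Review bot: The forbidden-origin checks assert `assertNull(rsp.body().string())` on the 403 response, while the preflight check in the same file asserts `assertEquals("", rsp.body().string())` for an empty body; unless the client returns different kinds of value for the two empty bodies, these cannot both hold, so the 403 assertion should probably also be `assertEquals("", rsp.body().string())`. Both tests pin Access-Control-Allow-Origin and Access-Control-Allow-Credentials but not `Vary`; because the allow-origin value is specific to the requesting origin, a response that a shared cache may store should carry `Vary: Origin`, so consider asserting that header too if CorsHandler emits it, or filing a follow-up if it does not. Finally, shouldDoPreflightWithCredentials and shouldDoPreflightWithoutCredentials differ only in the `setUseCredentials` value and the expected Access-Control-Allow-Credentials header; a `@ParameterizedTest` over the boolean, or a private helper taking the flag and the expected header value, would remove the duplicated setup and request sequence.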
