3 class CrossOriginTest < ActionDispatch::IntegrationTest
# Rails' integration session offers no `options` helper alongside `get`,
# `post`, etc., so OPTIONS requests here are issued by calling the
# session's `process` method directly (via __send__, as it is not public).
6 reset! unless integration_session
7 integration_session.__send__(:process, :options, *args).tap do
8 copy_session_variables!
12 %w(/login /logout /auth/example/callback /auth/joshid).each do |path|
13 test "OPTIONS requests are refused at #{path}" do
15 assert_no_cors_headers
18 test "CORS headers do not exist at GET #{path}" do
20 assert_no_cors_headers
24 %w(/discovery/v1/apis/arvados/v1/rest).each do |path|
25 test "CORS headers are set at GET #{path}" do
27 assert_response :success
32 ['/arvados/v1/collections',
34 '/arvados/v1/api_client_authorizations'].each do |path|
35 test "CORS headers are set and body is stub at OPTIONS #{path}" do
37 assert_response :success
39 assert_equal '-', response.body
42 test "CORS headers are set at authenticated GET #{path}" do
43 get path, {}, auth(:active_trustedclient)
44 assert_response :success
# CORS headers are OK only if cookies are *not* used to determine
# whether a transaction is allowed. With Access-Control-Allow-Origin set
# to "*" (a wildcard browsers refuse to pair with credentials), the API
# is promising that a request's authority comes solely from the
# Authorization header; if a cookie session could grant access, a
# cross-site page could still make cookie-bearing requests on the user's
# behalf. The following is a (far from perfect) test that the usual
# Rails cookie->session mechanism does not grant access to any resources.
52 ['GET', 'POST'].each do |method|
53 test "Session does not work at #{method} #{path}" do
54 send method.downcase, path, {format: 'json'}, {user_id: 1}
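# Assert that the current response carries the permissive CORS headers
# the API exposes on endpoints that authenticate only via the
# Authorization header: any origin may read it, every method in the
# expected set is allowed, and the Authorization header may be sent.
#
# A wildcard origin is acceptable only because access is never granted
# by cookie/session (see the session tests above). Browsers reject "*"
# combined with Access-Control-Allow-Credentials: true, so that header
# must never accompany the wildcard; this helper checks that too.
def assert_cors_headers
  assert_equal '*', response.headers['Access-Control-Allow-Origin']
  # A missing header should fail as an assertion, not as a
  # NoMethodError on nil.split.
  methods_header = response.headers['Access-Control-Allow-Methods']
  assert_not_nil methods_header, 'Access-Control-Allow-Methods header is missing'
  # Tolerate "GET,POST" as well as "GET, POST".
  allowed = methods_header.split(/\s*,\s*/)
  %w(GET HEAD POST PUT DELETE).each do |m|
    assert_includes allowed, m, "A-C-A-Methods should include #{m}"
  end
  assert_equal 'Authorization', response.headers['Access-Control-Allow-Headers']
  # Credentialed CORS alongside a wildcard origin is invalid and would
  # contradict the "no cookie-based auth" assumption this suite relies on.
  assert_not_equal 'true', response.headers['Access-Control-Allow-Credentials'].to_s.downcase,
                   'Access-Control-Allow-Credentials must not be enabled with a wildcard origin'
end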
71 def assert_no_cors_headers
72 response.headers.keys.each do |h|
73 assert_no_match /^Access-Control-/i, h