test(gw): improve CORS tests #8718
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
mar1n3r0
reviewed
Feb 11, 2022
| ' | ||
| # OPTIONS Response from the API should NOT contain CORS headers | ||
| test_expect_success "OPTIONS response for API looks good" ' | ||
| test_expect_success "OPTIONS response from {gw}/api/v0 has no CORS header" ' | ||
| cat curl_output && | ||
| grep -q "Access-Control-Allow-" curl_output && false || true | ||
| ' |
There was a problem hiding this comment.
Tests for the examples you have provided here : #7667
# HTTP OPTIONS Request
test_expect_success "OPTIONS to {gw}/api/v0 succeeds" '
curl -svX OPTIONS -H "Origin: https://example.com" "http://127.0.0.1:$GWAY_PORT/api/v0/cat?arg=$thash" 2>curl_output
'
# OPTIONS Response from the API should NOT contain CORS headers
test_expect_success "OPTIONS response from {gw}/api/v0 has no CORS header" '
cat curl_output &&
grep -q "Access-Control-Allow-" curl_output && false || true
'
test_kill_ipfs_daemon
# Test CORS safelisting of standard headers
test_expect_success "Can configure standard CORS headers" '
ipfs config --json Gateway.HTTPHeaders.Access-Control-Allow-Headers "[\"Content-Disposition\"]" &&
ipfs config --json API.HTTPHeaders.Access-Control-Allow-Origin "[\"https://example.com\"]" &&
ipfs config --json API.HTTPHeaders.Access-Control-Allow-Methods "[\"PUT\", \"POST\"]"
'
test_launch_ipfs_daemon
# HTTP OPTIONS POST Request
test_expect_success "OPTIONS to {gw}/api/v0 CORS headers" '
curl -svX OPTIONS -H "Access-Control-Request-Method: POST" -H "Access-Control-Request-Headers: Content-Disposition" -H "Origin: https://example.com" "http://127.0.0.1:$GWAY_PORT/api/v0/cat?arg=$thash" 2>curl_output
'
# OPTIONS POST Response from the API should contain custom CORS headers
test_expect_success "OPTIONS response from {gw}/api/v0 has custom CORS header" '
test_expect_code 1 grep "< Access-Control-Allow-Headers: Content-Disposition" curl_output
'
# OPTIONS POST Response from the API should contain default CORS headers
test_expect_success "OPTIONS response from {gw}/api/v0 has default CORS headers " '
grep "< Access-Control-Allow-Methods: POST" curl_output &&
grep "< Access-Control-Allow-Origin: https://example.com" curl_output
'
mar1n3r0
reviewed
Feb 11, 2022
test/sharness/t0112-gateway-cors.sh
Outdated
| grep "< Access-Control-Allow-Origin: localhost" curl_output | ||
| ' | ||
|
|
||
| # Read-Only API (at the Gateway Port) | ||
| # Read-Only /api/v0 RPC API (exposed on the Gateway Port) |
There was a problem hiding this comment.
test_expect_success "OPTIONS to RPC API (exposed on the Gateway Port) with a custom header succeeds" '
curl -svX OPTIONS -H "Origin: https://example.com" -H "Access-Control-Request-Headers: Content-Disposition" "http://127.0.0.1:$GWAY_PORT/api/v0/cat?args=$thash" 2>curl_output &&
cat curl_output
'
test_expect_success "Access-Control-Allow-Headers extends the previous implicit list" '
test_expect_code 1 grep "< Access-Control-Allow-Headers: Content-Disposition" curl_output
'
lidel
force-pushed
the
fix/api-headers-cors-preflight
branch
2 times, most recently
from
c413030
to
81e2477
Compare
|
I've rebased this to get more confidence around CORS behavior ( Thank you for submitting tests in comments, they will be useful when someone has time for #7667 |
lidel
force-pushed
the
fix/api-headers-cors-preflight
branch
from
81e2477
to
a08fffc
Compare
lidel
force-pushed
the
fix/api-headers-cors-preflight
branch
from
a08fffc
to
f2fd841
Compare
This cleans up old CORS tests and adds more resolution (proper Origin test, testing custom header behavior) It also adds basic regression tests for /api/v0 subset exposed on Gateway port.
lidel
force-pushed
the
fix/api-headers-cors-preflight
branch
from
f2fd841
to
7b01368
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR cleans up old CORS tests and adds more resolution:
CORS on API port: fix CORS preflight requests to RPC API with custom headers #7667