package middleware import ( "net/http" "net/http/httptest" "testing" "github.com/gin-gonic/gin" "github.com/stretchr/testify/require" ) func TestSecurityHeadersAddsNoStoreForSensitiveAuthPaths(t *testing.T) { t.Parallel() gin.SetMode(gin.TestMode) router := gin.New() router.Use(SecurityHeaders()) router.POST("/api/auth/login", func(c *gin.Context) { c.Status(http.StatusOK) }) req := httptest.NewRequest(http.MethodPost, "/api/auth/login", nil) req.Header.Set("X-Forwarded-Proto", "https") resp := httptest.NewRecorder() router.ServeHTTP(resp, req) require.Equal(t, http.StatusOK, resp.Code) require.Equal(t, "nosniff", resp.Header().Get("X-Content-Type-Options")) require.Equal(t, "DENY", resp.Header().Get("X-Frame-Options")) require.Equal(t, "no-store", resp.Header().Get("Cache-Control")) require.Equal(t, "no-cache", resp.Header().Get("Pragma")) require.Equal(t, "max-age=31536000; includeSubDomains", resp.Header().Get("Strict-Transport-Security")) } func TestCORSWithConfigRejectsUnknownPreflightOrigin(t *testing.T) { t.Parallel() gin.SetMode(gin.TestMode) router := gin.New() router.Use(CORSWithConfig(CORSConfig{AllowedOrigins: []string{"https://admin.example.com"}})) router.POST("/api/auth/login", func(c *gin.Context) { c.Status(http.StatusOK) }) req := httptest.NewRequest(http.MethodOptions, "/api/auth/login", nil) req.Header.Set("Origin", "https://evil.example.com") resp := httptest.NewRecorder() router.ServeHTTP(resp, req) require.Equal(t, http.StatusForbidden, resp.Code) require.Empty(t, resp.Header().Get("Access-Control-Allow-Origin")) } func TestCORSWithConfigAllowsConfiguredOrigin(t *testing.T) { t.Parallel() gin.SetMode(gin.TestMode) router := gin.New() router.Use(CORSWithConfig(CORSConfig{AllowedOrigins: []string{"https://admin.example.com"}})) router.POST("/api/auth/login", func(c *gin.Context) { c.Status(http.StatusOK) }) req := httptest.NewRequest(http.MethodOptions, "/api/auth/login", nil) req.Header.Set("Origin", "https://admin.example.com") resp := httptest.NewRecorder() router.ServeHTTP(resp, req) require.Equal(t, http.StatusNoContent, resp.Code) require.Equal(t, "https://admin.example.com", resp.Header().Get("Access-Control-Allow-Origin")) require.Equal(t, "Origin", resp.Header().Get("Vary")) }