Files
geo/server/internal/shared/middleware/security_headers_test.go
T

76 lines
2.3 KiB
Go

package middleware
import (
"net/http"
"net/http/httptest"
"testing"
"github.com/gin-gonic/gin"
"github.com/stretchr/testify/require"
)
func TestSecurityHeadersAddsNoStoreForSensitiveAuthPaths(t *testing.T) {
t.Parallel()
gin.SetMode(gin.TestMode)
router := gin.New()
router.Use(SecurityHeaders())
router.POST("/api/auth/login", func(c *gin.Context) {
c.Status(http.StatusOK)
})
req := httptest.NewRequest(http.MethodPost, "/api/auth/login", nil)
req.Header.Set("X-Forwarded-Proto", "https")
resp := httptest.NewRecorder()
router.ServeHTTP(resp, req)
require.Equal(t, http.StatusOK, resp.Code)
require.Equal(t, "nosniff", resp.Header().Get("X-Content-Type-Options"))
require.Equal(t, "DENY", resp.Header().Get("X-Frame-Options"))
require.Equal(t, "no-store", resp.Header().Get("Cache-Control"))
require.Equal(t, "no-cache", resp.Header().Get("Pragma"))
require.Equal(t, "max-age=31536000; includeSubDomains", resp.Header().Get("Strict-Transport-Security"))
}
func TestCORSWithConfigRejectsUnknownPreflightOrigin(t *testing.T) {
t.Parallel()
gin.SetMode(gin.TestMode)
router := gin.New()
router.Use(CORSWithConfig(CORSConfig{AllowedOrigins: []string{"https://admin.example.com"}}))
router.POST("/api/auth/login", func(c *gin.Context) {
c.Status(http.StatusOK)
})
req := httptest.NewRequest(http.MethodOptions, "/api/auth/login", nil)
req.Header.Set("Origin", "https://evil.example.com")
resp := httptest.NewRecorder()
router.ServeHTTP(resp, req)
require.Equal(t, http.StatusForbidden, resp.Code)
require.Empty(t, resp.Header().Get("Access-Control-Allow-Origin"))
}
func TestCORSWithConfigAllowsConfiguredOrigin(t *testing.T) {
t.Parallel()
gin.SetMode(gin.TestMode)
router := gin.New()
router.Use(CORSWithConfig(CORSConfig{AllowedOrigins: []string{"https://admin.example.com"}}))
router.POST("/api/auth/login", func(c *gin.Context) {
c.Status(http.StatusOK)
})
req := httptest.NewRequest(http.MethodOptions, "/api/auth/login", nil)
req.Header.Set("Origin", "https://admin.example.com")
resp := httptest.NewRecorder()
router.ServeHTTP(resp, req)
require.Equal(t, http.StatusNoContent, resp.Code)
require.Equal(t, "https://admin.example.com", resp.Header().Get("Access-Control-Allow-Origin"))
require.Equal(t, "Origin", resp.Header().Get("Vary"))
}