76 lines
2.3 KiB
Go
76 lines
2.3 KiB
Go
package middleware
|
|
|
|
import (
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"testing"
|
|
|
|
"github.com/gin-gonic/gin"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func TestSecurityHeadersAddsNoStoreForSensitiveAuthPaths(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
gin.SetMode(gin.TestMode)
|
|
router := gin.New()
|
|
router.Use(SecurityHeaders())
|
|
router.POST("/api/auth/login", func(c *gin.Context) {
|
|
c.Status(http.StatusOK)
|
|
})
|
|
|
|
req := httptest.NewRequest(http.MethodPost, "/api/auth/login", nil)
|
|
req.Header.Set("X-Forwarded-Proto", "https")
|
|
resp := httptest.NewRecorder()
|
|
|
|
router.ServeHTTP(resp, req)
|
|
|
|
require.Equal(t, http.StatusOK, resp.Code)
|
|
require.Equal(t, "nosniff", resp.Header().Get("X-Content-Type-Options"))
|
|
require.Equal(t, "DENY", resp.Header().Get("X-Frame-Options"))
|
|
require.Equal(t, "no-store", resp.Header().Get("Cache-Control"))
|
|
require.Equal(t, "no-cache", resp.Header().Get("Pragma"))
|
|
require.Equal(t, "max-age=31536000; includeSubDomains", resp.Header().Get("Strict-Transport-Security"))
|
|
}
|
|
|
|
func TestCORSWithConfigRejectsUnknownPreflightOrigin(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
gin.SetMode(gin.TestMode)
|
|
router := gin.New()
|
|
router.Use(CORSWithConfig(CORSConfig{AllowedOrigins: []string{"https://admin.example.com"}}))
|
|
router.POST("/api/auth/login", func(c *gin.Context) {
|
|
c.Status(http.StatusOK)
|
|
})
|
|
|
|
req := httptest.NewRequest(http.MethodOptions, "/api/auth/login", nil)
|
|
req.Header.Set("Origin", "https://evil.example.com")
|
|
resp := httptest.NewRecorder()
|
|
|
|
router.ServeHTTP(resp, req)
|
|
|
|
require.Equal(t, http.StatusForbidden, resp.Code)
|
|
require.Empty(t, resp.Header().Get("Access-Control-Allow-Origin"))
|
|
}
|
|
|
|
func TestCORSWithConfigAllowsConfiguredOrigin(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
gin.SetMode(gin.TestMode)
|
|
router := gin.New()
|
|
router.Use(CORSWithConfig(CORSConfig{AllowedOrigins: []string{"https://admin.example.com"}}))
|
|
router.POST("/api/auth/login", func(c *gin.Context) {
|
|
c.Status(http.StatusOK)
|
|
})
|
|
|
|
req := httptest.NewRequest(http.MethodOptions, "/api/auth/login", nil)
|
|
req.Header.Set("Origin", "https://admin.example.com")
|
|
resp := httptest.NewRecorder()
|
|
|
|
router.ServeHTTP(resp, req)
|
|
|
|
require.Equal(t, http.StatusNoContent, resp.Code)
|
|
require.Equal(t, "https://admin.example.com", resp.Header().Get("Access-Control-Allow-Origin"))
|
|
require.Equal(t, "Origin", resp.Header().Get("Vary"))
|
|
}
|