Added test for CORS and app config updates

Author: akclace

internal/app/app.go

@@ -4,6 +4,7 @@
 package app
 
 import (
+	"cmp"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -510,6 +511,29 @@ func (a *App) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, a.reloadError.Error(), http.StatusInternalServerError)
 		return
 	}
+
+	if a.appConfig.CORS.Setting == "strict" || a.appConfig.CORS.Setting == "lax" {
+		origin := "*"
+		if a.appConfig.CORS.Setting == "strict" {
+			origin = getRequestUrl(r)
+		}
+		if r.Method == http.MethodOptions {
+			w.Header().Set("Access-Control-Allow-Origin", cmp.Or(a.appConfig.CORS.AllowOrigin, origin))
+			w.Header().Set("Access-Control-Allow-Methods", a.appConfig.CORS.AllowMethods)
+			w.Header().Set("Access-Control-Allow-Headers", a.appConfig.CORS.AllowHeaders)
+			w.Header().Set("Access-Control-Allow-Credentials", a.appConfig.CORS.AllowCredentials)
+			w.Header().Set("Access-Control-Max-Age", a.appConfig.CORS.MaxAge)
+			w.Header().Set("Content-Type", "text/plain; charset=utf-8")
+			w.Header().Set("Content-Length", "0")
+			w.WriteHeader(http.StatusNoContent)
+			return
+		} else {
+			w.Header().Set("Access-Control-Allow-Origin", cmp.Or(a.appConfig.CORS.AllowOrigin, origin))
+			w.Header().Set("Access-Control-Allow-Methods", a.appConfig.CORS.AllowMethods)
+			w.Header().Set("Access-Control-Allow-Headers", a.appConfig.CORS.AllowHeaders)
+		}
+	}
+
 	a.appRouter.ServeHTTP(w, r)
 }
 

internal/app/setup.go

@@ -5,7 +5,6 @@ package app
 
 import (
 	"bytes"
-	"cmp"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -607,28 +606,6 @@ func (a *App) addProxyConfig(count int, router *chi.Mux, proxyDef *starlarkstruc
 	permsHandler := func(p *httputil.ReverseProxy) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 
-			if a.appConfig.CORS.Setting == "strict" || a.appConfig.CORS.Setting == "lax" {
-				origin := "*"
-				if a.appConfig.CORS.Setting == "strict" {
-					origin = getRequestUrl(r)
-				}
-				if r.Method == http.MethodOptions {
-					w.Header().Set("Access-Control-Allow-Origin", cmp.Or(a.appConfig.CORS.AllowOrigin, origin))
-					w.Header().Set("Access-Control-Allow-Methods", a.appConfig.CORS.AllowMethods)
-					w.Header().Set("Access-Control-Allow-Headers", a.appConfig.CORS.AllowHeaders)
-					w.Header().Set("Access-Control-Allow-Credentials", a.appConfig.CORS.AllowCredentials)
-					w.Header().Set("Access-Control-Max-Age", a.appConfig.CORS.MaxAge)
-					w.Header().Set("Content-Type", "text/plain; charset=utf-8")
-					w.Header().Set("Content-Length", "0")
-					w.WriteHeader(http.StatusNoContent)
-					return
-				} else {
-					w.Header().Set("Access-Control-Allow-Origin", cmp.Or(a.appConfig.CORS.AllowOrigin, origin))
-					w.Header().Set("Access-Control-Allow-Methods", a.appConfig.CORS.AllowMethods)
-					w.Header().Set("Access-Control-Allow-Headers", a.appConfig.CORS.AllowHeaders)
-				}
-			}
-
 			// If write API, check if preview/stage app is allowed access
 			isWriteReques := r.Method == http.MethodPost || r.Method == http.MethodPut || r.Method == http.MethodDelete
 			if isWriteReques {

tests/commander/test_versions.yaml

@@ -160,5 +160,36 @@ tests:
     exit-code: 1
     stderr: "error: version commands not supported for dev app"
 
+  # Test CORS
+  versions0300: # default is strict origin
+    command: curl -Iu "admin:qwerty" localhost:25222/versions_local1 | grep -i access-control-allow-origin | cut -f2- -d':'
+    stdout: "http://localhost:25222"
+  versions0301: # change to lax setting
+    command: ../clace app update-metadata conf --promote cors.setting=lax /versions_local1
+  versions0302:
+    command: curl -Iu "admin:qwerty" localhost:25222/versions_local1 | grep -i access-control-allow-origin | cut -f2- -d':'
+    stdout: "*"
+  versions0303: # custom origin
+    command: ../clace app update-metadata conf --promote cors.allow_origin=abc /versions_local1
+  versions0304:
+    command: curl -Iu "admin:qwerty" localhost:25222/versions_local1 | grep -i access-control-allow-origin | cut -f2- -d':'
+    stdout: "abc"
+  versions0305: # custom headers
+    command: ../clace app update-metadata conf --promote cors.allow_headers="aa,bb" /versions_local1
+  versions0306:
+    command: curl -Iu "admin:qwerty" localhost:25222/versions_local1 | grep -i access-control-allow-headers | cut -f2- -d':'
+    stdout: "aa,bb"
+  versions0307: # delete custom headers
+    command: ../clace app update-metadata conf --promote cors.allow_headers=- /versions_local1
+  versions0308:
+    command: curl -Iu "admin:qwerty" localhost:25222/versions_local1 | grep -i access-control-allow-headers | cut -f2- -d':'
+    stdout: "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,X-Requested-With"
+  versions0309: # disable CORS
+    command: ../clace app update-metadata conf --promote cors.setting=disable /versions_local1
+  versions0310:
+    command: curl -Iu "admin:qwerty" localhost:25222/versions_local1 | grep -i access-control-allow-origin | cut -f2- -d':'
+    stdout:
+      line-count: 0
+
   versions99999: # Cleanup
     command: (rm -rf ./versionstest; ../clace app delete "*:versions**"; ../clace app delete "versions*:**") || true