nexstream-api / backend /tests /api /cors.test.ts
nexstream-deploy
deploy: nexstream backend (experiment)
2276d59
Raw
History Blame Contribute Delete
1.21 kB
import { describe, it, expect, afterEach, vi } from 'vitest';
import request from 'supertest';
import app from '../../src/app.js';
describe('cors hardening', () => {
afterEach(() => vi.unstubAllEnvs());
it('does not send credentials with a reflected origin (open mode)', async () => {
vi.stubEnv('ALLOWED_ORIGINS', '');
const res = await request(app)
.get('/ping')
.set('Origin', 'https://evil.example');
expect(res.headers['access-control-allow-origin']).toBe(
'https://evil.example'
);
expect(res.headers['access-control-allow-credentials']).toBeUndefined();
});
it('only echoes allowlisted origins when ALLOWED_ORIGINS is set', async () => {
vi.stubEnv('ALLOWED_ORIGINS', 'https://good.example');
const ok = await request(app)
.get('/ping')
.set('Origin', 'https://good.example');
expect(ok.headers['access-control-allow-origin']).toBe(
'https://good.example'
);
expect(ok.headers['access-control-allow-credentials']).toBe('true');
const bad = await request(app)
.get('/ping')
.set('Origin', 'https://evil.example');
expect(bad.headers['access-control-allow-origin']).toBeUndefined();
});
});