Files
CyberStrikeAI/internal/app/cors_security_test.go
T
2026-07-10 18:50:57 +08:00

35 lines
1.1 KiB
Go

package app
import (
"net/http"
"net/http/httptest"
"testing"
"github.com/gin-gonic/gin"
)
func TestCORSMiddlewareAllowsSameOriginAndRejectsForeignOrigin(t *testing.T) {
gin.SetMode(gin.TestMode)
router := gin.New()
router.Use(corsMiddleware())
router.GET("/test", func(c *gin.Context) { c.Status(http.StatusNoContent) })
same := httptest.NewRequest(http.MethodGet, "http://app.example/test", nil)
same.Host = "app.example"
same.Header.Set("Origin", "http://app.example")
sameW := httptest.NewRecorder()
router.ServeHTTP(sameW, same)
if sameW.Code != http.StatusNoContent || sameW.Header().Get("Access-Control-Allow-Origin") != "http://app.example" {
t.Fatalf("same-origin response = %d, allow-origin=%q", sameW.Code, sameW.Header().Get("Access-Control-Allow-Origin"))
}
foreign := httptest.NewRequest(http.MethodGet, "http://app.example/test", nil)
foreign.Host = "app.example"
foreign.Header.Set("Origin", "https://evil.example")
foreignW := httptest.NewRecorder()
router.ServeHTTP(foreignW, foreign)
if foreignW.Code != http.StatusForbidden {
t.Fatalf("foreign-origin response = %d, want %d", foreignW.Code, http.StatusForbidden)
}
}