shlink/module/Rest/test/Middleware/CrossDomainMiddlewareTest.php

<?php

declare(strict_types=1);

namespace ShlinkioTest\Shlink\Rest\Middleware;

use Laminas\Diactoros\Response;
use Laminas\Diactoros\ServerRequest;
use PHPUnit\Framework\TestCase;
use Prophecy\Argument;
use Prophecy\PhpUnit\ProphecyTrait;
use Prophecy\Prophecy\ObjectProphecy;
use Psr\Http\Server\RequestHandlerInterface;
use Shlinkio\Shlink\Rest\Middleware\CrossDomainMiddleware;

class CrossDomainMiddlewareTest extends TestCase
{
    use ProphecyTrait;

    private CrossDomainMiddleware $middleware;
    private ObjectProphecy $handler;

    public function setUp(): void
    {
        $this->middleware = new CrossDomainMiddleware(['max_age' => 1000]);
        $this->handler = $this->prophesize(RequestHandlerInterface::class);
    }

    /** @test */
    public function nonCrossDomainRequestsAreNotAffected(): void
    {
        $originalResponse = (new Response())->withStatus(404);
        $this->handler->handle(Argument::any())->willReturn($originalResponse)->shouldBeCalledOnce();

        $response = $this->middleware->process(new ServerRequest(), $this->handler->reveal());
        $headers = $response->getHeaders();

        self::assertSame($originalResponse, $response);
        self::assertEquals(404, $response->getStatusCode());
        self::assertArrayNotHasKey('Access-Control-Allow-Origin', $headers);
        self::assertArrayNotHasKey('Access-Control-Allow-Methods', $headers);
        self::assertArrayNotHasKey('Access-Control-Max-Age', $headers);
        self::assertArrayNotHasKey('Access-Control-Allow-Headers', $headers);
    }

    /** @test */
    public function anyRequestIncludesTheAllowAccessHeader(): void
    {
        $originalResponse = new Response();
        $this->handler->handle(Argument::any())->willReturn($originalResponse)->shouldBeCalledOnce();

        $response = $this->middleware->process(
            (new ServerRequest())->withHeader('Origin', 'local'),
            $this->handler->reveal(),
        );
        self::assertNotSame($originalResponse, $response);

        $headers = $response->getHeaders();

        self::assertEquals('*', $response->getHeaderLine('Access-Control-Allow-Origin'));
        self::assertArrayNotHasKey('Access-Control-Allow-Methods', $headers);
        self::assertArrayNotHasKey('Access-Control-Max-Age', $headers);
        self::assertArrayNotHasKey('Access-Control-Allow-Headers', $headers);
    }

    /** @test */
    public function optionsRequestIncludesMoreHeaders(): void
    {
        $originalResponse = new Response();
        $request = (new ServerRequest())
            ->withMethod('OPTIONS')
            ->withHeader('Origin', 'local')
            ->withHeader('Access-Control-Request-Headers', 'foo, bar, baz');
        $this->handler->handle(Argument::any())->willReturn($originalResponse)->shouldBeCalledOnce();

        $response = $this->middleware->process($request, $this->handler->reveal());
        self::assertNotSame($originalResponse, $response);

        $headers = $response->getHeaders();

        self::assertEquals('*', $response->getHeaderLine('Access-Control-Allow-Origin'));
        self::assertArrayHasKey('Access-Control-Allow-Methods', $headers);
        self::assertEquals('1000', $response->getHeaderLine('Access-Control-Max-Age'));
        self::assertEquals('foo, bar, baz', $response->getHeaderLine('Access-Control-Allow-Headers'));
        self::assertEquals(204, $response->getStatusCode());
    }

    /**
     * @test
     * @dataProvider provideRouteResults
     */
    public function optionsRequestParsesRouteMatchToDetermineAllowedMethods(
        ?string $allowHeader,
        string $expectedAllowedMethods
    ): void {
        $originalResponse = new Response();
        if ($allowHeader !== null) {
            $originalResponse = $originalResponse->withHeader('Allow', $allowHeader);
        }
        $request = (new ServerRequest())->withHeader('Origin', 'local')
                                        ->withMethod('OPTIONS');
        $this->handler->handle(Argument::any())->willReturn($originalResponse)->shouldBeCalledOnce();

        $response = $this->middleware->process($request, $this->handler->reveal());

        self::assertEquals($response->getHeaderLine('Access-Control-Allow-Methods'), $expectedAllowedMethods);
        self::assertEquals(204, $response->getStatusCode());
    }

    public function provideRouteResults(): iterable
    {
        yield 'no allow header in response' => [null, 'GET,POST,PUT,PATCH,DELETE'];
        yield 'allow header in response' => ['POST,GET', 'POST,GET'];
        yield 'also allow header in response' => ['DELETE,PATCH,PUT', 'DELETE,PATCH,PUT'];
    }

    /**
     * @test
     * @dataProvider provideMethods
     */
    public function expectedStatusCodeIsReturnDependingOnRequestMethod(
        string $method,
        int $status,
        int $expectedStatus
    ): void {
        $originalResponse = (new Response())->withStatus($status);
        $request = (new ServerRequest())->withMethod($method)
                                        ->withHeader('Origin', 'local');
        $this->handler->handle(Argument::any())->willReturn($originalResponse)->shouldBeCalledOnce();

        $response = $this->middleware->process($request, $this->handler->reveal());

        self::assertEquals($expectedStatus, $response->getStatusCode());
    }

    public function provideMethods(): iterable
    {
        yield 'POST 200' => ['POST', 200, 200];
        yield 'POST 400' => ['POST', 400, 400];
        yield 'POST 500' => ['POST', 500, 500];
        yield 'GET 200' => ['GET', 200, 200];
        yield 'GET 400' => ['GET', 400, 400];
        yield 'GET 500' => ['GET', 500, 500];
        yield 'PATCH 200' => ['PATCH', 200, 200];
        yield 'PATCH 400' => ['PATCH', 400, 400];
        yield 'PATCH 500' => ['PATCH', 500, 500];
        yield 'DELETE 200' => ['DELETE', 200, 200];
        yield 'DELETE 400' => ['DELETE', 400, 400];
        yield 'DELETE 500' => ['DELETE', 500, 500];
        yield 'OPTIONS 200' => ['OPTIONS', 200, 204];
        yield 'OPTIONS 400' => ['OPTIONS', 400, 204];
        yield 'OPTIONS 500' => ['OPTIONS', 500, 204];
    }
}
Added first tests to Rest module 2016-07-19 11:19:05 -05:00			`<?php`
Updated to coding styles v2 2019-10-05 10:26:10 -05:00
Improved coding styles 2017-10-12 03:13:20 -05:00			`declare(strict_types=1);`

Added first tests to Rest module 2016-07-19 11:19:05 -05:00			`namespace ShlinkioTest\Shlink\Rest\Middleware;`

Project migrated from zend to laminas 2020-01-01 14:11:53 -06:00			`use Laminas\Diactoros\Response;`
			`use Laminas\Diactoros\ServerRequest;`
Updated to phpunit 6 2017-03-24 14:34:18 -05:00			`use PHPUnit\Framework\TestCase;`
Migrated CrossDomainMiddleware to psr-15 middleware 2017-03-25 03:44:34 -05:00			`use Prophecy\Argument;`
Updated dependencies 2020-11-02 04:50:19 -06:00			`use Prophecy\PhpUnit\ProphecyTrait;`
Migrated CrossDomainMiddleware to psr-15 middleware 2017-03-25 03:44:34 -05:00			`use Prophecy\Prophecy\ObjectProphecy;`
Fixed tests 2018-03-26 12:02:41 -05:00			`use Psr\Http\Server\RequestHandlerInterface;`
Added first tests to Rest module 2016-07-19 11:19:05 -05:00			`use Shlinkio\Shlink\Rest\Middleware\CrossDomainMiddleware;`
Ensured accepted methods on CORS requests are dynamically fetched from route match when possible 2019-05-05 02:45:35 -05:00
Added first tests to Rest module 2016-07-19 11:19:05 -05:00			`class CrossDomainMiddlewareTest extends TestCase`
			`{`
Updated dependencies 2020-11-02 04:50:19 -06:00			`use ProphecyTrait;`

Added property types to all non-deprecated classes 2019-12-29 15:48:40 -06:00			`private CrossDomainMiddleware $middleware;`
			`private ObjectProphecy $handler;`
Added first tests to Rest module 2016-07-19 11:19:05 -05:00
Updated testing tools 2019-02-16 03:53:45 -06:00			`public function setUp(): void`
Added first tests to Rest module 2016-07-19 11:19:05 -05:00			`{`
Created API tests for CORS 2020-12-31 06:28:06 -06:00			`$this->middleware = new CrossDomainMiddleware(['max_age' => 1000]);`
Ensured accepted methods on CORS requests are dynamically fetched from route match when possible 2019-05-05 02:45:35 -05:00			`$this->handler = $this->prophesize(RequestHandlerInterface::class);`
Added first tests to Rest module 2016-07-19 11:19:05 -05:00			`}`

Reduced amount of dead lines in tests 2019-02-17 13:28:34 -06:00			`/** @test */`
Ensured accepted methods on CORS requests are dynamically fetched from route match when possible 2019-05-05 02:45:35 -05:00			`public function nonCrossDomainRequestsAreNotAffected(): void`
Added first tests to Rest module 2016-07-19 11:19:05 -05:00			`{`
Ensured CrossDomainMiddleware always returns empty responses with success status on OPTIONS requests 2020-01-11 13:36:17 -06:00			`$originalResponse = (new Response())->withStatus(404);`
Ensured accepted methods on CORS requests are dynamically fetched from route match when possible 2019-05-05 02:45:35 -05:00			`$this->handler->handle(Argument::any())->willReturn($originalResponse)->shouldBeCalledOnce();`
Migrated CrossDomainMiddleware to psr-15 middleware 2017-03-25 03:44:34 -05:00
Ensured accepted methods on CORS requests are dynamically fetched from route match when possible 2019-05-05 02:45:35 -05:00			`$response = $this->middleware->process(new ServerRequest(), $this->handler->reveal());`
Improved CrossDomainMiddleware preventing headers to be injected on non-CORS requests 2016-07-19 13:20:18 -05:00			`$headers = $response->getHeaders();`
More test improvements trying to increase mutation score 2019-12-01 03:47:56 -06:00
Invoke PHPUnit's assertions statically 2020-10-03 17:35:14 -05:00			`self::assertSame($originalResponse, $response);`
			`self::assertEquals(404, $response->getStatusCode());`
			`self::assertArrayNotHasKey('Access-Control-Allow-Origin', $headers);`
			`self::assertArrayNotHasKey('Access-Control-Allow-Methods', $headers);`
			`self::assertArrayNotHasKey('Access-Control-Max-Age', $headers);`
			`self::assertArrayNotHasKey('Access-Control-Allow-Headers', $headers);`
Improved CrossDomainMiddleware preventing headers to be injected on non-CORS requests 2016-07-19 13:20:18 -05:00			`}`

Reduced amount of dead lines in tests 2019-02-17 13:28:34 -06:00			`/** @test */`
Ensured accepted methods on CORS requests are dynamically fetched from route match when possible 2019-05-05 02:45:35 -05:00			`public function anyRequestIncludesTheAllowAccessHeader(): void`
Improved CrossDomainMiddleware preventing headers to be injected on non-CORS requests 2016-07-19 13:20:18 -05:00			`{`
			`$originalResponse = new Response();`
Ensured accepted methods on CORS requests are dynamically fetched from route match when possible 2019-05-05 02:45:35 -05:00			`$this->handler->handle(Argument::any())->willReturn($originalResponse)->shouldBeCalledOnce();`
Migrated CrossDomainMiddleware to psr-15 middleware 2017-03-25 03:44:34 -05:00
			`$response = $this->middleware->process(`
Do not use ServerRequestFactory::fromGlobals in tests 2018-12-25 16:01:30 -06:00			`(new ServerRequest())->withHeader('Origin', 'local'),`
Updated to coding standard v2.1 2020-01-01 13:48:31 -06:00			`$this->handler->reveal(),`
Added first tests to Rest module 2016-07-19 11:19:05 -05:00			`);`
Invoke PHPUnit's assertions statically 2020-10-03 17:35:14 -05:00			`self::assertNotSame($originalResponse, $response);`
Added first tests to Rest module 2016-07-19 11:19:05 -05:00
			`$headers = $response->getHeaders();`
More test improvements trying to increase mutation score 2019-12-01 03:47:56 -06:00
Changed value returned in Access-Control-Allow-Origin so that it is always set to '*' 2021-01-24 02:22:46 -06:00			`self::assertEquals('*', $response->getHeaderLine('Access-Control-Allow-Origin'));`
Invoke PHPUnit's assertions statically 2020-10-03 17:35:14 -05:00			`self::assertArrayNotHasKey('Access-Control-Allow-Methods', $headers);`
			`self::assertArrayNotHasKey('Access-Control-Max-Age', $headers);`
			`self::assertArrayNotHasKey('Access-Control-Allow-Headers', $headers);`
Added first tests to Rest module 2016-07-19 11:19:05 -05:00			`}`

Reduced amount of dead lines in tests 2019-02-17 13:28:34 -06:00			`/** @test */`
Ensured accepted methods on CORS requests are dynamically fetched from route match when possible 2019-05-05 02:45:35 -05:00			`public function optionsRequestIncludesMoreHeaders(): void`
Added first tests to Rest module 2016-07-19 11:19:05 -05:00			`{`
Improved CrossDomainMiddleware preventing headers to be injected on non-CORS requests 2016-07-19 13:20:18 -05:00			`$originalResponse = new Response();`
More test improvements trying to increase mutation score 2019-12-01 03:47:56 -06:00			`$request = (new ServerRequest())`
			`->withMethod('OPTIONS')`
			`->withHeader('Origin', 'local')`
			`->withHeader('Access-Control-Request-Headers', 'foo, bar, baz');`
Ensured accepted methods on CORS requests are dynamically fetched from route match when possible 2019-05-05 02:45:35 -05:00			`$this->handler->handle(Argument::any())->willReturn($originalResponse)->shouldBeCalledOnce();`
Added first tests to Rest module 2016-07-19 11:19:05 -05:00
Ensured accepted methods on CORS requests are dynamically fetched from route match when possible 2019-05-05 02:45:35 -05:00			`$response = $this->middleware->process($request, $this->handler->reveal());`
Invoke PHPUnit's assertions statically 2020-10-03 17:35:14 -05:00			`self::assertNotSame($originalResponse, $response);`
Added first tests to Rest module 2016-07-19 11:19:05 -05:00
			`$headers = $response->getHeaders();`
More test improvements trying to increase mutation score 2019-12-01 03:47:56 -06:00
Changed value returned in Access-Control-Allow-Origin so that it is always set to '*' 2021-01-24 02:22:46 -06:00			`self::assertEquals('*', $response->getHeaderLine('Access-Control-Allow-Origin'));`
Invoke PHPUnit's assertions statically 2020-10-03 17:35:14 -05:00			`self::assertArrayHasKey('Access-Control-Allow-Methods', $headers);`
			`self::assertEquals('1000', $response->getHeaderLine('Access-Control-Max-Age'));`
			`self::assertEquals('foo, bar, baz', $response->getHeaderLine('Access-Control-Allow-Headers'));`
			`self::assertEquals(204, $response->getStatusCode());`
Added first tests to Rest module 2016-07-19 11:19:05 -05:00			`}`
Ensured accepted methods on CORS requests are dynamically fetched from route match when possible 2019-05-05 02:45:35 -05:00
			`/**`
			`* @test`
			`* @dataProvider provideRouteResults`
			`*/`
			`public function optionsRequestParsesRouteMatchToDetermineAllowedMethods(`
Fixed CrossDomainMiddleware not inferring proper allowed methods 2021-01-24 06:49:57 -06:00			`?string $allowHeader,`
Ensured accepted methods on CORS requests are dynamically fetched from route match when possible 2019-05-05 02:45:35 -05:00			`string $expectedAllowedMethods`
			`): void {`
			`$originalResponse = new Response();`
Fixed CrossDomainMiddleware not inferring proper allowed methods 2021-01-24 06:49:57 -06:00			`if ($allowHeader !== null) {`
			`$originalResponse = $originalResponse->withHeader('Allow', $allowHeader);`
			`}`
			`$request = (new ServerRequest())->withHeader('Origin', 'local')`
			`->withMethod('OPTIONS');`
Ensured accepted methods on CORS requests are dynamically fetched from route match when possible 2019-05-05 02:45:35 -05:00			`$this->handler->handle(Argument::any())->willReturn($originalResponse)->shouldBeCalledOnce();`

			`$response = $this->middleware->process($request, $this->handler->reveal());`

Invoke PHPUnit's assertions statically 2020-10-03 17:35:14 -05:00			`self::assertEquals($response->getHeaderLine('Access-Control-Allow-Methods'), $expectedAllowedMethods);`
			`self::assertEquals(204, $response->getStatusCode());`
Ensured accepted methods on CORS requests are dynamically fetched from route match when possible 2019-05-05 02:45:35 -05:00			`}`

			`public function provideRouteResults(): iterable`
			`{`
Fixed CrossDomainMiddleware not inferring proper allowed methods 2021-01-24 06:49:57 -06:00			`yield 'no allow header in response' => [null, 'GET,POST,PUT,PATCH,DELETE'];`
			`yield 'allow header in response' => ['POST,GET', 'POST,GET'];`
			`yield 'also allow header in response' => ['DELETE,PATCH,PUT', 'DELETE,PATCH,PUT'];`
Ensured accepted methods on CORS requests are dynamically fetched from route match when possible 2019-05-05 02:45:35 -05:00			`}`
Ensured CrossDomainMiddleware always returns empty responses with success status on OPTIONS requests 2020-01-11 13:36:17 -06:00
			`/**`
			`* @test`
			`* @dataProvider provideMethods`
			`*/`
			`public function expectedStatusCodeIsReturnDependingOnRequestMethod(`
			`string $method,`
			`int $status,`
			`int $expectedStatus`
			`): void {`
			`$originalResponse = (new Response())->withStatus($status);`
			`$request = (new ServerRequest())->withMethod($method)`
			`->withHeader('Origin', 'local');`
			`$this->handler->handle(Argument::any())->willReturn($originalResponse)->shouldBeCalledOnce();`

			`$response = $this->middleware->process($request, $this->handler->reveal());`

Invoke PHPUnit's assertions statically 2020-10-03 17:35:14 -05:00			`self::assertEquals($expectedStatus, $response->getStatusCode());`
Ensured CrossDomainMiddleware always returns empty responses with success status on OPTIONS requests 2020-01-11 13:36:17 -06:00			`}`

			`public function provideMethods(): iterable`
			`{`
			`yield 'POST 200' => ['POST', 200, 200];`
			`yield 'POST 400' => ['POST', 400, 400];`
			`yield 'POST 500' => ['POST', 500, 500];`
			`yield 'GET 200' => ['GET', 200, 200];`
			`yield 'GET 400' => ['GET', 400, 400];`
			`yield 'GET 500' => ['GET', 500, 500];`
			`yield 'PATCH 200' => ['PATCH', 200, 200];`
			`yield 'PATCH 400' => ['PATCH', 400, 400];`
			`yield 'PATCH 500' => ['PATCH', 500, 500];`
			`yield 'DELETE 200' => ['DELETE', 200, 200];`
			`yield 'DELETE 400' => ['DELETE', 400, 400];`
			`yield 'DELETE 500' => ['DELETE', 500, 500];`
			`yield 'OPTIONS 200' => ['OPTIONS', 200, 204];`
			`yield 'OPTIONS 400' => ['OPTIONS', 400, 204];`
			`yield 'OPTIONS 500' => ['OPTIONS', 500, 204];`
			`}`
Added first tests to Rest module 2016-07-19 11:19:05 -05:00			`}`