fix: Ensure CORS headers are still added when an error occurs in the authenticator (#32)

mattbearman · web-flow · commit 76cc18adca6d · 2024-09-18T14:36:26.000+01:00
* fix: Ensure CORS headers are still added when an error occurs in the authenticator

* fix: Fix failing tests in Rack &gt;= 3.1.0

The `rack.input` header was made optional, so we need to always set an input in our mock requests

* chore: Fix linting issues

- add_runtime_dependency is deprecated in favour of add_dependency
- params are not required for `super` when the method signature is unchanged

* test: Add status check
diff --git a/apia.gemspec b/apia.gemspec
@@ -13,6 +13,6 @@ Gem::Specification.new do |s|
   s.authors       = ['Adam Cooke']
   s.email         = ['adam@k.io']
   s.licenses      = ['MIT']
-  s.add_runtime_dependency 'json'
-  s.add_runtime_dependency 'rack'
+  s.add_dependency 'json'
+  s.add_dependency 'rack'
 end
diff --git a/lib/apia/dsls/endpoint.rb b/lib/apia/dsls/endpoint.rb
@@ -69,7 +69,7 @@ def field(name, *args, type: nil, **options, &block)
 
           field :pagination, type: PaginationObject
         end
-        super(name, *args, type: type, **options, &block)
+        super
       end
 
       def fields(fieldset)
diff --git a/lib/apia/endpoint.rb b/lib/apia/endpoint.rb
@@ -47,7 +47,7 @@ def execute(request)
         response = Response.new(request, self)
         environment = RequestEnvironment.new(request, response)
 
-        catch_errors(response) do
+        catch_errors(response, environment) do
           # Determine an authenticator for this endpoint
           request.authenticator = definition.authenticator || request.controller&.definition&.authenticator || request.api&.definition&.authenticator
 
@@ -92,10 +92,14 @@ def execute(request)
       #
       # @param response [Apia::Response]
       # @return [void]
-      def catch_errors(response)
+      def catch_errors(response, environment)
         yield
       rescue Apia::RuntimeError => e
-        catch_errors(response) do
+        # If the error was triggered by the authenticator, the cors headers wont yet have been merged
+        # so ensure cors headers are merged here
+        response.headers.merge!(environment.cors.to_headers)
+
+        catch_errors(response, environment) do
           response.body = { error: e.hash }
           response.status = e.http_status
           response.headers['x-api-schema'] = 'json-error'
diff --git a/lib/apia/request.rb b/lib/apia/request.rb
@@ -36,7 +36,7 @@ def json_body
     end
 
     def body?
-      has_header?('rack.input')
+      has_header?(::Rack::RACK_INPUT)
     end
 
     def params
diff --git a/spec/specs/apia/argument_set_spec.rb b/spec/specs/apia/argument_set_spec.rb
@@ -40,7 +40,7 @@
     end
 
     it 'should create a new set using HTTP params if provided' do
-      env = Rack::MockRequest.env_for('/?name=michael')
+      env = Rack::MockRequest.env_for('/?name=michael', input: '')
       request = Apia::Request.new(env)
       as = Apia::ArgumentSet.create('ExampleSet') do
         argument :name, type: :string
diff --git a/spec/specs/apia/endpoint_spec.rb b/spec/specs/apia/endpoint_spec.rb
@@ -130,7 +130,7 @@
       end
 
       it 'should create an argument set from standard HTTP query string parameters' do
-        request = Apia::Request.new(Rack::MockRequest.env_for('/?name=Adam'))
+        request = Apia::Request.new(Rack::MockRequest.env_for('/?name=Adam', input: ''))
         request.endpoint = Apia::Endpoint.create('Endpoint') do
           argument :name, type: :string
         end
@@ -173,6 +173,38 @@
             expect(response.headers['Access-Control-Allow-Headers']).to eq 'X-Custom'
           end
         end
+
+        context 'when cors values are set by the authenticator and it throws an error' do
+          it 'includes the CORS headers from the authenticator in the response' do
+            request = Apia::Request.new(Rack::MockRequest.env_for('/', input: ''))
+
+            authenticator = Apia::Authenticator.create('ExampleAPIAuthenticator') do
+              potential_error 'Failed' do
+                code :failed
+                http_status 500
+              end
+            end
+
+            authenticator.action do
+              cors.origin = 'example.com'
+              cors.methods = 'GET, POST'
+              cors.headers = 'X-Custom'
+
+              raise_error 'Failed'
+            end
+
+            endpoint = Apia::Endpoint.create('Endpoint') do
+              authenticator authenticator
+            end
+
+            response = endpoint.execute(request)
+
+            expect(response.status).to eq 500
+            expect(response.headers['Access-Control-Allow-Origin']).to eq 'example.com'
+            expect(response.headers['Access-Control-Allow-Methods']).to eq 'GET, POST'
+            expect(response.headers['Access-Control-Allow-Headers']).to eq 'X-Custom'
+          end
+        end
       end
 
       context 'when the request is an OPTIONS request' do
diff --git a/spec/specs/apia/request_spec.rb b/spec/specs/apia/request_spec.rb
@@ -41,7 +41,7 @@
     end
 
     it 'should return a hash if no body is provided but there is an _arguments parameter containing a string' do
-      request = Apia::Request.new(Rack::MockRequest.env_for('/', params: { _arguments: '{"name":"Jamie"}' }))
+      request = Apia::Request.new(Rack::MockRequest.env_for('/', params: { _arguments: '{"name":"Jamie"}' }, input: ''))
       expect(request.json_body).to be_a Hash
       expect(request.json_body['name']).to eq 'Jamie'
     end
