fix: return Access-Control-Allow-Headers=* for OPTIONS requests with no Access-Control-Request-Headers

bethesque · bethesque · commit 855fd83c03b7 · 2018-07-04T13:55:44.000+10:00
Closes: pact-foundation/pact-js#195
diff --git a/lib/pact/mock_service/request_handlers/options.rb b/lib/pact/mock_service/request_handlers/options.rb
@@ -7,32 +7,44 @@ class Options < BaseRequestHandler
 
         attr_reader :name, :logger, :cors_enabled
 
+        HTTP_ACCESS_CONTROL_REQUEST_METHOD = "HTTP_ACCESS_CONTROL_REQUEST_METHOD".freeze
+        HTTP_ACCESS_CONTROL_REQUEST_HEADERS = "HTTP_ACCESS_CONTROL_REQUEST_HEADERS".freeze
+        ACCESS_CONTROL_ALLOW_ORIGIN = "Access-Control-Allow-Origin".freeze
+        ACCESS_CONTROL_ALLOW_METHODS = "Access-Control-Allow-Methods".freeze
+        ACCESS_CONTROL_ALLOW_HEADERS = "Access-Control-Allow-Headers".freeze
+        HTTP_ORIGIN = "HTTP_ORIGIN".freeze
+        ALL_METHODS = "DELETE, POST, GET, HEAD, PUT, TRACE, CONNECT, PATCH".freeze
+        REQUEST_METHOD = "REQUEST_METHOD".freeze
+        OPTIONS = "OPTIONS".freeze
+        X_PACT_MOCK_SERVICE_REGEXP = /x-pact-mock-service/i
+
         def initialize name, logger, cors_enabled
           @name = name
           @logger = logger
           @cors_enabled = cors_enabled
         end
 
         def match? env
-           is_options_request?(env) && (cors_enabled || is_administration_request?(env))
+          is_options_request?(env) && (cors_enabled || is_administration_request?(env))
         end
 
         def respond env
           cors_headers = {
-           'Access-Control-Allow-Origin' => env.fetch('HTTP_ORIGIN','*'),
-           'Access-Control-Allow-Headers' => headers_from(env)["Access-Control-Request-Headers"],
-           'Access-Control-Allow-Methods' => 'DELETE, POST, GET, HEAD, PUT, TRACE, CONNECT, PATCH'
+            ACCESS_CONTROL_ALLOW_ORIGIN => env.fetch(HTTP_ORIGIN,'*'),
+            ACCESS_CONTROL_ALLOW_HEADERS => env.fetch(HTTP_ACCESS_CONTROL_REQUEST_HEADERS, '*'),
+            ACCESS_CONTROL_ALLOW_METHODS => ALL_METHODS
           }
-          logger.info "Received OPTIONS request for mock service administration endpoint #{env['HTTP_ACCESS_CONTROL_REQUEST_METHOD']} #{env['PATH_INFO']}. Returning CORS headers: #{cors_headers.to_json}."
+
+          logger.info "Received OPTIONS request for mock service administration endpoint #{env[HTTP_ACCESS_CONTROL_REQUEST_METHOD]} #{env['PATH_INFO']}. Returning CORS headers: #{cors_headers}."
           [200, cors_headers, []]
         end
 
         def is_options_request? env
-          env['REQUEST_METHOD'] == 'OPTIONS'
+          env[REQUEST_METHOD] == OPTIONS
         end
 
         def is_administration_request? env
-          (env["HTTP_ACCESS_CONTROL_REQUEST_HEADERS"] || '').match(/x-pact-mock-service/i)
+          (env[HTTP_ACCESS_CONTROL_REQUEST_HEADERS] || '').match(X_PACT_MOCK_SERVICE_REGEXP)
         end
       end
     end
diff --git a/spec/lib/pact/mock_service/request_handlers/options_spec.rb b/spec/lib/pact/mock_service/request_handlers/options_spec.rb
@@ -0,0 +1,55 @@
+require 'pact/mock_service/request_handlers/options'
+
+module Pact
+  module MockService
+    module RequestHandlers
+      describe Options do
+        subject {  }
+
+        let(:logger) { Logger.new(StringIO.new) }
+        let(:cors_enabled) { true }
+
+        describe "respond" do
+          let(:response) { Options.new('provider', logger, cors_enabled).respond(env) }
+
+          describe "response headers" do
+            let(:env) do
+              {
+                'HTTP_ORIGIN' => 'foo.com',
+                'HTTP_ACCESS_CONTROL_REQUEST_HEADERS' => 'foo'
+              }
+            end
+
+            subject { response[1] }
+
+            it { is_expected.to include 'Access-Control-Allow-Methods' => 'DELETE, POST, GET, HEAD, PUT, TRACE, CONNECT, PATCH' }
+
+            context "with Origin" do
+              it { is_expected.to include 'Access-Control-Allow-Origin' => 'foo.com' }
+            end
+
+            context "with no Origin" do
+              let(:env) { {} }
+
+              it { is_expected.to include 'Access-Control-Allow-Origin' => '*' }
+            end
+
+            context "with no Access-Control-Request-Headers" do
+              it { is_expected.to_not include 'Access-Control-Allow-Headers' => '*' }
+            end
+
+            context "with Access-Control-Request-Headers" do
+              it { is_expected.to include 'Access-Control-Allow-Headers' => 'foo' }
+            end
+
+            context "with no Access-Control-Request-Headers" do
+              let(:env) { {} }
+
+              it { is_expected.to include 'Access-Control-Allow-Headers' => '*' }
+            end
+          end
+        end
+      end
+    end
+  end
+end
