gateway-cors-middleware.test.mjs
1 import { describe, it } from 'node:test';
2 import assert from 'node:assert/strict';
3 import {
4 applyGatewayCors,
5 isWwwApexPair,
6 resolveGatewayAllowOrigin,
7 } from '../hub/gateway/cors-middleware.mjs';
8
/**
 * Build a minimal stand-in for the response object handed to the CORS middleware.
 *
 * Only `set(name, value)` is provided. Header names are stored lower-cased, so
 * assertions can look them up without caring how the middleware cases them.
 *
 * @returns {{ set: (name: string, value: unknown) => void, headers: Object }}
 *   The fake response; `headers` is the live record of everything `set` received.
 */
function mockRes() {
  const recorded = {};
  const set = (name, value) => {
    // Normalise the key so 'Vary' and 'vary' land in the same slot.
    recorded[name.toLowerCase()] = value;
  };
  return { set, headers: recorded };
}
18
describe('applyGatewayCors', () => {
  const APEX = 'https://knowtation.store';
  const WWW = 'https://www.knowtation.store';

  // Run the middleware against a fresh mock response and hand back the headers it set.
  const corsHeadersFor = (requestOrigin, allowlist) => {
    const res = mockRes();
    applyGatewayCors(res, requestOrigin, allowlist);
    return res.headers;
  };

  // With no allowlist the gateway answers with a wildcard. The wildcard must not be
  // combined with Allow-Credentials (browsers reject that pairing), so the absence
  // of the credentials header is pinned here as well.
  it('with empty HUB list uses * and does not set Allow-Credentials', () => {
    const headers = corsHeadersFor(APEX, []);
    assert.equal(headers['access-control-allow-origin'], '*');
    assert.equal(headers['access-control-allow-credentials'], undefined);
  });

  // An exact allowlist hit is reflected with credentials. Vary: Origin is checked
  // because the response now differs per requesting origin and must not be served
  // from a shared cache to a different one.
  it('with configured origins reflects matching Origin and sets credentials', () => {
    const headers = corsHeadersFor(WWW, [APEX, WWW]);
    assert.equal(headers['access-control-allow-origin'], WWW);
    assert.equal(headers['access-control-allow-credentials'], 'true');
    assert.equal(headers.vary, 'Origin');
  });

  // The property that matters: an Origin outside the allowlist is never echoed back.
  // The header carries the first allowlisted entry instead, which does not match the
  // requesting page, so the browser withholds the response from it.
  // NOTE(review): Vary is not asserted on this path; confirm the middleware sets it
  // here too, otherwise a cached fallback response could be reused across origins.
  it('with configured origins and foreign Origin falls back to first allowlisted (browser may still block)', () => {
    const headers = corsHeadersFor('https://evil.example', [APEX, WWW]);
    assert.equal(headers['access-control-allow-origin'], APEX);
    assert.equal(headers['access-control-allow-credentials'], 'true');
  });

  // The next two cases pin a deliberate widening: an Origin that is NOT literally in
  // the allowlist is echoed, with credentials, when it is the www/apex sibling of an
  // entry that is.
  // NOTE(review): only https and the exact sibling host are exercised. Nothing here
  // covers a scheme mismatch, a differing port, or a host that merely contains or
  // ends with the allowlisted name; those negative cases deserve their own tests.
  it('echoes request Origin when allowlist has only www but page is apex (www/apex pair)', () => {
    const headers = corsHeadersFor(APEX, [WWW]);
    assert.equal(headers['access-control-allow-origin'], APEX);
    assert.equal(headers['access-control-allow-credentials'], 'true');
  });

  it('echoes request Origin when allowlist has only apex but page is www', () => {
    const headers = corsHeadersFor(WWW, [APEX]);
    assert.equal(headers['access-control-allow-origin'], WWW);
    assert.equal(headers['access-control-allow-credentials'], 'true');
  });
});
60
// isWwwApexPair decides whether an Origin outside the literal allowlist may still be
// trusted as the www/apex sibling of an allowlisted entry, so its negative cases
// matter as much as the positive one.
// NOTE(review): the suite has one positive and one negative case, both https with
// default ports. Sibling detection across differing schemes or ports, and hosts
// that only share a suffix with the allowlisted name, are not covered here.
describe('isWwwApexPair', () => {
  it('matches www and bare host for same site', () => {
    const paired = isWwwApexPair('https://www.knowtation.store', 'https://knowtation.store');
    assert.equal(paired, true);
  });

  it('does not match unrelated hosts', () => {
    const paired = isWwwApexPair('https://a.com', 'https://b.com');
    assert.equal(paired, false);
  });
});
72
// resolveGatewayAllowOrigin picks the value for Access-Control-Allow-Origin.
// Pinned here: an empty allowlist yields the wildcard regardless of the request
// Origin, and a request without an Origin gets the first allowlisted entry.
describe('resolveGatewayAllowOrigin', () => {
  it('returns * when no allowlist (caller uses * path)', () => {
    const chosen = resolveGatewayAllowOrigin('https://x.com', []);
    assert.equal(chosen, '*');
  });

  it('returns first entry when no request Origin and list set', () => {
    const allowlist = ['https://www.knowtation.store'];
    const chosen = resolveGatewayAllowOrigin(undefined, allowlist);
    assert.equal(chosen, 'https://www.knowtation.store');
  });
});