tests/unit/test_cors.py

"""Unit tests for CORS middleware.

WHAT:  Tests for the CORS middleware configuration, including wildcard
       origin handling, credentials support, and preflight responses.
WHY:   CORS misconfiguration can break browser clients or leak credentials.
EXPECTED: Correct Access-Control-* headers for all origin configurations.
"""
import pytest
from flask import Flask

from gatehouse_app.middleware.cors import (
    _is_origin_allowed,
    _cors_origin_header,
    setup_cors,
)


# ---------------------------------------------------------------------------
# _is_origin_allowed
# ---------------------------------------------------------------------------

class TestIsOriginAllowed:
    def test_empty_origin_rejected(self):
        """TEST: CORS-01 -- Empty origin is never allowed."""
        assert _is_origin_allowed("", ["https://example.com"]) is False
        assert _is_origin_allowed(None, "*") is False

    def test_wildcard_string(self):
        """TEST: CORS-02 -- Wildcard string allows any origin."""
        assert _is_origin_allowed("https://evil.com", "*") is True

    def test_wildcard_in_list(self):
        """TEST: CORS-03 -- Wildcard in list allows any origin."""
        assert _is_origin_allowed("https://evil.com", ["*", "https://example.com"]) is True

    def test_explicit_origin_match(self):
        """TEST: CORS-04 -- Explicit list matches exact origin."""
        origins = ["https://example.com", "http://localhost:3000"]
        assert _is_origin_allowed("https://example.com", origins) is True
        assert _is_origin_allowed("https://evil.com", origins) is False

    def test_empty_origins_list(self):
        """TEST: CORS-05 -- Empty list rejects everything."""
        assert _is_origin_allowed("https://example.com", []) is False


# ---------------------------------------------------------------------------
# _cors_origin_header
# ---------------------------------------------------------------------------

class TestCorsOriginHeader:
    def test_wildcard_with_origin_echoes(self):
        """TEST: CORS-HDR-01 -- Wildcard echoes request origin (for credentials)."""
        assert _cors_origin_header("*", "https://example.com") == "https://example.com"

    def test_wildcard_without_origin(self):
        """TEST: CORS-HDR-02 -- Wildcard with no origin returns *."""
        assert _cors_origin_header("*", None) == "*"

    def test_wildcard_in_list_with_origin(self):
        """TEST: CORS-HDR-03 -- Wildcard in list echoes request origin."""
        result = _cors_origin_header(["*", "https://example.com"], "https://any.com")
        assert result == "https://any.com"

    def test_specific_origin_match(self):
        """TEST: CORS-HDR-04 -- Matching origin is echoed."""
        origins = ["https://example.com"]
        assert _cors_origin_header(origins, "https://example.com") == "https://example.com"

    def test_specific_origin_no_match(self):
        """TEST: CORS-HDR-05 -- Non-matching origin returns None."""
        origins = ["https://example.com"]
        assert _cors_origin_header(origins, "https://evil.com") is None

    def test_no_origin_no_match(self):
        """TEST: CORS-HDR-06 -- No origin with specific list returns None."""
        origins = ["https://example.com"]
        assert _cors_origin_header(origins, None) is None


# ---------------------------------------------------------------------------
# Integration: preflight response
# ---------------------------------------------------------------------------

class TestPreflightIntegration:
    @pytest.fixture
    def app_wildcard(self):
        app = Flask(__name__)
        app.config["CORS_ORIGINS"] = "*"
        app.config["CORS_SUPPORTS_CREDENTIALS"] = True
        setup_cors(app)
        app.config["TESTING"] = True
        return app

    @pytest.fixture
    def app_specific(self):
        app = Flask(__name__)
        app.config["CORS_ORIGINS"] = ["https://example.com"]
        app.config["CORS_SUPPORTS_CREDENTIALS"] = True
        setup_cors(app)
        app.config["TESTING"] = True
        return app

    def test_wildcard_preflight_echoes_origin(self, app_wildcard):
        """TEST: CORS-PF-01 -- Wildcard preflight echoes request origin."""
        with app_wildcard.test_client() as client:
            resp = client.options("/", headers={"Origin": "https://example.com"})
            assert resp.status_code == 204
            assert resp.headers.get("Access-Control-Allow-Origin") == "https://example.com"
            assert resp.headers.get("Access-Control-Allow-Credentials") == "true"

    def test_specific_origin_preflight(self, app_specific):
        """TEST: CORS-PF-02 -- Specific origin preflight allows matching origin."""
        with app_specific.test_client() as client:
            resp = client.options("/", headers={"Origin": "https://example.com"})
            assert resp.status_code == 204
            assert resp.headers.get("Access-Control-Allow-Origin") == "https://example.com"
            assert resp.headers.get("Access-Control-Allow-Credentials") == "true"

    def test_specific_origin_rejects_unknown(self, app_specific):
        """TEST: CORS-PF-03 -- Non-matching origin gets no CORS headers."""
        with app_specific.test_client() as client:
            resp = client.options("/", headers={"Origin": "https://evil.com"})
            # No preflight handler runs, Flask returns default
            assert resp.headers.get("Access-Control-Allow-Origin") is None
fix(cors): handle wildcard origin with credentials and add unit tests 2026-04-26 01:12:39 +09:30			`"""Unit tests for CORS middleware.`

			`WHAT: Tests for the CORS middleware configuration, including wildcard`
			`origin handling, credentials support, and preflight responses.`
			`WHY: CORS misconfiguration can break browser clients or leak credentials.`
			`EXPECTED: Correct Access-Control-* headers for all origin configurations.`
			`"""`
			`import pytest`
			`from flask import Flask`

			`from gatehouse_app.middleware.cors import (`
			`_is_origin_allowed,`
			`_cors_origin_header,`
			`setup_cors,`
			`)`


			`# ---------------------------------------------------------------------------`
			`# _is_origin_allowed`
			`# ---------------------------------------------------------------------------`

			`class TestIsOriginAllowed:`
			`def test_empty_origin_rejected(self):`
			`"""TEST: CORS-01 -- Empty origin is never allowed."""`
			`assert _is_origin_allowed("", ["https://example.com"]) is False`
			`assert _is_origin_allowed(None, "*") is False`

			`def test_wildcard_string(self):`
			`"""TEST: CORS-02 -- Wildcard string allows any origin."""`
			`assert _is_origin_allowed("https://evil.com", "*") is True`

			`def test_wildcard_in_list(self):`
			`"""TEST: CORS-03 -- Wildcard in list allows any origin."""`
			`assert _is_origin_allowed("https://evil.com", ["*", "https://example.com"]) is True`

			`def test_explicit_origin_match(self):`
			`"""TEST: CORS-04 -- Explicit list matches exact origin."""`
			`origins = ["https://example.com", "http://localhost:3000"]`
			`assert _is_origin_allowed("https://example.com", origins) is True`
			`assert _is_origin_allowed("https://evil.com", origins) is False`

			`def test_empty_origins_list(self):`
			`"""TEST: CORS-05 -- Empty list rejects everything."""`
			`assert _is_origin_allowed("https://example.com", []) is False`


			`# ---------------------------------------------------------------------------`
			`# _cors_origin_header`
			`# ---------------------------------------------------------------------------`

			`class TestCorsOriginHeader:`
			`def test_wildcard_with_origin_echoes(self):`
			`"""TEST: CORS-HDR-01 -- Wildcard echoes request origin (for credentials)."""`
			`assert _cors_origin_header("*", "https://example.com") == "https://example.com"`

			`def test_wildcard_without_origin(self):`
			`"""TEST: CORS-HDR-02 -- Wildcard with no origin returns *."""`
			`assert _cors_origin_header("", None) == ""`

			`def test_wildcard_in_list_with_origin(self):`
			`"""TEST: CORS-HDR-03 -- Wildcard in list echoes request origin."""`
			`result = _cors_origin_header(["*", "https://example.com"], "https://any.com")`
			`assert result == "https://any.com"`

			`def test_specific_origin_match(self):`
			`"""TEST: CORS-HDR-04 -- Matching origin is echoed."""`
			`origins = ["https://example.com"]`
			`assert _cors_origin_header(origins, "https://example.com") == "https://example.com"`

			`def test_specific_origin_no_match(self):`
			`"""TEST: CORS-HDR-05 -- Non-matching origin returns None."""`
			`origins = ["https://example.com"]`
			`assert _cors_origin_header(origins, "https://evil.com") is None`

			`def test_no_origin_no_match(self):`
			`"""TEST: CORS-HDR-06 -- No origin with specific list returns None."""`
			`origins = ["https://example.com"]`
			`assert _cors_origin_header(origins, None) is None`


			`# ---------------------------------------------------------------------------`
			`# Integration: preflight response`
			`# ---------------------------------------------------------------------------`

			`class TestPreflightIntegration:`
			`@pytest.fixture`
			`def app_wildcard(self):`
			`app = Flask(__name__)`
			`app.config["CORS_ORIGINS"] = "*"`
			`app.config["CORS_SUPPORTS_CREDENTIALS"] = True`
			`setup_cors(app)`
			`app.config["TESTING"] = True`
			`return app`

			`@pytest.fixture`
			`def app_specific(self):`
			`app = Flask(__name__)`
			`app.config["CORS_ORIGINS"] = ["https://example.com"]`
			`app.config["CORS_SUPPORTS_CREDENTIALS"] = True`
			`setup_cors(app)`
			`app.config["TESTING"] = True`
			`return app`

			`def test_wildcard_preflight_echoes_origin(self, app_wildcard):`
			`"""TEST: CORS-PF-01 -- Wildcard preflight echoes request origin."""`
			`with app_wildcard.test_client() as client:`
			`resp = client.options("/", headers={"Origin": "https://example.com"})`
			`assert resp.status_code == 204`
			`assert resp.headers.get("Access-Control-Allow-Origin") == "https://example.com"`
			`assert resp.headers.get("Access-Control-Allow-Credentials") == "true"`

			`def test_specific_origin_preflight(self, app_specific):`
			`"""TEST: CORS-PF-02 -- Specific origin preflight allows matching origin."""`
			`with app_specific.test_client() as client:`
			`resp = client.options("/", headers={"Origin": "https://example.com"})`
			`assert resp.status_code == 204`
			`assert resp.headers.get("Access-Control-Allow-Origin") == "https://example.com"`
			`assert resp.headers.get("Access-Control-Allow-Credentials") == "true"`

			`def test_specific_origin_rejects_unknown(self, app_specific):`
			`"""TEST: CORS-PF-03 -- Non-matching origin gets no CORS headers."""`
			`with app_specific.test_client() as client:`
			`resp = client.options("/", headers={"Origin": "https://evil.com"})`
			`# No preflight handler runs, Flask returns default`
			`assert resp.headers.get("Access-Control-Allow-Origin") is None`