refactoring: tests/test_tutorial/test_cors/test_tutorial001.py

tests/test_tutorial/test_cors/test_tutorial001.py

@@ -1,37 +1,103 @@
+import pytest
 from fastapi.testclient import TestClient
 
-from docs_src.cors.tutorial001 import app
+from docs_src.cors.tutorial001 import app, origins
 
 
-def test_cors():
+@pytest.fixture(name="client")
-    client = TestClient(app)
+def get_test_client():
-    # Test pre-flight response
+    return TestClient(app)
+
+
+class TestCORS:
+    allowed_origins = origins
+
+    @pytest.mark.parametrize("allowed_origin_url", origins)
+    def test_preflight_with_allowed_origin(self, client, allowed_origin_url):
+        origin_url = allowed_origin_url
         headers = {
-        "Origin": "https://localhost.tiangolo.com",
+            "Origin": origin_url,
             "Access-Control-Request-Method": "GET",
             "Access-Control-Request-Headers": "X-Example",
         }
         response = client.options("/", headers=headers)
-    assert response.status_code == 200, response.text
+        assert origin_url in self.allowed_origins
-    assert response.text == "OK"
+        # response
-    assert (
+        assert response.status_code == 200
-        response.headers["access-control-allow-origin"]
+        # response headers: cors
-        == "https://localhost.tiangolo.com"
+        assert "access-control-allow-methods" in response.headers
-    )
+        assert "access-control-allow-credentials" in response.headers
-    assert response.headers["access-control-allow-headers"] == "X-Example"
+        assert "access-control-max-age" in response.headers
-
+        assert "access-control-allow-headers" in response.headers
-    # Test standard response
+        # response headers: cors: origin
-    headers = {"Origin": "https://localhost.tiangolo.com"}
+        assert "access-control-allow-origin" in response.headers
+        assert response.headers["access-control-allow-origin"] == origin_url
+
+    def test_preflight_with_not_allowed_origin(self, client):
+        origin_url = "https://www.example.com"
+        headers = {
+            "Origin": origin_url,
+            "Access-Control-Request-Method": "GET",
+            "Access-Control-Request-Headers": "X-Example",
+        }
+        response = client.options("/", headers=headers)
+        assert origin_url not in self.allowed_origins
+        # response
+        assert response.status_code == 400
+        # response headers: cors
+        assert "access-control-allow-methods" in response.headers
+        assert "access-control-allow-credentials" in response.headers
+        assert "access-control-max-age" in response.headers
+        assert "access-control-allow-headers" in response.headers
+        # response headers: cors: origin
+        assert "access-control-allow-origin" not in response.headers
+
+    @pytest.mark.parametrize("allowed_origin_url", origins)
+    def test_simple_response_with_allowed_origin(self, client, allowed_origin_url):
+        origin_url = allowed_origin_url
+        headers = {
+            "Origin": origin_url,
+        }
         response = client.get("/", headers=headers)
-    assert response.status_code == 200, response.text
+        assert origin_url in self.allowed_origins
+        # response
+        assert response.status_code == 200
+        assert response.json() == {"message": "Hello World"}
+        # response headers: cors
+        assert "access-control-allow-methods" not in response.headers
+        assert "access-control-allow-credentials" in response.headers
+        assert "access-control-max-age" not in response.headers
+        assert "access-control-allow-headers" not in response.headers
+        # response headers: cors: origin
+        assert "access-control-allow-origin" in response.headers
+        assert response.headers["access-control-allow-origin"] == origin_url
+
+    def test_simple_response_with_not_allowed_origin(self, client):
+        origin_url = "https://example.com"
+        headers = {
+            "Origin": origin_url,
+        }
+        response = client.get("/", headers=headers)
+        assert origin_url not in self.allowed_origins
+        # response
+        assert response.status_code == 200
         assert response.json() == {"message": "Hello World"}
-    assert (
+        # response headers: cors
-        response.headers["access-control-allow-origin"]
+        assert "access-control-allow-methods" not in response.headers
-        == "https://localhost.tiangolo.com"
+        assert "access-control-allow-credentials" in response.headers
-    )
+        assert "access-control-max-age" not in response.headers
+        assert "access-control-allow-headers" not in response.headers
+        # response headers: cors: origin
+        assert "access-control-allow-origin" not in response.headers
 
-    # Test non-CORS response
+    def test_non_cors_response(self, client):
         response = client.get("/")
+        # response
         assert response.status_code == 200, response.text
         assert response.json() == {"message": "Hello World"}
+        # response headers: cors
+        assert "access-control-allow-methods" not in response.headers
+        assert "access-control-allow-credentials" not in response.headers
+        assert "access-control-max-age" not in response.headers
+        assert "access-control-allow-headers" not in response.headers
         assert "access-control-allow-origin" not in response.headers