From b11171019454b501c2ebc3d398858f7d03ab3914 Mon Sep 17 00:00:00 2001
From: alv2017 <v.alishauskaite@gmail.com>
Date: Thu, 20 Mar 2025 12:42:38 +0200
Subject: [PATCH] tests/test_tutorial/test_cors/test_tutorial001.py: more
 preflight checks added

---
 tests/test_tutorial/test_cors/test_tutorial001.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/tests/test_tutorial/test_cors/test_tutorial001.py b/tests/test_tutorial/test_cors/test_tutorial001.py
index b261d1209..9ce61735d 100644
--- a/tests/test_tutorial/test_cors/test_tutorial001.py
+++ b/tests/test_tutorial/test_cors/test_tutorial001.py
@@ -18,17 +18,19 @@ class TestCORS:
         headers = {
             "Origin": origin_url,
             "Access-Control-Request-Method": "GET",
-            "Access-Control-Request-Headers": "X-Example",
+            "Access-Control-Request-Headers": "X-Example-1, X-Example-2",
         }
         response = client.options("/", headers=headers)
         assert origin_url in self.allowed_origins
         # response
         assert response.status_code == 200
+        assert response.text == "OK"
         # response headers: cors
         assert "access-control-allow-methods" in response.headers
         assert "access-control-allow-credentials" in response.headers
         assert "access-control-max-age" in response.headers
         assert "access-control-allow-headers" in response.headers
+        assert response.headers["access-control-allow-headers"] == "X-Example-1, X-Example-2"
         # response headers: cors: origin
         assert "access-control-allow-origin" in response.headers
         assert response.headers["access-control-allow-origin"] == origin_url
@@ -38,17 +40,19 @@ class TestCORS:
         headers = {
             "Origin": origin_url,
             "Access-Control-Request-Method": "GET",
-            "Access-Control-Request-Headers": "X-Example",
+            "Access-Control-Request-Headers": "X-Example-1, X-Example-2",
         }
         response = client.options("/", headers=headers)
         assert origin_url not in self.allowed_origins
         # response
         assert response.status_code == 400
+        assert response.text == "Disallowed CORS origin"
         # response headers: cors
         assert "access-control-allow-methods" in response.headers
         assert "access-control-allow-credentials" in response.headers
         assert "access-control-max-age" in response.headers
         assert "access-control-allow-headers" in response.headers
+        assert response.headers["access-control-allow-headers"] == "X-Example-1, X-Example-2"
         # response headers: cors: origin
         assert "access-control-allow-origin" not in response.headers