From 2b147a298c5834ec636c9e9ef027af399d4d0b6b Mon Sep 17 00:00:00 2001 From: alv2017 Date: Sat, 8 Mar 2025 14:58:52 +0200 Subject: [PATCH 1/3] refactoring: tests/test_tutorial/test_cors/test_tutorial001.py --- .../test_cors/test_tutorial001.py | 136 +++++++++++++----- 1 file changed, 101 insertions(+), 35 deletions(-) diff --git a/tests/test_tutorial/test_cors/test_tutorial001.py b/tests/test_tutorial/test_cors/test_tutorial001.py index f62c9df4f..b261d1209 100644 --- a/tests/test_tutorial/test_cors/test_tutorial001.py +++ b/tests/test_tutorial/test_cors/test_tutorial001.py @@ -1,37 +1,103 @@ +import pytest from fastapi.testclient import TestClient -from docs_src.cors.tutorial001 import app - - -def test_cors(): - client = TestClient(app) - # Test pre-flight response - headers = { - "Origin": "https://localhost.tiangolo.com", - "Access-Control-Request-Method": "GET", - "Access-Control-Request-Headers": "X-Example", - } - response = client.options("/", headers=headers) - assert response.status_code == 200, response.text - assert response.text == "OK" - assert ( - response.headers["access-control-allow-origin"] - == "https://localhost.tiangolo.com" - ) - assert response.headers["access-control-allow-headers"] == "X-Example" - - # Test standard response - headers = {"Origin": "https://localhost.tiangolo.com"} - response = client.get("/", headers=headers) - assert response.status_code == 200, response.text - assert response.json() == {"message": "Hello World"} - assert ( - response.headers["access-control-allow-origin"] - == "https://localhost.tiangolo.com" - ) - - # Test non-CORS response - response = client.get("/") - assert response.status_code == 200, response.text - assert response.json() == {"message": "Hello World"} - assert "access-control-allow-origin" not in response.headers +from docs_src.cors.tutorial001 import app, origins + + +@pytest.fixture(name="client") +def get_test_client(): + return TestClient(app) + + +class TestCORS: + allowed_origins = origins + + @pytest.mark.parametrize("allowed_origin_url", origins) + def test_preflight_with_allowed_origin(self, client, allowed_origin_url): + origin_url = allowed_origin_url + headers = { + "Origin": origin_url, + "Access-Control-Request-Method": "GET", + "Access-Control-Request-Headers": "X-Example", + } + response = client.options("/", headers=headers) + assert origin_url in self.allowed_origins + # response + assert response.status_code == 200 + # response headers: cors + assert "access-control-allow-methods" in response.headers + assert "access-control-allow-credentials" in response.headers + assert "access-control-max-age" in response.headers + assert "access-control-allow-headers" in response.headers + # response headers: cors: origin + assert "access-control-allow-origin" in response.headers + assert response.headers["access-control-allow-origin"] == origin_url + + def test_preflight_with_not_allowed_origin(self, client): + origin_url = "https://www.example.com" + headers = { + "Origin": origin_url, + "Access-Control-Request-Method": "GET", + "Access-Control-Request-Headers": "X-Example", + } + response = client.options("/", headers=headers) + assert origin_url not in self.allowed_origins + # response + assert response.status_code == 400 + # response headers: cors + assert "access-control-allow-methods" in response.headers + assert "access-control-allow-credentials" in response.headers + assert "access-control-max-age" in response.headers + assert "access-control-allow-headers" in response.headers + # response headers: cors: origin + assert "access-control-allow-origin" not in response.headers + + @pytest.mark.parametrize("allowed_origin_url", origins) + def test_simple_response_with_allowed_origin(self, client, allowed_origin_url): + origin_url = allowed_origin_url + headers = { + "Origin": origin_url, + } + response = client.get("/", headers=headers) + assert origin_url in self.allowed_origins + # response + assert response.status_code == 200 + assert response.json() == {"message": "Hello World"} + # response headers: cors + assert "access-control-allow-methods" not in response.headers + assert "access-control-allow-credentials" in response.headers + assert "access-control-max-age" not in response.headers + assert "access-control-allow-headers" not in response.headers + # response headers: cors: origin + assert "access-control-allow-origin" in response.headers + assert response.headers["access-control-allow-origin"] == origin_url + + def test_simple_response_with_not_allowed_origin(self, client): + origin_url = "https://example.com" + headers = { + "Origin": origin_url, + } + response = client.get("/", headers=headers) + assert origin_url not in self.allowed_origins + # response + assert response.status_code == 200 + assert response.json() == {"message": "Hello World"} + # response headers: cors + assert "access-control-allow-methods" not in response.headers + assert "access-control-allow-credentials" in response.headers + assert "access-control-max-age" not in response.headers + assert "access-control-allow-headers" not in response.headers + # response headers: cors: origin + assert "access-control-allow-origin" not in response.headers + + def test_non_cors_response(self, client): + response = client.get("/") + # response + assert response.status_code == 200, response.text + assert response.json() == {"message": "Hello World"} + # response headers: cors + assert "access-control-allow-methods" not in response.headers + assert "access-control-allow-credentials" not in response.headers + assert "access-control-max-age" not in response.headers + assert "access-control-allow-headers" not in response.headers + assert "access-control-allow-origin" not in response.headers From b11171019454b501c2ebc3d398858f7d03ab3914 Mon Sep 17 00:00:00 2001 From: alv2017 Date: Thu, 20 Mar 2025 12:42:38 +0200 Subject: [PATCH 2/3] tests/test_tutorial/test_cors/test_tutorial001.py: more preflight checks added --- tests/test_tutorial/test_cors/test_tutorial001.py | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/tests/test_tutorial/test_cors/test_tutorial001.py b/tests/test_tutorial/test_cors/test_tutorial001.py index b261d1209..9ce61735d 100644 --- a/tests/test_tutorial/test_cors/test_tutorial001.py +++ b/tests/test_tutorial/test_cors/test_tutorial001.py @@ -18,17 +18,19 @@ class TestCORS: headers = { "Origin": origin_url, "Access-Control-Request-Method": "GET", - "Access-Control-Request-Headers": "X-Example", + "Access-Control-Request-Headers": "X-Example-1, X-Example-2", } response = client.options("/", headers=headers) assert origin_url in self.allowed_origins # response assert response.status_code == 200 + assert response.text == "OK" # response headers: cors assert "access-control-allow-methods" in response.headers assert "access-control-allow-credentials" in response.headers assert "access-control-max-age" in response.headers assert "access-control-allow-headers" in response.headers + assert response.headers["access-control-allow-headers"] == "X-Example-1, X-Example-2" # response headers: cors: origin assert "access-control-allow-origin" in response.headers assert response.headers["access-control-allow-origin"] == origin_url @@ -38,17 +40,19 @@ class TestCORS: headers = { "Origin": origin_url, "Access-Control-Request-Method": "GET", - "Access-Control-Request-Headers": "X-Example", + "Access-Control-Request-Headers": "X-Example-1, X-Example-2", } response = client.options("/", headers=headers) assert origin_url not in self.allowed_origins # response assert response.status_code == 400 + assert response.text == "Disallowed CORS origin" # response headers: cors assert "access-control-allow-methods" in response.headers assert "access-control-allow-credentials" in response.headers assert "access-control-max-age" in response.headers assert "access-control-allow-headers" in response.headers + assert response.headers["access-control-allow-headers"] == "X-Example-1, X-Example-2" # response headers: cors: origin assert "access-control-allow-origin" not in response.headers From 807f17e18af29c328ea92921b5d71cc68d22304b Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Thu, 20 Mar 2025 10:44:43 +0000 Subject: [PATCH 3/3] =?UTF-8?q?=F0=9F=8E=A8=20[pre-commit.ci]=20Auto=20for?= =?UTF-8?q?mat=20from=20pre-commit.com=20hooks?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- tests/test_tutorial/test_cors/test_tutorial001.py | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/tests/test_tutorial/test_cors/test_tutorial001.py b/tests/test_tutorial/test_cors/test_tutorial001.py index 9ce61735d..89eea154b 100644 --- a/tests/test_tutorial/test_cors/test_tutorial001.py +++ b/tests/test_tutorial/test_cors/test_tutorial001.py @@ -30,7 +30,10 @@ class TestCORS: assert "access-control-allow-credentials" in response.headers assert "access-control-max-age" in response.headers assert "access-control-allow-headers" in response.headers - assert response.headers["access-control-allow-headers"] == "X-Example-1, X-Example-2" + assert ( + response.headers["access-control-allow-headers"] + == "X-Example-1, X-Example-2" + ) # response headers: cors: origin assert "access-control-allow-origin" in response.headers assert response.headers["access-control-allow-origin"] == origin_url @@ -52,7 +55,10 @@ class TestCORS: assert "access-control-allow-credentials" in response.headers assert "access-control-max-age" in response.headers assert "access-control-allow-headers" in response.headers - assert response.headers["access-control-allow-headers"] == "X-Example-1, X-Example-2" + assert ( + response.headers["access-control-allow-headers"] + == "X-Example-1, X-Example-2" + ) # response headers: cors: origin assert "access-control-allow-origin" not in response.headers