allow local dev origins on api

2026-06-13 11:07:53 -04:00 · 2026-06-13 11:07:53 -04:00 · 7e095b51f6
commit 7e095b51f6
parent 4446b228d7
5 changed files with 213 additions and 6 deletions
--- a/services/api/tests/cors.test.ts
+++ b/services/api/tests/cors.test.ts
@ -0,0 +1,81 @@
+import { describe, expect, it } from "bun:test";
+import {
+  createCorsPreflightResponse,
+  parseCorsAllowedOrigins,
+  resolveCorsOrigin,
+  withCorsHeaders
+} from "../src/cors";
+
+describe("api cors helpers", () => {
+  const allowedOrigins = parseCorsAllowedOrigins(
+    "https://flow.deltaisland.io, http://127.0.0.1:3000/, http://localhost:3100"
+  );
+
+  it("normalizes configured origins", () => {
+    expect(allowedOrigins.has("https://flow.deltaisland.io")).toBe(true);
+    expect(allowedOrigins.has("http://127.0.0.1:3000")).toBe(true);
+    expect(allowedOrigins.has("http://localhost:3100")).toBe(true);
+    expect(allowedOrigins.has("http://127.0.0.1:3000/")).toBe(false);
+  });
+
+  it("reflects allowed browser origins", () => {
+    const req = new Request("https://api.flow.deltaisland.io/prints/options", {
+      headers: {
+        origin: "http://127.0.0.1:3000"
+      }
+    });
+
+    expect(resolveCorsOrigin(req, allowedOrigins)).toBe("http://127.0.0.1:3000");
+  });
+
+  it("does not reflect unknown origins", () => {
+    const req = new Request("https://api.flow.deltaisland.io/prints/options", {
+      headers: {
+        origin: "http://evil.example"
+      }
+    });
+
+    expect(resolveCorsOrigin(req, allowedOrigins)).toBeNull();
+  });
+
+  it("adds cors headers to normal responses for allowed origins", async () => {
+    const req = new Request("https://api.flow.deltaisland.io/health", {
+      headers: {
+        origin: "https://flow.deltaisland.io"
+      }
+    });
+    const response = withCorsHeaders(
+      req,
+      new Response(JSON.stringify({ status: "ok" }), {
+        headers: {
+          "content-type": "application/json"
+        }
+      }),
+      allowedOrigins
+    );
+
+    expect(response.headers.get("access-control-allow-origin")).toBe("https://flow.deltaisland.io");
+    expect(response.headers.get("vary")).toBe("Origin");
+    expect(response.headers.get("content-type")).toBe("application/json");
+    expect(await response.json()).toEqual({ status: "ok" });
+  });
+
+  it("answers preflight requests for allowed origins", () => {
+    const req = new Request("https://api.flow.deltaisland.io/lookup/options-support", {
+      method: "OPTIONS",
+      headers: {
+        origin: "http://localhost:3100",
+        "access-control-request-method": "POST",
+        "access-control-request-headers": "content-type,authorization"
+      }
+    });
+    const response = createCorsPreflightResponse(req, allowedOrigins);
+
+    expect(response.status).toBe(204);
+    expect(response.headers.get("access-control-allow-origin")).toBe("http://localhost:3100");
+    expect(response.headers.get("access-control-allow-methods")).toContain("POST");
+    expect(response.headers.get("access-control-allow-headers")).toBe(
+      "content-type,authorization"
+    );
+  });
+});