(
test_client_factory: TestClientFactory,
)
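def test_cors_allow_all(
    test_client_factory: TestClientFactory,
) -> None:
    """Exercise CORSMiddleware configured to allow every origin, header and method.

    The middleware is set up with wildcard origins, headers and methods and
    ``allow_credentials=True``. The assertions pin the resulting behaviour:
    the pre-flight and simple responses echo the caller's ``Origin`` value
    instead of a literal ``*`` and carry
    ``Access-Control-Allow-Credentials: true``.

    Security relevance: with this combination any origin that sends a request
    gets a credentialed CORS grant, so the configuration is equivalent to
    trusting every website with the user's cookies. The test documents that
    behaviour; deployments that rely on cookies or other ambient credentials
    normally want an explicit origin allowlist rather than ``["*"]``.

    Args:
        test_client_factory: Fixture that builds a test client for the app.
    """

    def homepage(request: Request) -> PlainTextResponse:
        return PlainTextResponse("Homepage", status_code=200)

    app = Starlette(
        routes=[Route("/", endpoint=homepage)],
        middleware=[
            Middleware(
                CORSMiddleware,
                allow_origins=["*"],
                allow_headers=["*"],
                allow_methods=["*"],
                expose_headers=["X-Status"],
                allow_credentials=True,
            )
        ],
    )

    client = test_client_factory(app)

    # Test pre-flight response
    headers = {
        "Origin": "https://example.org",
        "Access-Control-Request-Method": "GET",
        "Access-Control-Request-Headers": "X-Example",
    }
    response = client.options("/", headers=headers)
    assert response.status_code == 200
    assert response.text == "OK"
    # The request origin is reflected rather than "*", and the requested
    # header list is mirrored back.
    assert response.headers["access-control-allow-origin"] == "https://example.org"
    assert response.headers["access-control-allow-headers"] == "X-Example"
    assert response.headers["access-control-allow-credentials"] == "true"
    # Because the allow-origin value depends on the request, caches must key
    # on Origin.
    assert response.headers["vary"] == "Origin"

    # Test standard response
    headers = {"Origin": "https://example.org"}
    response = client.get("/", headers=headers)
    assert response.status_code == 200
    assert response.text == "Homepage"
    assert response.headers["access-control-allow-origin"] == "https://example.org"
    assert response.headers["access-control-expose-headers"] == "X-Status"
    assert response.headers["access-control-allow-credentials"] == "true"

    # Test standard credentialed response
    headers = {"Origin": "https://example.org", "Cookie": "star_cookie=sugar"}
    response = client.get("/", headers=headers)
    assert response.status_code == 200
    assert response.text == "Homepage"
    assert response.headers["access-control-allow-origin"] == "https://example.org"
    assert response.headers["access-control-expose-headers"] == "X-Status"
    assert response.headers["access-control-allow-credentials"] == "true"

    # Test non-CORS response
    response = client.get("/")
    assert response.status_code == 200
    assert response.text == "Homepage"
    # A request without an Origin header is not a CORS request, so no CORS
    # grant headers should be attached to it.
    assert "access-control-allow-origin" not in response.headers
    assert "access-control-allow-credentials" not in response.headers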