Run CORS middleware in development

2013-09-20 12:47:14 +02:00 · 2013-09-20 12:47:14 +02:00 · 0681e54cf1
commit 0681e54cf1
parent d6684dd441
3 changed files with 72 additions and 0 deletions
--- a/lib/travis/api/app.rb
+++ b/lib/travis/api/app.rb
@ -31,6 +31,7 @@ module Travis::Api
    autoload :Helpers,      'travis/api/app/helpers'
    autoload :Middleware,   'travis/api/app/middleware'
    autoload :Responders,   'travis/api/app/responders'
+    autoload :Cors,         'travis/api/app/cors'

    Rack.autoload :SSL, 'rack/ssl'

@ -79,6 +80,7 @@ module Travis::Api
          [ 420, {}, ['Enhance Your Calm']]
        end

+        use Travis::Api::App::Cors unless Endpoint.production?
        use Raven::Rack if Endpoint.production?
        use Rack::Protection::PathTraversal
        use Rack::SSL if Endpoint.production?
--- a/lib/travis/api/app/cors.rb
+++ b/lib/travis/api/app/cors.rb
@ -0,0 +1,20 @@
+require 'travis/api/app'
+
+class Travis::Api::App
+  # Implements Cross-Origin Resource Sharing. Supported by all major browsers.
+  # See http://www.w3.org/TR/cors/
+  #
+  # TODO: Be smarter about origin.
+  class Cors < Base
+    before do
+      headers['Access-Control-Allow-Origin']      = "*"
+      headers['Access-Control-Allow-Credentials'] = "true"
+      headers['Access-Control-Expose-Headers']    = "Content-Type, Cache-Control, Expires, Etag, Last-Modified"
+    end
+
+    options // do
+      headers['Access-Control-Allow-Methods'] = "HEAD, GET, POST, PATCH, PUT, DELETE"
+      headers['Access-Control-Allow-Headers'] = "Content-Type, Authorization, Accept, If-None-Match, If-Modified-Since"
+    end
+  end
+end
--- a/spec/unit/cors_spec.rb
+++ b/spec/unit/cors_spec.rb
@ -0,0 +1,50 @@
+require 'spec_helper'
+
+describe Travis::Api::App::Cors do
+  before do
+    mock_app do
+      use Travis::Api::App::Cors
+      get('/check_cors') { 'ok' }
+    end
+  end
+
+  describe 'normal request' do
+    before { get('/check_cors').should be_ok }
+
+    it 'sets Access-Control-Allow-Origin' do
+      headers['Access-Control-Allow-Origin'].should == "*"
+    end
+
+    it 'sets Access-Control-Allow-Credentials' do
+      headers['Access-Control-Allow-Credentials'].should == "true"
+    end
+
+    it 'sets Access-Control-Expose-Headers' do
+      headers['Access-Control-Expose-Headers'].should == "Content-Type, Cache-Control, Expires, Etag, Last-Modified"
+    end
+  end
+
+  describe 'OPTIONS requests' do
+    before { options('/').should be_ok }
+
+    it 'sets Access-Control-Allow-Origin' do
+      headers['Access-Control-Allow-Origin'].should == "*"
+    end
+
+    it 'sets Access-Control-Allow-Credentials' do
+      headers['Access-Control-Allow-Credentials'].should == "true"
+    end
+
+    it 'sets Access-Control-Expose-Headers' do
+      headers['Access-Control-Expose-Headers'].should == "Content-Type, Cache-Control, Expires, Etag, Last-Modified"
+    end
+
+    it 'sets Access-Control-Allow-Methods' do
+      headers['Access-Control-Allow-Methods'].should == "HEAD, GET, POST, PATCH, PUT, DELETE"
+    end
+
+    it 'sets Access-Control-Allow-Headers' do
+      headers['Access-Control-Allow-Headers'].should == "Content-Type, Authorization, Accept, If-None-Match, If-Modified-Since"
+    end
+  end
+end