From 0681e54cf1f72ad77ccdcc438f69635adc19128c Mon Sep 17 00:00:00 2001
From: Piotr Sarnacki
Date: Fri, 20 Sep 2013 12:47:14 +0200
Subject: [PATCH] Run CORS middleware in development
---
 lib/travis/api/app.rb | 2 ++
 lib/travis/api/app/cors.rb | 20 +++++++++++++++
 spec/unit/cors_spec.rb | 50 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 72 insertions(+)
 create mode 100644 lib/travis/api/app/cors.rb
 create mode 100644 spec/unit/cors_spec.rb
diff --git a/lib/travis/api/app.rb b/lib/travis/api/app.rb
index 7cfdc659..023ff2c7 100644
--- a/lib/travis/api/app.rb
+++ b/lib/travis/api/app.rb
@@ -31,6 +31,7 @@ module Travis::Api
 autoload :Helpers, 'travis/api/app/helpers'
 autoload :Middleware, 'travis/api/app/middleware'
 autoload :Responders, 'travis/api/app/responders'
+ autoload :Cors, 'travis/api/app/cors'
 Rack.autoload :SSL, 'rack/ssl'
@@ -79,6 +80,7 @@ module Travis::Api
 [ 420, {}, ['Enhance Your Calm']]
 end
+ use Travis::Api::App::Cors unless Endpoint.production?
 use Raven::Rack if Endpoint.production?
 use Rack::Protection::PathTraversal
 use Rack::SSL if Endpoint.production?
diff --git a/lib/travis/api/app/cors.rb b/lib/travis/api/app/cors.rb
new file mode 100644
index 00000000..781efc00
--- /dev/null
+++ b/lib/travis/api/app/cors.rb
@@ -0,0 +1,20 @@
+require 'travis/api/app'
+
+class Travis::Api::App
+ # Implements Cross-Origin Resource Sharing. Supported by all major browsers.
+ # See http://www.w3.org/TR/cors/
+ #
+ # TODO: Be smarter about origin.
+ class Cors < Base
+ before do
+ headers['Access-Control-Allow-Origin'] = "*"
+ headers['Access-Control-Allow-Credentials'] = "true"
+ headers['Access-Control-Expose-Headers'] = "Content-Type, Cache-Control, Expires, Etag, Last-Modified"
+ end
+
+ options // do
+ headers['Access-Control-Allow-Methods'] = "HEAD, GET, POST, PATCH, PUT, DELETE"
+ headers['Access-Control-Allow-Headers'] = "Content-Type, Authorization, Accept, If-None-Match, If-Modified-Since"
+ end
+ end
+end
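Review bot: `unless Endpoint.production?` mounts the wildcard CORS middleware in every environment that is not production, which is wider than the "development" in the commit title: staging, test, and any deployment whose environment is unset or misspelled would also answer with `Access-Control-Allow-Origin: *`. `Endpoint.production?` is defined outside this hunk, so how it treats an unset environment is not visible here. Consider a comment on the new line saying where production gets its CORS headers, for example `# production CORS headers are set outside this app (confirm); every other environment uses Cors`, so the default-on behaviour is a documented choice.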
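Review bot: The `before` block sends `Access-Control-Allow-Credentials: "true"` together with `Access-Control-Allow-Origin: "*"`, a pair browsers refuse for credentialed requests, so the credentials header has no effect as written. The risk lies in the follow-up the TODO invites: if the wildcard is later replaced by echoing the request's `Origin` while credentials stay enabled, any site could read authenticated responses. I would drop the credentials line now and extend the TODO to `# TODO: Be smarter about origin: match Origin against an allowlist and send Vary: Origin`. The spec in spec/unit/cors_spec.rb pins the same two values and would change with it.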
diff --git a/spec/unit/cors_spec.rb b/spec/unit/cors_spec.rb
new file mode 100644
index 00000000..83e79914
--- /dev/null
+++ b/spec/unit/cors_spec.rb
@@ -0,0 +1,50 @@
+require 'spec_helper'
+
+describe Travis::Api::App::Cors do
+ before do
+ mock_app do
+ use Travis::Api::App::Cors
+ get('/check_cors') { 'ok' }
+ end
+ end
+
+ describe 'normal request' do
+ before { get('/check_cors').should be_ok }
+
+ it 'sets Access-Control-Allow-Origin' do
+ headers['Access-Control-Allow-Origin'].should == "*"
+ end
+
+ it 'sets Access-Control-Allow-Credentials' do
+ headers['Access-Control-Allow-Credentials'].should == "true"
+ end
+
+ it 'sets Access-Control-Expose-Headers' do
+ headers['Access-Control-Expose-Headers'].should == "Content-Type, Cache-Control, Expires, Etag, Last-Modified"
+ end
+ end
+
+ describe 'OPTIONS requests' do
+ before { options('/').should be_ok }
+
+ it 'sets Access-Control-Allow-Origin' do
+ headers['Access-Control-Allow-Origin'].should == "*"
+ end
+
+ it 'sets Access-Control-Allow-Credentials' do
+ headers['Access-Control-Allow-Credentials'].should == "true"
+ end
+
+ it 'sets Access-Control-Expose-Headers' do
+ headers['Access-Control-Expose-Headers'].should == "Content-Type, Cache-Control, Expires, Etag, Last-Modified"
+ end
+
+ it 'sets Access-Control-Allow-Methods' do
+ headers['Access-Control-Allow-Methods'].should == "HEAD, GET, POST, PATCH, PUT, DELETE"
+ end
+
+ it 'sets Access-Control-Allow-Headers' do
+ headers['Access-Control-Allow-Headers'].should == "Content-Type, Authorization, Accept, If-None-Match, If-Modified-Since"
+ end
+ end
+end
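Review bot: The preflight examples only request `options('/')`, although the route in cors.rb is the empty regex `//`, which is presumably meant to answer for every path. An example against a non-root path, e.g. `before { options('/check_cors').should be_ok }` in a second context, would confirm that a real endpoint's preflight receives the Allow-Methods and Allow-Headers values. None of the examples sends an `Origin` header, so the spec would not notice if origin handling changes later.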