(t *testing.T)
| 10 | ) |
| 11 | |
| 12 | func TestSetCorsHeaders(t *testing.T) { |
| 13 | inner := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { |
| 14 | w.WriteHeader(http.StatusOK) |
| 15 | }) |
| 16 | handler := middleware.SetCorsHeaders(inner) |
| 17 | |
| 18 | t.Run("OPTIONS preflight returns 200 with CORS headers", func(t *testing.T) { |
| 19 | req := httptest.NewRequest(http.MethodOptions, "/", nil) |
| 20 | req.Header.Set("Origin", "http://localhost:6274") |
| 21 | rr := httptest.NewRecorder() |
| 22 | handler.ServeHTTP(rr, req) |
| 23 | |
| 24 | assert.Equal(t, http.StatusOK, rr.Code) |
| 25 | assert.Equal(t, "*", rr.Header().Get("Access-Control-Allow-Origin")) |
| 26 | assert.Contains(t, rr.Header().Get("Access-Control-Allow-Methods"), "POST") |
| 27 | assert.Contains(t, rr.Header().Get("Access-Control-Allow-Headers"), "Authorization") |
| 28 | assert.Contains(t, rr.Header().Get("Access-Control-Allow-Headers"), "Content-Type") |
| 29 | assert.Contains(t, rr.Header().Get("Access-Control-Allow-Headers"), "Mcp-Session-Id") |
| 30 | assert.Contains(t, rr.Header().Get("Access-Control-Allow-Headers"), "X-MCP-Lockdown") |
| 31 | assert.Contains(t, rr.Header().Get("Access-Control-Allow-Headers"), "X-MCP-Insiders") |
| 32 | assert.Contains(t, rr.Header().Get("Access-Control-Expose-Headers"), "Mcp-Session-Id") |
| 33 | assert.Contains(t, rr.Header().Get("Access-Control-Expose-Headers"), "WWW-Authenticate") |
| 34 | }) |
| 35 | |
| 36 | t.Run("POST request includes CORS headers", func(t *testing.T) { |
| 37 | req := httptest.NewRequest(http.MethodPost, "/", nil) |
| 38 | req.Header.Set("Origin", "http://localhost:6274") |
| 39 | rr := httptest.NewRecorder() |
| 40 | handler.ServeHTTP(rr, req) |
| 41 | |
| 42 | assert.Equal(t, http.StatusOK, rr.Code) |
| 43 | assert.Equal(t, "*", rr.Header().Get("Access-Control-Allow-Origin")) |
| 44 | }) |
| 45 | } |
nothing calls this directly
no test coverage detected