Add CORS live tests (#191)

devksingh4 · web-flow · commit 63eb78ac80ec · 2025-07-05T14:14:32.000-05:00
Run live CORS checks in QA environment to ensure that CORS responses are
correct for preflight and request, and that the right hosts are allowed
through.
diff --git a/tests/live/cors.test.ts b/tests/live/cors.test.ts
@@ -0,0 +1,95 @@
+import { describe, expect, test } from "vitest";
+import { getBaseEndpoint } from "./utils.js";
+
+const baseEndpoint = getBaseEndpoint();
+
+describe("CORS tests", async () => {
+  test("Events: Known URL is preflight allowed in CORS", async () => {
+    const response = await fetch(`${baseEndpoint}/api/v1/events`, {
+      method: "OPTIONS",
+      headers: {
+        "Access-Control-Request-Method": "GET",
+        Origin: "https://acmuiuc.pages.dev",
+      },
+    });
+    expect(response.status).toBe(204);
+    expect(response.headers.get("access-control-allow-origin")).toStrictEqual(
+      "https://acmuiuc.pages.dev",
+    );
+  });
+  test("Events: Known URL is allowed in CORS", async () => {
+    const response = await fetch(`${baseEndpoint}/api/v1/events`, {
+      headers: {
+        Origin: "https://acmuiuc.pages.dev",
+      },
+    });
+    expect(response.status).toBe(200);
+    expect(response.headers.get("access-control-allow-origin")).toStrictEqual(
+      "https://acmuiuc.pages.dev",
+    );
+  });
+  test("Events: Unknown URL is preflight not allowed in CORS", async () => {
+    const response = await fetch(`${baseEndpoint}/api/v1/events`, {
+      method: "OPTIONS",
+      headers: {
+        "Access-Control-Request-Method": "GET",
+        Origin: "https://google.com",
+      },
+    });
+    expect(response.status).toBe(204);
+    expect(response.headers).not.toHaveProperty("access-control-allow-origin");
+  });
+  test("Events: Unknown URL is not allowed in CORS", async () => {
+    const response = await fetch(`${baseEndpoint}/api/v1/events`, {
+      headers: {
+        Origin: "https://google.com",
+      },
+    });
+    expect(response.status).toBe(200);
+    expect(response.headers).not.toHaveProperty("access-control-allow-origin");
+  });
+  test("Membership: Known URL is allowed in CORS", async () => {
+    const response = await fetch(`${baseEndpoint}/api/v1/membership/zzzzzz`, {
+      headers: {
+        Origin: "https://acmuiuc.pages.dev",
+      },
+    });
+    expect(response.status).toBe(200);
+    expect(response.headers.get("access-control-allow-origin")).toStrictEqual(
+      "https://acmuiuc.pages.dev",
+    );
+  });
+  test("Membership: Known URL is preflight allowed in CORS", async () => {
+    const response = await fetch(`${baseEndpoint}/api/v1/membership/zzzzzz`, {
+      method: "OPTIONS",
+      headers: {
+        "Access-Control-Request-Method": "GET",
+        Origin: "https://acmuiuc.pages.dev",
+      },
+    });
+    expect(response.status).toBe(204);
+    expect(response.headers.get("access-control-allow-origin")).toStrictEqual(
+      "https://acmuiuc.pages.dev",
+    );
+  });
+  test("Membership: Unknown URL is not allowed in CORS", async () => {
+    const response = await fetch(`${baseEndpoint}/api/v1/membership/zzzzzz`, {
+      headers: {
+        Origin: "https://google.com",
+      },
+    });
+    expect(response.status).toBe(200);
+    expect(response.headers).not.toHaveProperty("access-control-allow-origin");
+  });
+  test("Membership: Unknown URL is preflight not allowed in CORS", async () => {
+    const response = await fetch(`${baseEndpoint}/api/v1/membership/zzzzzz`, {
+      method: "OPTIONS",
+      headers: {
+        "Access-Control-Request-Method": "GET",
+        Origin: "https://google.com",
+      },
+    });
+    expect(response.status).toBe(204);
+    expect(response.headers).not.toHaveProperty("access-control-allow-origin");
+  });
+});
