package tusd import ( "net/http" "net/http/httptest" "testing" ) func TestCORS(t *testing.T) { handler, _ := NewHandler(Config{}) // Test preflight request req, _ := http.NewRequest("OPTIONS", "", nil) req.Header.Set("Origin", "tus.io") w := httptest.NewRecorder() handler.ServeHTTP(w, req) if w.Code != http.StatusNoContent { t.Errorf("Expected 204 No Content for OPTIONS request (got %v)", w.Code) } headers := []string{ "Access-Control-Allow-Headers", "Access-Control-Allow-Methods", "Access-Control-Max-Age", } for _, header := range headers { if _, ok := w.HeaderMap[header]; !ok { t.Errorf("Header '%s' not contained in response", header) } } origin := w.HeaderMap.Get("Access-Control-Allow-Origin") if origin != "tus.io" { t.Errorf("Allowed origin not 'tus.io' but '%s'", origin) } // Test actual request req, _ = http.NewRequest("GET", "", nil) req.Header.Set("Origin", "tus.io") w = httptest.NewRecorder() handler.ServeHTTP(w, req) origin = w.HeaderMap.Get("Access-Control-Allow-Origin") if origin != "tus.io" { t.Errorf("Allowed origin not 'tus.io' but '%s'", origin) } if _, ok := w.HeaderMap["Access-Control-Expose-Headers"]; !ok { t.Error("Expose-Headers not contained in response") } }