Infrastructure/ghost
0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2025-03-18 02:21:47 -05:00
Code Issues Activity

Added a test suite for OPTIONS requests

Browse source 
refs https://github.com/TryGhost/Toolbox/issues/461

- The codebase has ambiguous behavior with OPTIONS request. Adding tests covering edge cases for all possible variations of OPTIONS responses is the first step to solving cahceability of these requests.
- The obvious question if you look into the changeset itself would also be: "WTF did you do with test suite naming? What are these changes in admin and click tracking suites? You having a bad day Naz?". The answer is "yes"  (╯°□°)╯︵ ┻━┻
- On a serious note. I've introduced multiple hacks here that should be fixed:
1. Forced test suite execution order for options request - extreme blasphemy. This was last resort decision. I went deep into trying to fixup the server shutdown in the "admin" test suite, which cascaded into failing "click tracking" suite, which has shortcomings on it's own (see notes left in that suite)
2. Exposed "ghostServer" from the e2e-framework's "getAgentsWithFrontend" method. Exposing ghostServer to be able to shut it down (or do other manipulations) was one of the pitfalls we had in the previous test utils, which ended up plaguing the test codebase. Ideally the framework should only be exposing the agents and the rest would happen behind the scenes.
- To fix the hacks above I've raised a cleanup issue (https://github.com/TryGhost/Toolbox/issues/471). I'm very sorry for this mess. The issue at hand has very little to do with fixing the e2e framework, so leaving things "as is".
This commit is contained in:
Naz 2022-11-02 13:10:49 +08:00 committed by naz
parent 5fe80c82c5
commit 26b0bbc623
5 changed files with 281 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
ghost/core/test/e2e-frontend/preview_routes.test.js
View file

@ -34,6 +34,10 @@ describe('Frontend Routing: Preview Routes', function () {
request = supertest.agent(config.get('url'));
});
after(async function () {
await testUtils.stopGhost();
});
before(addPosts);
it('should display draft posts accessed via uuid', async function () {

157
ghost/core/test/e2e-server/1-options-requests.test.js Normal file
View file

@ -0,0 +1,157 @@
const assert = require('assert');
const {agentProvider} = require('../utils/e2e-framework');
const config = require('../../core/shared/config');
describe('OPTIONS requests', function () {
let adminAgent;
let membersAgent;
let frontendAgent;
let contentAPIAgent;
let ghostServer;
before(async function () {
const agents = await agentProvider.getAgentsWithFrontend();
adminAgent = agents.adminAgent;
membersAgent = agents.membersAgent;
frontendAgent = agents.frontendAgent;
contentAPIAgent = agents.contentAPIAgent;
ghostServer = agents.ghostServer;
});
after(async function () {
await ghostServer.stop();
});
describe('CORS headers in Admin API', function () {
it('Handles same origin request', async function () {
await adminAgent
.options('site')
.expectStatus(204)
.matchHeaderSnapshot();
});
it('Rejects no origin header request', async function () {
await adminAgent
.options('site', {
headers: {
origin: null
}
})
.expectStatus(200)
.matchHeaderSnapshot();
});
it('Rejects unsupported origin header request', async function () {
await adminAgent
.options('site', {
headers: {
origin: 'https://otherdomain.tld/'
}
})
.expectStatus(200)
.matchHeaderSnapshot();
});
});
describe('CORS headers in Members API', function () {
it('Responds with no referer vary header value when same referer', async function () {
await membersAgent
.options('member')
.expectStatus(204)
.matchHeaderSnapshot();
});
it('Does not allow CORS with when no origin is present in the request', async function () {
await membersAgent
.options('member', {
headers: {
origin: null
}
})
.expectStatus(204)
.matchHeaderSnapshot();
});
it('Responds with no referer vary header value when different referer', async function () {
await membersAgent
.options('member', {
headers: {
origin: 'https://otherdomain.tld/'
}
})
.expectStatus(204)
.matchHeaderSnapshot();
});
});
describe('CORS headers in Frontend', function () {
it('Responds with no referer vary header value when same referer', async function () {
const res = await frontendAgent
.set('Origin', config.get('url'))
.options('/')
.expect(204);
assert.equal(res.headers['access-control-allow-origin'], 'http://127.0.0.1:2369');
assert.equal(res.headers['access-control-allow-credentials'], 'true');
assert.equal(res.headers['access-control-allow-methods'], 'GET,HEAD,PUT,PATCH,POST,DELETE');
assert.equal(res.headers['access-control-max-age'], '86400');
assert.equal(res.headers.vary, 'Origin, Access-Control-Request-Headers');
assert.equal(res.headers['cache-control'], undefined);
assert.equal(res.headers.allow, undefined);
});
it('Does not allow CORS with when no origin is present in the request', async function () {
const res = await frontendAgent
.options('/')
.set('origin', null)
.expect(200);
assert.equal(res.headers['cache-control'], 'public, max-age=0');
assert.equal(res.headers.vary, 'Accept-Encoding');
assert.equal(res.headers.allow, 'POST,GET,HEAD');
});
it('Responds with no referer vary header value when different referer', async function () {
const res = await frontendAgent
.options('/')
.set('origin', 'https://otherdomain.tld/')
.expect(200);
assert.equal(res.headers['cache-control'], 'public, max-age=0');
assert.equal(res.headers.vary, 'Accept-Encoding');
assert.equal(res.headers.allow, 'POST,GET,HEAD');
});
});
describe('CORS headers in Content API', function () {
it('Responds with no referer vary header value when same referer', async function () {
await contentAPIAgent
.options('site')
.expectStatus(204)
.matchHeaderSnapshot();
});
it('Does not allow CORS with when no origin is present in the request', async function () {
await contentAPIAgent
.options('site', {
headers: {
origin: null
}
})
.expectStatus(204)
.matchHeaderSnapshot();
});
it('Responds with no referer vary header value when different referer', async function () {
await contentAPIAgent
.options('site', {
headers: {
origin: 'https://otherdomain.tld/'
}
})
.expectStatus(204)
.matchHeaderSnapshot();
});
});
});

109
ghost/core/test/e2e-server/__snapshots__/1-options-requests.test.js.snap Normal file
View file

@ -0,0 +1,109 @@
// Jest Snapshot v1, https://goo.gl/fbAQLP
exports[`OPTIONS requests CORS headers in Admin API Handles same origin request 1: [headers] 1`] = `
Object {
"access-control-allow-methods": "GET,HEAD,PUT,PATCH,POST,DELETE",
"access-control-allow-origin": "http://127.0.0.1:2369",
"access-control-max-age": "86400",
"cache-control": "no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0",
"content-length": "0",
"vary": "Accept-Version, Origin, Access-Control-Request-Headers",
"x-powered-by": "Express",
}
`;
exports[`OPTIONS requests CORS headers in Admin API Rejects no origin header request 1: [headers] 1`] = `
Object {
"allow": "GET,HEAD",
"cache-control": "no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0",
"content-length": "8",
"content-type": "text/html; charset=utf-8",
"etag": "W/\\"8-ZRAf8oNBS3Bjb/SU2GYZCmbtmXg\\"",
"vary": "Accept-Version, Accept-Encoding",
"x-powered-by": "Express",
}
`;
exports[`OPTIONS requests CORS headers in Admin API Rejects unsupported origin header request 1: [headers] 1`] = `
Object {
"allow": "GET,HEAD",
"cache-control": "no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0",
"content-length": "8",
"content-type": "text/html; charset=utf-8",
"etag": "W/\\"8-ZRAf8oNBS3Bjb/SU2GYZCmbtmXg\\"",
"vary": "Accept-Version, Accept-Encoding",
"x-powered-by": "Express",
}
`;
exports[`OPTIONS requests CORS headers in Content API Does not allow CORS with when no origin is present in the request 1: [headers] 1`] = `
Object {
"access-control-allow-methods": "GET,HEAD,PUT,PATCH,POST,DELETE",
"access-control-allow-origin": "*",
"access-control-max-age": "86400",
"cache-control": "public, max-age=0",
"content-length": "0",
"vary": "Accept-Version, Access-Control-Request-Headers",
"x-powered-by": "Express",
}
`;
exports[`OPTIONS requests CORS headers in Content API Responds with no referer vary header value when different referer 1: [headers] 1`] = `
Object {
"access-control-allow-methods": "GET,HEAD,PUT,PATCH,POST,DELETE",
"access-control-allow-origin": "*",
"access-control-max-age": "86400",
"cache-control": "public, max-age=0",
"content-length": "0",
"vary": "Accept-Version, Access-Control-Request-Headers",
"x-powered-by": "Express",
}
`;
exports[`OPTIONS requests CORS headers in Content API Responds with no referer vary header value when same referer 1: [headers] 1`] = `
Object {
"access-control-allow-methods": "GET,HEAD,PUT,PATCH,POST,DELETE",
"access-control-allow-origin": "*",
"access-control-max-age": "86400",
"cache-control": "public, max-age=0",
"content-length": "0",
"vary": "Accept-Version, Access-Control-Request-Headers",
"x-powered-by": "Express",
}
`;
exports[`OPTIONS requests CORS headers in Members API Does not allow CORS with when no origin is present in the request 1: [headers] 1`] = `
Object {
"access-control-allow-methods": "GET,HEAD,PUT,PATCH,POST,DELETE",
"access-control-allow-origin": "*",
"access-control-max-age": "86400",
"cache-control": "no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0",
"content-length": "0",
"vary": "Access-Control-Request-Headers",
"x-powered-by": "Express",
}
`;
exports[`OPTIONS requests CORS headers in Members API Responds with no referer vary header value when different referer 1: [headers] 1`] = `
Object {
"access-control-allow-methods": "GET,HEAD,PUT,PATCH,POST,DELETE",
"access-control-allow-origin": "*",
"access-control-max-age": "86400",
"cache-control": "no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0",
"content-length": "0",
"vary": "Access-Control-Request-Headers",
"x-powered-by": "Express",
}
`;
exports[`OPTIONS requests CORS headers in Members API Responds with no referer vary header value when same referer 1: [headers] 1`] = `
Object {
"access-control-allow-methods": "GET,HEAD,PUT,PATCH,POST,DELETE",
"access-control-allow-origin": "*",
"access-control-max-age": "86400",
"cache-control": "no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0",
"content-length": "0",
"vary": "Access-Control-Request-Headers",
"x-powered-by": "Express",
}
`;

2
ghost/core/test/e2e-server/click-tracking.test.js
View file

@ -3,6 +3,8 @@ const fetch = require('node-fetch').default;
const {agentProvider, mockManager, fixtureManager} = require('../utils/e2e-framework');
const urlUtils = require('../../core/shared/url-utils');
// @NOTE: this test suite cannot be run in isolation - most likely because it needs
// to have full frontend part of Ghost initialized, not just the backend
describe('Click Tracking', function () {
let agent;

13
ghost/core/test/utils/e2e-framework.js
View file

@ -293,10 +293,11 @@ const getAgentsForMembers = async () => {
/**
* @NOTE: for now method returns a supertest agent for Frontend instead of test agent with snapshot support.
* frontendAgent should be returning an instance of TestAgent.
* @returns {Promise<{adminAgent: InstanceType<AdminAPITestAgent>, membersAgent: InstanceType<MembersAPITestAgent>, frontendAgent: InstanceType<supertest.SuperAgentTest>, contentAPIAgent: InstanceType<ContentAPITestAgent>}>} agents
* frontendAgent should be returning an instance of TestAgent (related: https://github.com/TryGhost/Toolbox/issues/471)
* @returns {Promise<{adminAgent: InstanceType<AdminAPITestAgent>, membersAgent: InstanceType<MembersAPITestAgent>, frontendAgent: InstanceType<supertest.SuperAgentTest>, contentAPIAgent: InstanceType<ContentAPITestAgent>, ghostServer: Express.Application}>} agents
*/
const getAgentsWithFrontend = async () => {
let ghostServer;
let membersAgent;
let adminAgent;
let frontendAgent;
@ -307,7 +308,9 @@ const getAgentsWithFrontend = async () => {
server: true
};
try {
const app = (await startGhost(bootOptions)).rootApp;
ghostServer = await startGhost(bootOptions);
const app = ghostServer.rootApp;
const originURL = configUtils.config.get('url');
membersAgent = new MembersAPITestAgent(app, {
@ -332,7 +335,9 @@ const getAgentsWithFrontend = async () => {
adminAgent,
membersAgent,
frontendAgent,
contentAPIAgent
contentAPIAgent,
// @NOTE: ghost server should not be exposed ideally, it's a hack (see commit message)
ghostServer
};
};