test(cors): add comprehensive PublicApiCors middleware tests #21

Merged
Snider merged 1 commit from test/public-api-cors into main 2026-02-21 00:01:57 +00:00

Summary

Closes #8

  • Tests for PublicApiCors middleware covering all CORS behaviour
  • OPTIONS preflight: returns 204, empty body, skips next handler
  • Regular requests: CORS headers added without altering response content
  • Origin echoing: request Origin echoed back; wildcard when absent
  • Allowed methods: GET, POST, OPTIONS
  • Allowed headers: Content-Type, Accept, X-Requested-With
  • Exposed headers: rate limit headers (X-RateLimit-*, Retry-After)
  • Cache headers: Access-Control-Max-Age: 3600, Vary: Origin
  • Security boundary: Access-Control-Allow-Credentials is intentionally absent

Test plan

  • Run ./vendor/bin/pest --filter=PublicApiCors and verify all tests pass
  • Confirm no credentials header is set (security check)
  • Confirm OPTIONS preflight does not reach the next handler

🤖 Generated with Claude Code

Clotho added 1 commit 2026-02-20 23:54:13 +00:00
test(cors): add comprehensive PublicApiCors middleware tests (#8)
Some checks are pending
CI / PHP 8.2 (pull_request) Waiting to run
CI / PHP 8.3 (pull_request) Waiting to run
CI / PHP 8.4 (pull_request) Waiting to run
CI / Assets (pull_request) Waiting to run
d6c00e4ba8
Tests cover:
- OPTIONS preflight returns 204 with no body and skips next handler
- CORS headers added to GET/POST responses
- Origin header echoed back; wildcard used when absent
- Correct allowed methods (GET, POST, OPTIONS)
- Correct allowed headers (Content-Type, Accept, X-Requested-With)
- Rate limit headers exposed to browser clients
- Max-Age 3600 and Vary: Origin for correct cache behaviour
- Access-Control-Allow-Credentials intentionally absent (security boundary)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Clotho was assigned by Charon 2026-02-21 00:01:13 +00:00
Snider merged commit d62d694a9f into main 2026-02-21 00:01:57 +00:00
Snider deleted branch test/public-api-cors 2026-02-21 00:01:57 +00:00
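
The header policy listed in the summary, expressed as a stand-alone audit over a response's headers. This is an added example, not code from this pull request or the project; the function name `auditPublicApiCors`, its signature and the sample response are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);
// Hypothetical audit helper (not project code): returns a list of deviations
// from the CORS policy stated in the PR summary; an empty list means conforming.
function auditPublicApiCors(array $headers, ?string $requestOrigin): array
{
    $h = array_change_key_case($headers, CASE_LOWER); // header names are case-insensitive
    // Split a comma-separated header value into a sorted, lower-cased token list.
    $tokens = static function (string $value): array {
        $list = array_filter(array_map('trim', explode(',', strtolower($value))), 'strlen');
        sort($list);
        return $list;
    };
    $violations = [];
    // Security boundary: an echoed Origin is only safe while credentials stay off.
    if (array_key_exists('access-control-allow-credentials', $h)) {
        $violations[] = 'Access-Control-Allow-Credentials must be absent';
    }
    // The request Origin is echoed back; "*" is used when the request had none.
    $expectedOrigin = $requestOrigin ?? '*';
    if (($h['access-control-allow-origin'] ?? null) !== $expectedOrigin) {
        $violations[] = "Access-Control-Allow-Origin should be {$expectedOrigin}";
    }
    // The allow-origin value differs per request, so caches must key on Origin.
    if (!in_array('origin', $tokens($h['vary'] ?? ''), true)) {
        $violations[] = 'Vary must include Origin';
    }
    $exact = [
        'access-control-allow-methods' => 'GET, POST, OPTIONS',
        'access-control-allow-headers' => 'Content-Type, Accept, X-Requested-With',
        'access-control-max-age'       => '3600',
    ];
    foreach ($exact as $name => $expected) {
        if ($tokens($h[$name] ?? '') !== $tokens($expected)) {
            $violations[] = "{$name} should be {$expected}";
        }
    }
    return $violations;
}

// Constructed sample response: origin echoed, but credentials enabled and Vary missing.
$sample = [
    'Access-Control-Allow-Origin'      => 'https://app.example',
    'Access-Control-Allow-Credentials' => 'true',
    'Access-Control-Allow-Methods'     => 'GET, POST, OPTIONS',
    'Access-Control-Allow-Headers'     => 'Content-Type, Accept, X-Requested-With',
    'Access-Control-Max-Age'           => '3600',
];
print_r(auditPublicApiCors($sample, 'https://app.example'));
```

The sample fails on the two items the test plan singles out as security-relevant: the credentials header is present, and `Vary: Origin` is missing even though the allowed origin changes per request.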