core/php-api
8
0
Fork 0
Code Issues 17 Pull requests Projects Releases Packages Wiki Activity Actions 2

test(cors): add comprehensive PublicApiCors middleware tests #21

Merged
Snider merged 1 commit from test/public-api-cors into main 2026-02-21 00:01:57 +00:00
Conversation 0 Commits 1 Files changed 1 +363
Clotho commented 2026-02-20 23:54:13 +00:00
Member
Copy link

Summary

Closes #8

  • Tests for PublicApiCors middleware covering all CORS behaviour
  • OPTIONS preflight: returns 204, empty body, skips next handler
  • Regular requests: CORS headers added without altering response content
  • Origin echoing: request Origin echoed back; wildcard when absent
  • Allowed methods: GET, POST, OPTIONS
  • Allowed headers: Content-Type, Accept, X-Requested-With
  • Exposed headers: rate limit headers (X-RateLimit-*, Retry-After)
  • Cache headers: Access-Control-Max-Age: 3600, Vary: Origin
  • Security boundary: Access-Control-Allow-Credentials is intentionally absent

Test plan

  • Run ./vendor/bin/pest --filter=PublicApiCors and verify all tests pass
  • Confirm no credentials header is set (security check)
  • Confirm OPTIONS preflight does not reach the next handler

🤖 Generated with Claude Code

## Summary Closes #8 - Tests for `PublicApiCors` middleware covering all CORS behaviour - OPTIONS preflight: returns 204, empty body, skips next handler - Regular requests: CORS headers added without altering response content - Origin echoing: request Origin echoed back; wildcard when absent - Allowed methods: `GET, POST, OPTIONS` - Allowed headers: `Content-Type, Accept, X-Requested-With` - Exposed headers: rate limit headers (`X-RateLimit-*`, `Retry-After`) - Cache headers: `Access-Control-Max-Age: 3600`, `Vary: Origin` - Security boundary: `Access-Control-Allow-Credentials` is intentionally absent ## Test plan - [ ] Run `./vendor/bin/pest --filter=PublicApiCors` and verify all tests pass - [ ] Confirm no credentials header is set (security check) - [ ] Confirm OPTIONS preflight does not reach the next handler 🤖 Generated with [Claude Code](https://claude.com/claude-code)
👍 1
Clotho added 1 commit 2026-02-20 23:54:13 +00:00
test(cors): add comprehensive PublicApiCors middleware tests (#8)
Some checks are pending
CI / PHP 8.2 (pull_request) Waiting to run
Details
CI / PHP 8.3 (pull_request) Waiting to run
Details
CI / PHP 8.4 (pull_request) Waiting to run
Details
CI / Assets (pull_request) Waiting to run
Details
d6c00e4ba8 
Tests cover:
- OPTIONS preflight returns 204 with no body and skips next handler
- CORS headers added to GET/POST responses
- Origin header echoed back; wildcard used when absent
- Correct allowed methods (GET, POST, OPTIONS)
- Correct allowed headers (Content-Type, Accept, X-Requested-With)
- Rate limit headers exposed to browser clients
- Max-Age 3600 and Vary: Origin for correct cache behaviour
- Access-Control-Allow-Credentials intentionally absent (security boundary)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Clotho was assigned by Charon 2026-02-21 00:01:13 +00:00
Snider merged commit d62d694a9f into main 2026-02-21 00:01:57 +00:00
Snider deleted branch test/public-api-cors 2026-02-21 00:01:57 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
P1

Priority 1 - Critical

  
P2

Priority 2 - Important

  
P3

Priority 3 - Nice to have

  
PHP

PHP codebase

  
agent-ready

   
bug

Bug fix

  
clotho

Assigned to Clotho AI agent

  
discovery

Auto-discovered by agent

  
docs

Documentation

  
epic

   
refactor

Code quality refactoring

  
review

Needs human review

  
security

Security hardening

  
testing

Test coverage

  
athena

Assign to Athena AI agent (M3 Ultra)

  
athena-gemini

Dispatch to Gemini CLI on M3 Ultra

  
audit

Code audit task

  
clotho

Assign to Clotho AI agent for processing

  
clotho-gemini

Dispatch to Gemini CLI on darbs (AU)

  
codex

Dispatch to Codex CLI on gateway for analysis

  
darbs-claude

Dispatch to Claude on darbs (AU)

  
security

Security review task

  
wiki

Documentation/wiki update

No labels
P1
P2
P3
PHP
agent-ready
bug
clotho
discovery
docs
epic
refactor
review
security
testing
athena
athena-gemini
audit
clotho
clotho-gemini
codex
darbs-claude
security
wiki
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
Clotho
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: core/php-api#21
No description provided.
Delete branch "test/public-api-cors"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?