author | Theron Luhn <theron@luhn.com> | 2022-02-15 16:33:41 -0800 |
---|---|---|
committer | Theron Luhn <theron@luhn.com> | 2022-02-15 16:33:41 -0800 |
commit | 47c229c5ae0803eae08233f60f846bd401f9543b (patch) | |
tree | 9180fb7edd8e65fb4d66b9a4120fceab720ea6b2 /tests | |
parent | 6b1f5db98d464c31db807b7ab0e0fe43ebca46d0 (diff) | |
download | oauthlib-47c229c5ae0803eae08233f60f846bd401f9543b.tar.gz |
Add CORS support for Refresh Token Grant.
Diffstat (limited to 'tests')
-rw-r--r-- | tests/oauth2/rfc6749/grant_types/test_refresh_token.py | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/tests/oauth2/rfc6749/grant_types/test_refresh_token.py b/tests/oauth2/rfc6749/grant_types/test_refresh_token.py
index 1d3e77a..581f2a4 100644
--- a/tests/oauth2/rfc6749/grant_types/test_refresh_token.py
+++ b/tests/oauth2/rfc6749/grant_types/test_refresh_token.py
@@ -18,6 +18,7 @@ class RefreshTokenGrantTest(TestCase):
 self.request = Request('http://a.b/path')
 self.request.grant_type = 'refresh_token'
 self.request.refresh_token = 'lsdkfhj230'
+ self.request.client_id = 'abcdef'
 self.request.client = mock_client
 self.request.scope = 'foo'
 self.mock_validator = mock.MagicMock()
@@ -168,3 +169,43 @@ class RefreshTokenGrantTest(TestCase):
 del self.request.scope
 self.auth.validate_token_request(self.request)
 self.assertEqual(self.request.scopes, 'foo bar baz'.split())
+
+ # CORS
+
+ def test_create_cors_headers(self):
+ bearer = BearerToken(self.mock_validator)
+ self.request.headers['origin'] = 'https://foo.bar'
+ self.mock_validator.is_origin_allowed.return_value = True
+
+ headers = self.auth.create_token_response(self.request, bearer)[0]
+ self.assertEqual(
+ headers['Access-Control-Allow-Origin'], 'https://foo.bar'
+ )
+ self.mock_validator.is_origin_allowed.assert_called_once_with(
+ 'abcdef', 'https://foo.bar', self.request
+ )
+
+ def test_create_cors_headers_no_origin(self):
+ bearer = BearerToken(self.mock_validator)
+ headers = self.auth.create_token_response(self.request, bearer)[0]
+ self.assertNotIn('Access-Control-Allow-Origin', headers)
+ self.mock_validator.is_origin_allowed.assert_not_called()
+
+ def test_create_cors_headers_insecure_origin(self):
+ bearer = BearerToken(self.mock_validator)
+ self.request.headers['origin'] = 'http://foo.bar'
+
+ headers = self.auth.create_token_response(self.request, bearer)[0]
+ self.assertNotIn('Access-Control-Allow-Origin', headers)
+ self.mock_validator.is_origin_allowed.assert_not_called()
+
+ def test_create_cors_headers_invalid_origin(self):
+ bearer = BearerToken(self.mock_validator)
+ self.request.headers['origin'] = 'https://foo.bar'
+ self.mock_validator.is_origin_allowed.return_value = False
+
+ headers = self.auth.create_token_response(self.request, bearer)[0]
+ self.assertNotIn('Access-Control-Allow-Origin', headers)
+ self.mock_validator.is_origin_allowed.assert_called_once_with(
+ 'abcdef', 'https://foo.bar', self.request
+ )
|
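Review bot: The three negative tests (`test_create_cors_headers_no_origin`, `test_create_cors_headers_insecure_origin`, `test_create_cors_headers_invalid_origin`) keep only element `[0]` of the response and assert that `Access-Control-Allow-Origin` is absent, so they would still pass if `create_token_response` had returned an error response for an unrelated reason. Unpacking the whole result and pinning the success path closes that gap: `headers, body, status = self.auth.create_token_response(self.request, bearer)` followed by `self.assertEqual(status, 200)`. A further case where token validation fails while the origin is allowed would document whether error responses are meant to carry the header; the grant implementation is not part of this tests-only view, so that behaviour cannot be confirmed from here. The enclosing class `RefreshTokenGrantTest` begins outside the hunk.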