I started with a boilerplate http4k project generated by the kotlinlang #http4k

I started with a boilerplate http4k project genera...

Anthony Whitford

05/27/2023, 5:00 AM

I started with a boilerplate http4k project generated by the Project Wizard. I have a Web App user interface that needs to make REST calls to the http4k backend. This initially failed because CORS is required. As a result, I added the CORS Filter to the http4k project to get the Web App REST calls working. Alas, while CORS enabled the Web App UI to talk to the http4k server, this broke the simple Unit Test. I get an error like:

Copy code

Ping test() FAILED
    org.opentest4j.AssertionFailedError: expected: <HTTP/1.1 200 OK
    access-control-allow-origin: null
    access-control-allow-headers: 
    access-control-allow-methods: GET, POST

    pong> but was: <HTTP/1.1 200 OK


    pong>
        at app//org.junit.jupiter.api.AssertionFailureBuilder.build(AssertionFailureBuilder.java:151)
        at app//org.junit.jupiter.api.AssertionFailureBuilder.buildAndThrow(AssertionFailureBuilder.java:132)
        at app//org.junit.jupiter.api.AssertEquals.failNotEqual(AssertEquals.java:197)
        at app//org.junit.jupiter.api.AssertEquals.assertEquals(AssertEquals.java:182)
        at app//org.junit.jupiter.api.AssertEquals.assertEquals(AssertEquals.java:177)
        at app//org.junit.jupiter.api.Assertions.assertEquals(Assertions.java:1142)
        at app//com.perusal.Perusalhttp4kTest.Ping test(Perusalhttp4kTest.kt:14)

1 test completed, 1 failed

How can I enable CORS but also make the Unit Test work? I tried adding headers like:

Copy code

.header("access-control-request-method", "GET")
              .header("origin", "<http://localhost:3000>"),

but I get a similar failure:

Copy code

Ping test() FAILED
    org.opentest4j.AssertionFailedError: expected: <HTTP/1.1 200 OK
    access-control-allow-origin: null
    access-control-allow-headers: 
    access-control-allow-methods: GET, POST
    access-control-request-method: GET
    origin: <http://localhost:3000>

    pong> but was: <HTTP/1.1 200 OK


    pong>
        at app//org.junit.jupiter.api.AssertionFailureBuilder.build(AssertionFailureBuilder.java:151)
        at app//org.junit.jupiter.api.AssertionFailureBuilder.buildAndThrow(AssertionFailureBuilder.java:132)
        at app//org.junit.jupiter.api.AssertEquals.failNotEqual(AssertEquals.java:197)
        at app//org.junit.jupiter.api.AssertEquals.assertEquals(AssertEquals.java:182)
        at app//org.junit.jupiter.api.AssertEquals.assertEquals(AssertEquals.java:177)
        at app//org.junit.jupiter.api.Assertions.assertEquals(Assertions.java:1142)
        at app//com.perusal.Perusalhttp4kTest.Ping test(Perusalhttp4kTest.kt:14)

1 test completed, 1 failed

dave

05/27/2023, 6:54 AM

Hi! Can you just post the content of your app and test (maybe in a gist so it can be reached asoly recreated?

dave

05/27/2023, 6:56 AM

I think for a start that the expected and actual are the wrong way around in the test case. We can definitely fix that easily if it's the case in the toolbox ( it would be our error) But also the cors filter would be interesting to see how you have set it up

dave

05/27/2023, 6:58 AM

(because the header values look a little weird)

Anthony Whitford

05/27/2023, 7:12 AM

Cors setup like:

Copy code

val corsPolicy = CorsPolicy(
    originPolicy = OriginPolicy.Only("<http://localhost:3000>"), // TODO Replace with the appropriate client origin(s)
    headers = emptyList(), // listOf("Content-Type", "Authorization"), // TODO Consider adding back Authorization
    methods = listOf(GET, POST /*, Method.PUT, Method.DELETE */) // TODO Double Check Completeness
)

val corsMiddleware = Cors(corsPolicy)

val app: HttpHandler = corsMiddleware.then(
    routes(
    "/ping" bind GET to {
        Response(OK).body("pong")
    },

Anthony Whitford

05/27/2023, 7:13 AM

Then, the test looks like:

Copy code

@Test
    fun `Ping test`() {
        assertEquals(app(
            Request(GET, "/ping"))
              .header("access-control-request-method", "GET")
              .header("origin", "<http://localhost:3000>"),
            Response(OK).body("pong"))
    }

(I added the header thinking I was consistent with CORS, but perhaps not.)

Anthony Whitford

05/27/2023, 7:14 AM

Note that in this simple case, the web app runs on localhost port 3000 talking to an http4k server on port 9000.

dave

05/27/2023, 8:23 AM

@Anthony Whitford Ah - I can see the problem. What's happening is that you're adding the headers in the wrong place. You should add the headers to the response and not the request

dave

05/27/2023, 8:24 AM

Copy code

@Test
    fun `Ping test`() {
        assertEquals(app(Request(GET, "/ping")),
            Response(OK).body("pong")
              .header("access-control-request-method", "GET")
              .header("origin", "<http://localhost:3000>")
           )
    }

Anthony Whitford

05/27/2023, 2:48 PM

Hmm... That seems to fail too:

Copy code

Ping test() FAILED
    org.opentest4j.AssertionFailedError: expected: <HTTP/1.1 200 OK
    access-control-allow-origin: null
    access-control-allow-headers: 
    access-control-allow-methods: GET, POST

    pong> but was: <HTTP/1.1 200 OK
    access-control-request-method: GET
    origin: <http://localhost:3000>

    pong>
        at app//org.junit.jupiter.api.AssertionFailureBuilder.build(AssertionFailureBuilder.java:151)
        at app//org.junit.jupiter.api.AssertionFailureBuilder.buildAndThrow(AssertionFailureBuilder.java:132)
        at app//org.junit.jupiter.api.AssertEquals.failNotEqual(AssertEquals.java:197)
        at app//org.junit.jupiter.api.AssertEquals.assertEquals(AssertEquals.java:182)
        at app//org.junit.jupiter.api.AssertEquals.assertEquals(AssertEquals.java:177)
        at app//org.junit.jupiter.api.Assertions.assertEquals(Assertions.java:1142)
        at app//com.perusal.Perusalhttp4kTest.Ping test(Perusalhttp4kTest.kt:13)

1 test completed, 1 failed

dave

05/27/2023, 2:57 PM

Both access-control-request-method and origin are request headers. they will never be issued by the server. I think you have copied the headers from the request instead of the response,

dave

05/27/2023, 3:05 PM

This works - not sure what you meant about the 3000/8000 difference though 🙂

Copy code

package org.http4k.connect.openai.auth.user

import org.http4k.core.HttpHandler
import org.http4k.core.Method.GET
import org.http4k.core.Request
import org.http4k.core.Response
import org.http4k.core.Status.Companion.OK
import org.http4k.core.then
import org.http4k.filter.CorsPolicy
import org.http4k.filter.Only
import org.http4k.filter.OriginPolicy
import org.http4k.filter.ServerFilters
import org.http4k.routing.bind
import org.http4k.routing.routes
import org.junit.jupiter.api.Assertions.assertEquals
import org.junit.jupiter.api.Test

class FooTest {

    @Test
    fun `test`() {
        val corsPolicy = CorsPolicy(
            originPolicy = OriginPolicy.Only("localhost:3000"), // TODO Replace with the appropriate client origin(s)
            headers = emptyList(), // listOf("Content-Type", "Authorization"), // TODO Consider adding back Authorization
            methods = listOf(GET /*, Method.PUT, Method.DELETE */) // TODO Double Check Completeness
        )

        val corsMiddleware = ServerFilters.Cors(corsPolicy)

        val app: HttpHandler = corsMiddleware.then(
            routes(
                "/ping" bind GET to { Response(OK).body("pong") }
            )
        )

        val expected: Response = Response(OK).body("pong")
            .header("access-control-allow-origin", "localhost:3000")
            .header("access-control-allow-headers", "")
            .header("access-control-allow-methods", "GET")

        val actual: Response = app(
            Request(GET, "/ping").header("origin", "localhost:3000")
        )

        assertEquals(expected, actual)

    }
}

Anthony Whitford

05/27/2023, 3:29 PM

Thank you @dave! I think I figured out a few issues with your help. Final code looks like:

Copy code

fun `Ping test`() {
        assertEquals(
          Response(OK).body("pong")
            .header("access-control-allow-origin", "localhost:3000")
            .header("access-control-allow-headers", "")
            .header("access-control-allow-methods", "GET")
          ,          
          app(
            Request(GET, "/ping")
              .header("origin", "localhost:3000")
          )
        )
    }

dave

05/27/2023, 3:31 PM

no worries. we've already fixed the toolbox so the Junit assertEquals (expected/actual) mix up shouldn't happen again for anyone else... it's a stupid API TBH 😂

Anthony Whitford

05/27/2023, 3:35 PM

Now the unit test is working, but my app is failing (from Chrome)...

Access to fetch at 'http://localhost:9000/jdbc' from origin 'http://localhost:3000' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header has a value 'null' that is not equal to the supplied origin. Have the server send the header with a valid value, or, if an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Why would Chrome be sending null? 🤔

Anthony Whitford

05/27/2023, 3:45 PM

Fixed it.. Apparently I need to say http in the origin policy.

Anthony Whitford

05/27/2023, 3:51 PM

Spoke too soon... Had to make another tweak to the test:

Copy code

fun `Ping test`() {
        assertEquals(
          Response(OK).body("pong")
            .header("access-control-allow-origin", "null")
            .header("access-control-allow-headers", "")
            .header("access-control-allow-methods", "GET")
          ,          
          app(
            Request(GET, "/ping")
              .header("origin", "localhost:3000")
          )
        )
    }

Anthony Whitford

05/27/2023, 3:52 PM

Had to specify:

Copy code

.header("access-control-allow-origin", "null")

for expected.

Anthony Whitford

05/27/2023, 3:59 PM

Reflecting on this experience, this whole approach seems flawed. For example, if I add a

POST

entry point to my server, then the

access-control-allow-methods

value changes from

GET

GET, POST

-- this will require adjustment to the tests. Is it best practice to include the CORS policy for Unit Testing? I wonder if unit tests should simply circumvent the CORS policy.

dave

05/27/2023, 4:15 PM

well if depends on the level you are testing at. The nice thing about the model is that it gives you options - you can test at the endpoint or the in-memory server or the live server level. You can layer your app so your API is a "unit" and then just layer on filters or other levels on the outside for the runtime environment. For instance if you want to have your API accessed from several different ways with difference requirements:

Copy code

fun main() {
    val endpoint = "/foo" bind GET to { req: Request -> Response(OK).body("foobar") }
    val api = routes(endpoint)

    val app = routes(
        "/web" bind Cors(UnsafeGlobalPermissive).then(api),
        "/api" bind ServerFilters.BearerAuth("apiKey").then(api)
    )
    
    endpoint(Request(GET, "/foo"))
    api(Request(GET, "/foo"))
    
    app(Request(GET, "/web/foo"))
    app(Request(GET, "/app/foo"))

    JavaHttpClient()(Request(GET, "<http://localhost:9000>"))
}

dave

05/27/2023, 4:16 PM

everything is about layering, and you're in total control of what happens and how things are expsoed.

dave

05/27/2023, 4:18 PM

you should never circumvent any layers of security for testing - you just ned to pick the appopiiate kind of test! 🙂

dave

05/27/2023, 4:21 PM

because it's just composition, you can also just extract out the filter stack and test it separately:

Copy code

val incomingStack: Filter = DebuggingFilters.PrintRequestAndResponse()
        .then(Cors(UnsafeGlobalPermissive))
        .then(ResponseFilters.ReportHttpTransaction {
            println("${it.request} took ${it.duration}")
        })

    val forTestingStack = incomingStack.then { req: Request -> Response(OK) }
    val appWithStack = incomingStack.then(app)

277 Views

Open in Slack

Previous Next