Merge pull request #17 from UpstateRuby/16-test-preflight-cors

Test CORS requests

config/application.rb

@@ -23,10 +23,13 @@ class Application < Rails::Application
     # Do not swallow errors in after_commit/after_rollback callbacks.
     config.active_record.raise_in_transactional_callbacks = true
     config.assets.enabled = false
-    config.middleware.insert_before 0, "Rack::Cors" do
+    config.middleware.insert_before 0, "Rack::Cors", :debug => true, :logger => (-> { Rails.logger }) do
       allow do
         origins '*'
-        resource '*', :headers => :any, :methods => [:get, :post, :options]
+        resource '*',
+          :headers => :any,
+          :methods => [:get, :post, :put, :patch, :delete, :options, :head],
+          :max_age => 0
       end
     end
   end

spec/requests/things_spec.rb

@@ -2,6 +2,15 @@
 
 describe "Things API" do
 
+  describe "OPTIONS /things" do
+    it "reponds with CORS Preflight headers" do
+
+      options "/things", {}, authorized_preflight_headers
+
+      expect(response.status).to eq 200
+    end
+  end
+
   describe "GET /things" do
     it "returns all the things" do
       FactoryGirl.create :thing, name: "HVAC"

spec/support/request_helper.rb

@@ -8,10 +8,9 @@ def authorized_headers
 
   def authorized_preflight_headers
     {
-      'HTTP_ACCEPT' => 'application/vnd.api+json',
-      'HTTP_AUTHORIZATION' => 'Token openworksauthtoken',
-      'HTTP_ACCESS_CONTROL_REQUEST_HEADERS' => 'accept, authorization',
-      'HTTP_ACCESS_CONTROL_REQUEST_METHOD' => 'GET'
+      'HTTP_ACCESS_CONTROL_REQUEST_HEADER' => 'accept, authorization, origin',
+      'HTTP_ACCESS_CONTROL_REQUEST_METHOD' => 'GET',
+      'ORIGIN' => 'http://otherdomain.test/'
     }
   end
 end