n8n/packages/cli/test/unit/WebhookHelpers.test.ts

import { type Response } from 'express';
import { mock } from 'jest-mock-extended';
import type { IHttpRequestMethods } from 'n8n-workflow';
import type { IWebhookManager, WebhookCORSRequest, WebhookRequest } from '@/Interfaces';
import { webhookRequestHandler } from '@/WebhookHelpers';

describe('WebhookHelpers', () => {
	describe('webhookRequestHandler', () => {
		const webhookManager = mock<Required<IWebhookManager>>();
		const handler = webhookRequestHandler(webhookManager);

		beforeEach(() => {
			jest.resetAllMocks();
		});

		it('should throw for unsupported methods', async () => {
			const req = mock<WebhookRequest | WebhookCORSRequest>({
				method: 'CONNECT' as IHttpRequestMethods,
			});
			const res = mock<Response>();
			res.status.mockReturnValue(res);

			await handler(req, res);

			expect(res.status).toHaveBeenCalledWith(500);
			expect(res.json).toHaveBeenCalledWith({
				code: 0,
				message: 'The method CONNECT is not supported.',
			});
		});

		describe('preflight requests', () => {
			it('should handle missing header for requested method', async () => {
				const req = mock<WebhookRequest | WebhookCORSRequest>({
					method: 'OPTIONS',
					headers: {
						origin: 'https://example.com',
						'access-control-request-method': undefined,
					},
					params: { path: 'test' },
				});
				const res = mock<Response>();
				res.status.mockReturnValue(res);

				webhookManager.getWebhookMethods.mockResolvedValue(['GET', 'PATCH']);

				await handler(req, res);

				expect(res.status).toHaveBeenCalledWith(204);
				expect(res.header).toHaveBeenCalledWith(
					'Access-Control-Allow-Methods',
					'OPTIONS, GET, PATCH',
				);
			});

			it('should handle default origin and max-age', async () => {
				const req = mock<WebhookRequest | WebhookCORSRequest>({
					method: 'OPTIONS',
					headers: {
						origin: 'https://example.com',
						'access-control-request-method': 'GET',
					},
					params: { path: 'test' },
				});
				const res = mock<Response>();
				res.status.mockReturnValue(res);

				webhookManager.getWebhookMethods.mockResolvedValue(['GET', 'PATCH']);

				await handler(req, res);

				expect(res.status).toHaveBeenCalledWith(204);
				expect(res.header).toHaveBeenCalledWith(
					'Access-Control-Allow-Methods',
					'OPTIONS, GET, PATCH',
				);
				expect(res.header).toHaveBeenCalledWith(
					'Access-Control-Allow-Origin',
					'https://example.com',
				);
				expect(res.header).toHaveBeenCalledWith('Access-Control-Max-Age', '300');
			});

			it('should handle wildcard origin', async () => {
				const randomOrigin = (Math.random() * 10e6).toString(16);
				const req = mock<WebhookRequest | WebhookCORSRequest>({
					method: 'OPTIONS',
					headers: {
						origin: randomOrigin,
						'access-control-request-method': 'GET',
					},
					params: { path: 'test' },
				});
				const res = mock<Response>();
				res.status.mockReturnValue(res);

				webhookManager.getWebhookMethods.mockResolvedValue(['GET', 'PATCH']);
				webhookManager.findAccessControlOptions.mockResolvedValue({
					allowedOrigins: '*',
				});

				await handler(req, res);

				expect(res.status).toHaveBeenCalledWith(204);
				expect(res.header).toHaveBeenCalledWith(
					'Access-Control-Allow-Methods',
					'OPTIONS, GET, PATCH',
				);
				expect(res.header).toHaveBeenCalledWith('Access-Control-Allow-Origin', randomOrigin);
			});

			it('should handle custom origin', async () => {
				const req = mock<WebhookRequest | WebhookCORSRequest>({
					method: 'OPTIONS',
					headers: {
						origin: 'https://example.com',
						'access-control-request-method': 'GET',
					},
					params: { path: 'test' },
				});
				const res = mock<Response>();
				res.status.mockReturnValue(res);

				webhookManager.getWebhookMethods.mockResolvedValue(['GET', 'PATCH']);
				webhookManager.findAccessControlOptions.mockResolvedValue({
					allowedOrigins: 'https://test.com',
				});

				await handler(req, res);

				expect(res.status).toHaveBeenCalledWith(204);
				expect(res.header).toHaveBeenCalledWith(
					'Access-Control-Allow-Methods',
					'OPTIONS, GET, PATCH',
				);
				expect(res.header).toHaveBeenCalledWith('Access-Control-Allow-Origin', 'https://test.com');
			});
		});
	});
});
feat(core): Add Support for custom CORS origins for webhooks (#7455) node-850 https://community.n8n.io/t/add-ability-to-set-cors-allow-list-in-n8n-webhooks/7610 https://community.n8n.io/t/configure-cors-pre-flight-request-option-method-in-the-roadmap/32189 --------- Co-authored-by: कारतोफ्फेलस्क्रिप्ट™ <aditya@netroy.in> 2023-11-22 08:49:56 -08:00			`import { type Response } from 'express';`
			`import { mock } from 'jest-mock-extended';`
			`import type { IHttpRequestMethods } from 'n8n-workflow';`
			`import type { IWebhookManager, WebhookCORSRequest, WebhookRequest } from '@/Interfaces';`
			`import { webhookRequestHandler } from '@/WebhookHelpers';`

			`describe('WebhookHelpers', () => {`
			`describe('webhookRequestHandler', () => {`
			`const webhookManager = mock<Required<IWebhookManager>>();`
			`const handler = webhookRequestHandler(webhookManager);`

			`beforeEach(() => {`
			`jest.resetAllMocks();`
			`});`

			`it('should throw for unsupported methods', async () => {`
			`const req = mock<WebhookRequest \| WebhookCORSRequest>({`
			`method: 'CONNECT' as IHttpRequestMethods,`
			`});`
			`const res = mock<Response>();`
			`res.status.mockReturnValue(res);`

			`await handler(req, res);`

			`expect(res.status).toHaveBeenCalledWith(500);`
			`expect(res.json).toHaveBeenCalledWith({`
			`code: 0,`
			`message: 'The method CONNECT is not supported.',`
			`});`
			`});`

			`describe('preflight requests', () => {`
			`it('should handle missing header for requested method', async () => {`
			`const req = mock<WebhookRequest \| WebhookCORSRequest>({`
			`method: 'OPTIONS',`
			`headers: {`
			`origin: 'https://example.com',`
			`'access-control-request-method': undefined,`
			`},`
			`params: { path: 'test' },`
			`});`
			`const res = mock<Response>();`
			`res.status.mockReturnValue(res);`

			`webhookManager.getWebhookMethods.mockResolvedValue(['GET', 'PATCH']);`

			`await handler(req, res);`

			`expect(res.status).toHaveBeenCalledWith(204);`
			`expect(res.header).toHaveBeenCalledWith(`
			`'Access-Control-Allow-Methods',`
			`'OPTIONS, GET, PATCH',`
			`);`
			`});`

			`it('should handle default origin and max-age', async () => {`
			`const req = mock<WebhookRequest \| WebhookCORSRequest>({`
			`method: 'OPTIONS',`
			`headers: {`
			`origin: 'https://example.com',`
			`'access-control-request-method': 'GET',`
			`},`
			`params: { path: 'test' },`
			`});`
			`const res = mock<Response>();`
			`res.status.mockReturnValue(res);`

			`webhookManager.getWebhookMethods.mockResolvedValue(['GET', 'PATCH']);`

			`await handler(req, res);`

			`expect(res.status).toHaveBeenCalledWith(204);`
			`expect(res.header).toHaveBeenCalledWith(`
			`'Access-Control-Allow-Methods',`
			`'OPTIONS, GET, PATCH',`
			`);`
			`expect(res.header).toHaveBeenCalledWith(`
			`'Access-Control-Allow-Origin',`
			`'https://example.com',`
			`);`
			`expect(res.header).toHaveBeenCalledWith('Access-Control-Max-Age', '300');`
			`});`

			`it('should handle wildcard origin', async () => {`
			`const randomOrigin = (Math.random() * 10e6).toString(16);`
			`const req = mock<WebhookRequest \| WebhookCORSRequest>({`
			`method: 'OPTIONS',`
			`headers: {`
			`origin: randomOrigin,`
			`'access-control-request-method': 'GET',`
			`},`
			`params: { path: 'test' },`
			`});`
			`const res = mock<Response>();`
			`res.status.mockReturnValue(res);`

			`webhookManager.getWebhookMethods.mockResolvedValue(['GET', 'PATCH']);`
			`webhookManager.findAccessControlOptions.mockResolvedValue({`
			`allowedOrigins: '*',`
			`});`

			`await handler(req, res);`

			`expect(res.status).toHaveBeenCalledWith(204);`
			`expect(res.header).toHaveBeenCalledWith(`
			`'Access-Control-Allow-Methods',`
			`'OPTIONS, GET, PATCH',`
			`);`
			`expect(res.header).toHaveBeenCalledWith('Access-Control-Allow-Origin', randomOrigin);`
			`});`

			`it('should handle custom origin', async () => {`
			`const req = mock<WebhookRequest \| WebhookCORSRequest>({`
			`method: 'OPTIONS',`
			`headers: {`
			`origin: 'https://example.com',`
			`'access-control-request-method': 'GET',`
			`},`
			`params: { path: 'test' },`
			`});`
			`const res = mock<Response>();`
			`res.status.mockReturnValue(res);`

			`webhookManager.getWebhookMethods.mockResolvedValue(['GET', 'PATCH']);`
			`webhookManager.findAccessControlOptions.mockResolvedValue({`
			`allowedOrigins: 'https://test.com',`
			`});`

			`await handler(req, res);`

			`expect(res.status).toHaveBeenCalledWith(204);`
			`expect(res.header).toHaveBeenCalledWith(`
			`'Access-Control-Allow-Methods',`
			`'OPTIONS, GET, PATCH',`
			`);`
			`expect(res.header).toHaveBeenCalledWith('Access-Control-Allow-Origin', 'https://test.com');`
			`});`
			`});`
			`});`
			`});`