Php-Template/tests/Http/Middleware/CorsMiddlewareTest.php

<?php

declare(strict_types=1);

namespace Siteworxpro\Tests\Http\Middleware;

use Nyholm\Psr7\Response;
use Nyholm\Psr7\ServerRequest;
use Psr\Http\Server\RequestHandlerInterface;
use Siteworxpro\App\Http\Middleware\CorsMiddleware;
use Siteworxpro\App\Services\Facades\Config;
use Siteworxpro\Tests\Unit;

class CorsMiddlewareTest extends Unit
{
    public function testAllowsConfiguredOrigin(): void
    {
        Config::shouldReceive('get')
            ->with('cors.allowed_origins')
            ->andReturn('https://example.com,https://another.com');

        Config::shouldReceive('get')->with('cors.allow_credentials')->andReturn(false);
        Config::shouldReceive('get')->with('cors.max_age')->andReturn('');

        $middleware = new CorsMiddleware();
        $request = new ServerRequest('GET', '/')->withHeader('Origin', 'https://example.com');
        $handler = $this->mockHandler(new Response(200));

        $response = $middleware->process($request, $handler);

        $this->assertEquals('https://example.com', $response->getHeaderLine('Access-Control-Allow-Origin'));
    }

    public function testBlocksUnconfiguredOrigin(): void
    {
        Config::shouldReceive('get')
            ->with('cors.allowed_origins')
            ->andReturn('https://example.com,https://another.com');

        $middleware = new CorsMiddleware();
        $request = new ServerRequest('GET', '/')->withHeader('Origin', 'https://unauthorized.com');
        $handler = $this->mockHandler(new Response(200));

        $response = $middleware->process($request, $handler);

        $this->assertEmpty($response->getHeaderLine('Access-Control-Allow-Origin'));
    }

    public function testHandlesOptionsRequest(): void
    {
        Config::shouldReceive('get')->with('cors.allowed_origins')->andReturn('https://example.com');
        Config::shouldReceive('get')->with('cors.allow_credentials')->andReturn(false);
        Config::shouldReceive('get')->with('cors.max_age')->andReturn('86400');

        $middleware = new CorsMiddleware();
        $request = new ServerRequest('OPTIONS', '/')->withHeader('Origin', 'https://example.com');
        $handler = $this->mockHandler(new Response(200));

        $response = $middleware->process($request, $handler);

        $this->assertEquals(204, $response->getStatusCode());
        $this->assertEquals('86400', $response->getHeaderLine('Access-Control-Max-Age'));
    }

    public function testAddsAllowCredentialsHeader(): void
    {
        Config::shouldReceive('get')
            ->with('cors.allowed_origins')
            ->andReturn('https://example.com');

        Config::shouldReceive('get')->with('cors.allowed_origins')->andReturn('https://example.com');
        Config::shouldReceive('get')->with('cors.allow_credentials')->andReturn(true);
        Config::shouldReceive('get')->with('cors.max_age')->andReturn('86400');

        $middleware = new CorsMiddleware();
        $request = new ServerRequest('GET', '/')->withHeader('Origin', 'https://example.com');
        $handler = $this->mockHandler(new Response(200));

        $response = $middleware->process($request, $handler);

        $this->assertEquals('true', $response->getHeaderLine('Access-Control-Allow-Credentials'));
    }

    private function mockHandler(Response $response): RequestHandlerInterface
    {
        return new class ($response) implements RequestHandlerInterface {
            private Response $response;

            public function __construct(Response $response)
            {
                $this->response = $response;
            }

            public function handle(
                \Psr\Http\Message\ServerRequestInterface $request
            ): \Psr\Http\Message\ResponseInterface {
                return $this->response;
            }
        };
    }
}