diff options
Diffstat (limited to 'spec/requests/oauth/tokens_controller_spec.rb')
-rw-r--r-- | spec/requests/oauth/tokens_controller_spec.rb | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/spec/requests/oauth/tokens_controller_spec.rb b/spec/requests/oauth/tokens_controller_spec.rb index e4cb28cc42b..507489d92cf 100644 --- a/spec/requests/oauth/tokens_controller_spec.rb +++ b/spec/requests/oauth/tokens_controller_spec.rb @@ -7,6 +7,7 @@ RSpec.describe Oauth::TokensController do let(:other_headers) { {} } let(:headers) { cors_request_headers.merge(other_headers) } let(:allowed_methods) { 'POST, OPTIONS' } + let(:authorization_methods) { %w[Authorization X-CSRF-Token X-Requested-With] } shared_examples 'cross-origin POST request' do it 'allows cross-origin requests' do @@ -25,7 +26,7 @@ RSpec.describe Oauth::TokensController do it 'allows cross-origin requests' do expect(response.headers['Access-Control-Allow-Origin']).to eq '*' expect(response.headers['Access-Control-Allow-Methods']).to eq allowed_methods - expect(response.headers['Access-Control-Allow-Headers']).to eq 'Authorization' + expect(response.headers['Access-Control-Allow-Headers']).to eq authorization_methods expect(response.headers['Access-Control-Allow-Credentials']).to be_nil end end @@ -39,7 +40,7 @@ RSpec.describe Oauth::TokensController do end describe 'OPTIONS /oauth/token' do - let(:other_headers) { { 'Access-Control-Request-Headers' => 'Authorization', 'Access-Control-Request-Method' => 'POST' } } + let(:other_headers) { { 'Access-Control-Request-Headers' => authorization_methods, 'Access-Control-Request-Method' => 'POST' } } before do options '/oauth/token', headers: headers @@ -63,7 +64,7 @@ RSpec.describe Oauth::TokensController do end describe 'OPTIONS /oauth/revoke' do - let(:other_headers) { { 'Access-Control-Request-Headers' => 'Authorization', 'Access-Control-Request-Method' => 'POST' } } + let(:other_headers) { { 'Access-Control-Request-Headers' => authorization_methods, 'Access-Control-Request-Method' => 'POST' } } before do options '/oauth/revoke', headers: headers |