mastodon-glitch/spec/requests/api/v1/csp_spec.rb

# frozen_string_literal: true

require 'rails_helper'

describe 'API namespace minimal Content-Security-Policy' do
  before { stub_tests_controller }

  after { Rails.application.reload_routes! }

  it 'returns the correct CSP headers' do
    get '/api/v1/tests'

    expect(response).to have_http_status(200)
    expect(response.headers['Content-Security-Policy']).to eq(minimal_csp_headers)
  end

  private

  def stub_tests_controller
    stub_const('Api::V1::TestsController', api_tests_controller)

    Rails.application.routes.draw do
      get '/api/v1/tests', to: 'api/v1/tests#index'
    end
  end

  def api_tests_controller
    Class.new(Api::BaseController) do
      def index
        head 200
      end

      private

      def user_signed_in? = false
      def current_user = nil
    end
  end

  def minimal_csp_headers
    "default-src 'none'; frame-ancestors 'none'; form-action 'none'"
  end
end
Specs for minimal CSP policy in `Api::` controllers (#27845) 2023-11-14 14:34:30 +00:00			`# frozen_string_literal: true`

			`require 'rails_helper'`

			`describe 'API namespace minimal Content-Security-Policy' do`
			`before { stub_tests_controller }`

			`after { Rails.application.reload_routes! }`

			`it 'returns the correct CSP headers' do`
			`get '/api/v1/tests'`

			`expect(response).to have_http_status(200)`
			`expect(response.headers['Content-Security-Policy']).to eq(minimal_csp_headers)`
			`end`

			`private`

			`def stub_tests_controller`
			`stub_const('Api::V1::TestsController', api_tests_controller)`

			`Rails.application.routes.draw do`
			`get '/api/v1/tests', to: 'api/v1/tests#index'`
			`end`
			`end`

			`def api_tests_controller`
			`Class.new(Api::BaseController) do`
			`def index`
			`head 200`
			`end`

			`private`

			`def user_signed_in? = false`
			`def current_user = nil`
			`end`
			`end`

			`def minimal_csp_headers`
			`"default-src 'none'; frame-ancestors 'none'; form-action 'none'"`
			`end`
			`end`