Do not execute queries on OPTIONS. Closes #94

2013-05-24 14:21:13 +02:00 · 2013-05-24 14:21:13 +02:00 · 3f98cab09a
commit 3f98cab09a
parent 985631092b
3 changed files with 33 additions and 17 deletions
--- a/NEWS.md
+++ b/NEWS.md
@ -5,6 +5,7 @@
 * Update underscore dependency 
 * Add munin plugin
 * Make PostgreSQL client pooling settings configurable (#47)
+* Do not execute queries on OPTIONS (#94)

 1.3.9
 -----
--- a/app/controllers/app.js
+++ b/app/controllers/app.js
@ -52,6 +52,7 @@ app.use(express.bodyParser());
 app.enable('jsonp callback');

 // basic routing
+app.options('*', function(req,res) { setCrossDomain(res); res.end(); });
 app.all(global.settings.base_url+'/sql',     function(req, res) { handleQuery(req, res) } );
 app.all(global.settings.base_url+'/sql.:f',  function(req, res) { handleQuery(req, res) } );
 app.get(global.settings.base_url+'/cachestatus',  function(req, res) { handleCacheStatus(req, res) } );
--- a/test/acceptance/app.test.js
+++ b/test/acceptance/app.test.js
@ -69,6 +69,37 @@ test('GET /api/whatever/sql', function(done){
    });
 });

+// Test CORS headers with GET
+test('GET /api/whatever/sql', function(done){
+    assert.response(app, {
+        url: '/api/whatever/sql?q=SELECT%201',
+        headers: {host: 'vizzuality.cartodb.com'},
+        method: 'GET'
+    },{
+    }, function(res) {
+        assert.equal(res.statusCode, 200, res.body);
+        assert.equal(res.headers['access-control-allow-headers'], 'X-Requested-With, X-Prototype-Version, X-CSRF-Token');
+        assert.equal(res.headers['access-control-allow-origin'], '*');
+        done();
+    });
+});
+
+// Test that OPTIONS does not run queries 
+test('OPTIONS /api/x/sql', function(done){
+    assert.response(app, {
+        url: '/api/x/sql?q=syntax%20error',
+        headers: {host: 'vizzuality.cartodb.com'},
+        method: 'OPTIONS'
+    },{}, function(res) {
+        assert.equal(res.statusCode, 200, res.body);
+        assert.equal(res.body, '');
+        assert.equal(res.headers['access-control-allow-headers'], 'X-Requested-With, X-Prototype-Version, X-CSRF-Token');
+        assert.equal(res.headers['access-control-allow-origin'], '*');
+        done();
+    });
+});
+
+

 test('GET /api/v1/sql with SQL parameter on SELECT only. No oAuth included ', function(done){
    assert.response(app, {
@ -988,21 +1019,4 @@ test('GET /api/v1/sql with SQL parameter on SELECT only should return CORS heade
    });
 });

-test('OPTIONS /api/v1/sql with SQL parameter on SELECT only should return CORS headers ', function(done){
-    assert.response(app, {
-        url: '/api/v1/sql?q=SELECT%20*%20FROM%20untitle_table_4&database=cartodb_test_user_1_db',
-        method: 'OPTIONS'
-    },{ }, function(res) {
-        assert.equal(res.statusCode, 200, res.body);
-        // Check cache headers
-        // See https://github.com/Vizzuality/CartoDB-SQL-API/issues/43
-        assert.equal(res.headers['x-cache-channel'], 'cartodb_test_user_1_db:untitle_table_4');
-        assert.equal(res.headers['cache-control'], expected_cache_control);
-        assert.equal(res.headers['access-control-allow-origin'], '*');
-        assert.equal(res.headers['access-control-allow-headers'], "X-Requested-With, X-Prototype-Version, X-CSRF-Token");
-        done();
-    });
-});
-
-
 });