diff --git a/NEWS.md b/NEWS.md
index bb3f40bc..207c1e10 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -5,6 +5,7 @@
 * Update underscore dependency
 * Add munin plugin
 * Make PostgreSQL client pooling settings configurable (#47)
+* Do not execute queries on OPTIONS (#94)
 1.3.9
 -----
diff --git a/app/controllers/app.js b/app/controllers/app.js
index 4e838261..6e6bd3e9 100755
--- a/app/controllers/app.js
+++ b/app/controllers/app.js
@@ -52,6 +52,7 @@ app.use(express.bodyParser());
 app.enable('jsonp callback');
 // basic routing
+app.options('*', function(req,res) { setCrossDomain(res); res.end(); });
 app.all(global.settings.base_url+'/sql', function(req, res) { handleQuery(req, res) } );
 app.all(global.settings.base_url+'/sql.:f', function(req, res) { handleQuery(req, res) } );
 app.get(global.settings.base_url+'/cachestatus', function(req, res) { handleCacheStatus(req, res) } );
diff --git a/test/acceptance/app.test.js b/test/acceptance/app.test.js
index f8f01e1c..50203f72 100644
--- a/test/acceptance/app.test.js
+++ b/test/acceptance/app.test.js
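Review bot: The new `app.options('*', ...)` route only prevents query execution because it is registered ahead of the two `app.all(... '/sql' ...)` routes below it, which also match OPTIONS and would otherwise hand the request to `handleQuery`; that ordering constraint is not recorded anywhere in the hunk. A comment above the line would keep a later reorder from silently reintroducing SQL execution on preflight, e.g. `// CORS preflight: reply without touching the database; must precede the app.all routes, which also match OPTIONS`. The handler emits only whatever `setCrossDomain` sets (the new tests assert Allow-Origin and Allow-Headers); if that helper does not also send `Access-Control-Allow-Methods`, browsers preflighting a non-simple POST to /sql may still be refused — `setCrossDomain`'s body is outside this hunk, so worth confirming.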
@@ -69,6 +69,37 @@ test('GET /api/whatever/sql', function(done){
 });
 });
+// Test CORS headers with GET
+test('GET /api/whatever/sql', function(done){
+ assert.response(app, {
+ url: '/api/whatever/sql?q=SELECT%201',
+ headers: {host: 'vizzuality.cartodb.com'},
+ method: 'GET'
+ },{
+ }, function(res) {
+ assert.equal(res.statusCode, 200, res.body);
+ assert.equal(res.headers['access-control-allow-headers'], 'X-Requested-With, X-Prototype-Version, X-CSRF-Token');
+ assert.equal(res.headers['access-control-allow-origin'], '*');
+ done();
+ });
+});
+
+// Test that OPTIONS does not run queries
+test('OPTIONS /api/x/sql', function(done){
+ assert.response(app, {
+ url: '/api/x/sql?q=syntax%20error',
+ headers: {host: 'vizzuality.cartodb.com'},
+ method: 'OPTIONS'
+ },{}, function(res) {
+ assert.equal(res.statusCode, 200, res.body);
+ assert.equal(res.body, '');
+ assert.equal(res.headers['access-control-allow-headers'], 'X-Requested-With, X-Prototype-Version, X-CSRF-Token');
+ assert.equal(res.headers['access-control-allow-origin'], '*');
+ done();
+ });
+});
+
+
 test('GET /api/v1/sql with SQL parameter on SELECT only. No oAuth included ', function(done){
 assert.response(app, {
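Review bot: The first added test reuses the name `'GET /api/whatever/sql'` already carried by the test that closes just above it (visible in the hunk header), so a failure report cannot tell the two apart; renaming it to match its own comment, `test('GET /api/whatever/sql returns CORS headers', function(done){`, fixes that. The OPTIONS test pins the intended behaviour well — a deliberately invalid query (`q=syntax%20error`) expected to yield 200 with an empty body shows the SQL never reached the database — but it exercises only the `/sql` path, while the route being protected is `app.options('*')` and the `app.all` handler for `/sql.:f` also matched OPTIONS before this change. A second case against that form (for example a constructed `/api/x/sql.json?q=syntax%20error`) would guard the other query route against a future reorder.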
@@ -988,21 +1019,4 @@ test('GET /api/v1/sql with SQL parameter on SELECT only should return CORS heade
 });
 });
-test('OPTIONS /api/v1/sql with SQL parameter on SELECT only should return CORS headers ', function(done){
- assert.response(app, {
- url: '/api/v1/sql?q=SELECT%20*%20FROM%20untitle_table_4&database=cartodb_test_user_1_db',
- method: 'OPTIONS'
- },{ }, function(res) {
- assert.equal(res.statusCode, 200, res.body);
- // Check cache headers
- // See https://github.com/Vizzuality/CartoDB-SQL-API/issues/43
- assert.equal(res.headers['x-cache-channel'], 'cartodb_test_user_1_db:untitle_table_4');
- assert.equal(res.headers['cache-control'], expected_cache_control);
- assert.equal(res.headers['access-control-allow-origin'], '*');
- assert.equal(res.headers['access-control-allow-headers'], "X-Requested-With, X-Prototype-Version, X-CSRF-Token");
- done();
- });
-});
-
-
 });