Always set flag in CorsMiddleware once it executes (#9440)

Fixes https://github.com/aspnet/AspNetCore/issues/9348
2019-04-16 16:28:27 -07:00 · 2019-04-16 16:28:27 -07:00 · e2477706b6
parent 51028dd129
commit e2477706b6
3 changed files with 46 additions and 8 deletions
--- a/src/Middleware/CORS/src/Infrastructure/CorsMiddleware.cs
+++ b/src/Middleware/CORS/src/Infrastructure/CorsMiddleware.cs
@ -7,7 +7,6 @@ using Microsoft.AspNetCore.Cors.Internal;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Http.Endpoints;
 using Microsoft.Extensions.Logging;
-using Microsoft.Extensions.Logging.Abstractions;

 namespace Microsoft.AspNetCore.Cors.Infrastructure
 {
@ -119,6 +118,9 @@ namespace Microsoft.AspNetCore.Cors.Infrastructure
        /// <inheritdoc />
        public Task Invoke(HttpContext context, ICorsPolicyProvider corsPolicyProvider)
        {
+            // Flag to indicate to other systems, that CORS middleware was run for this request
+            context.Items[CorsMiddlewareInvokedKey] = CorsMiddlewareInvokedValue;
+
            if (!context.Request.Headers.ContainsKey(CorsConstants.Origin))
            {
                return _next(context);
@ -137,9 +139,6 @@ namespace Microsoft.AspNetCore.Cors.Infrastructure
            //    fetch policy by name, prioritizing it above policy on middleware
            // 3. If there is no policy on middleware then use name on middleware

-            // Flag to indicate to other systems, e.g. MVC, that CORS middleware was run for this request
-            context.Items[CorsMiddlewareInvokedKey] = CorsMiddlewareInvokedValue;
-
            var endpoint = context.GetEndpoint();

            // Get the most significant CORS metadata for the endpoint
--- a/src/Middleware/CORS/test/UnitTests/CorsMiddlewareTests.cs
+++ b/src/Middleware/CORS/test/UnitTests/CorsMiddlewareTests.cs
@ -876,5 +876,28 @@ namespace Microsoft.AspNetCore.Cors.Infrastructure
            // Assert
            Assert.Contains(httpContext.Items, item => string.Equals(item.Key as string, "__CorsMiddlewareInvoked"));
        }
+
+        [Fact]
+        public async Task Invoke_WithoutOrigin_InvokeFlagSet()
+        {
+            // Arrange
+            var corsService = Mock.Of<ICorsService>();
+            var mockProvider = Mock.Of<ICorsPolicyProvider>();
+            var loggerFactory = NullLoggerFactory.Instance;
+
+            var middleware = new CorsMiddleware(
+                Mock.Of<RequestDelegate>(),
+                corsService,
+                loggerFactory,
+                "DefaultPolicyName");
+
+            var httpContext = new DefaultHttpContext();
+
+            // Act
+            await middleware.Invoke(httpContext, mockProvider);
+
+            // Assert
+            Assert.Contains(httpContext.Items, item => string.Equals(item.Key as string, "__CorsMiddlewareInvoked"));
+        }
    }
 }
--- a/src/Mvc/test/Mvc.FunctionalTests/CorsTestsBase.cs
+++ b/src/Mvc/test/Mvc.FunctionalTests/CorsTestsBase.cs
@ -282,7 +282,7 @@ namespace Microsoft.AspNetCore.Mvc.FunctionalTests
        }

        [Fact]
-        public async Task CorsFilter_RunsBeforeOtherAuthorizationFilters_UsesPolicySpecifiedOnController()
+        public async Task Cors_RunsBeforeOtherAuthorizationFilters_UsesPolicySpecifiedOnController()
        {
            // Arrange
            var url = "http://localhost/api/store/actionusingcontrollercorssettings";
@ -314,7 +314,7 @@ namespace Microsoft.AspNetCore.Mvc.FunctionalTests
        }

        [Fact]
-        public async Task CorsFilter_RunsBeforeOtherAuthorizationFilters_UsesPolicySpecifiedOnAction()
+        public async Task Cors_RunsBeforeOtherAuthorizationFilters_UsesPolicySpecifiedOnAction()
        {
            // Arrange
            var url = "http://localhost/api/store/actionwithcorssettings";
@ -349,7 +349,7 @@ namespace Microsoft.AspNetCore.Mvc.FunctionalTests
        }

        [Fact]
-        public async Task DisableCorsFilter_RunsBeforeOtherAuthorizationFilters()
+        public async Task DisableCors_RunsBeforeOtherAuthorizationFilters()
        {
            // Controller enables authorization and Cors, the action has a DisableCorsAttribute.
            // We expect the CorsMiddleware to execute and no-op
@ -377,7 +377,7 @@ namespace Microsoft.AspNetCore.Mvc.FunctionalTests
        }

        [Fact]
-        public async Task CorsFilter_OnAction_PreferredOverController_AndAuthorizationFiltersRunAfterCors()
+        public async Task Cors_OnAction_PreferredOverController_AndAuthorizationFiltersRunAfterCors()
        {
            // Arrange
            var request = new HttpRequestMessage(
@ -398,5 +398,21 @@ namespace Microsoft.AspNetCore.Mvc.FunctionalTests
            var content = await response.Content.ReadAsStringAsync();
            Assert.Empty(content);
        }
+
+        [Fact]
+        public async Task Cors_WithoutOriginHeader_Works()
+        {
+            // Arrange
+            var request = new HttpRequestMessage(
+                HttpMethod.Put,
+                "http://localhost/Cors/EditUserComment?userComment=abcd");
+
+            // Act
+            var response = await Client.SendAsync(request);
+
+            // Assert
+            await response.AssertStatusCodeAsync(HttpStatusCode.OK);
+            Assert.Empty(response.Headers);
+        }
    }
 }