Test_Integration_App_ServerErrorHandler_MiddlewareCombinationHeaders() — fiber Function Reference

Source Code

app_integration_test.go lines 134–502

func Test_Integration_App_ServerErrorHandler_MiddlewareCombinationHeaders(t *testing.T) {
	t.Parallel()

	// This integration suite exercises representative middleware stacks to ensure their
	// response headers survive after Fiber's default error handler emits a failure.

	const (
		// Origins used by the CORS stacks in this suite.
		corsHelmetOrigin    = "https://cors-and-helmet.example"
		corsRequestIDOrigin = "https://cors-and-requestid.example"
		corsCSRForigin      = "https://cors-and-csrf.example"
		corsCacheOrigin     = "https://cors-and-cache.example"
		corsSessionOrigin   = "https://cors-and-session.example"
		corsHelmetRequestID = "https://cors-helmet-requestid.example"

		csrfCookieName      = "combo-csrf"
		generatedRequestID  = "generated-combo-request-id"
		helmetLimiterMax    = 7
		helmetLimiterReset  = 60
		requestIDHeader     = "combo-request-id"
		csrfTokenValue      = "csrf-token"
		encryptedCookieName = "combo-encrypted"
		encryptedCookieVal  = "unencrypted"
		envvarAllowHeader   = fiber.MethodGet + ", " + fiber.MethodHead
		basicRealm          = "combo-basic"
		keyAuthRealm        = "combo-key"
		keyAuthErrorDesc    = "missing-key"
	)

	// Each entry wires up a different middleware stack so we can ensure response mutations
	// survive the hop through the default error handler.
	testCases := []middlewareCombinationTestCase{
		// --- CORS-focused stacks keep cross-origin metadata on error responses.
		{
			name: "cors+helmet",
			setup: func(app *fiber.App) {
				app.Use(cors.New(cors.Config{AllowOrigins: []string{corsHelmetOrigin}}))
				app.Use(helmet.New())
			},
			configureRequest: func(req *fasthttp.Request) {
				req.Header.Set(fiber.HeaderOrigin, corsHelmetOrigin)
			},
			assertions: func(t *testing.T, resp *fasthttp.Response) {
				t.Helper()
				require.Equal(t, corsHelmetOrigin, string(resp.Header.Peek(fiber.HeaderAccessControlAllowOrigin)))
				require.Equal(t, "nosniff", string(resp.Header.Peek(fiber.HeaderXContentTypeOptions)))
				require.Equal(t, "same-origin", string(resp.Header.Peek("Cross-Origin-Opener-Policy")))
				require.Equal(t, "same-origin", string(resp.Header.Peek("Cross-Origin-Resource-Policy")))
				require.Equal(t, "require-corp", string(resp.Header.Peek("Cross-Origin-Embedder-Policy")))
			},
		},
		{
			name: "cors+requestid",
			setup: func(app *fiber.App) {
				app.Use(cors.New(cors.Config{AllowOrigins: []string{corsRequestIDOrigin}}))
				app.Use(requestid.New())
			},
			configureRequest: func(req *fasthttp.Request) {
				req.Header.Set(fiber.HeaderOrigin, corsRequestIDOrigin)
				req.Header.Set("X-Request-ID", requestIDHeader)
			},
			assertions: func(t *testing.T, resp *fasthttp.Response) {
				t.Helper()
				require.Equal(t, corsRequestIDOrigin, string(resp.Header.Peek(fiber.HeaderAccessControlAllowOrigin)))
				require.Equal(t, requestIDHeader, string(resp.Header.Peek("X-Request-ID")))
			},
		},
		{
			name: "cors+helmet+requestid",
			setup: func(app *fiber.App) {
				app.Use(cors.New(cors.Config{AllowOrigins: []string{corsHelmetRequestID}}))
				app.Use(helmet.New())
				app.Use(requestid.New(requestid.Config{
					Generator: func() string {
						return generatedRequestID
					},
				}))
			},
			configureRequest: func(req *fasthttp.Request) {
				req.Header.Set(fiber.HeaderOrigin, corsHelmetRequestID)
			},