From 15a745f1689aebaad91cbee920c8db6ee70ac980 Mon Sep 17 00:00:00 2001
From: Artur Shiriev
Date: Fri, 26 Jun 2026 21:16:02 +0300
Subject: [PATCH] test: lock CORS preflight allows write methods
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The CORS defaults already ship correct (`["*"]`), but nothing guarded the preflight contract. Add a regression test that sends an `OPTIONS /api/decks/` preflight from the shipped dev origin (`http://localhost:5173`) and asserts `POST`/`PUT` appear in `Access-Control-Allow-Methods`, exercising the real settings → lite-bootstrap → Starlette CORS middleware wiring. Ported from modern-python/litestar-sqlalchemy-template#34. Verified it fails (preflight 400, POST absent) if the methods default regresses to `[""]`.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 tests/test_cors.py | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 tests/test_cors.py

diff --git a/tests/test_cors.py b/tests/test_cors.py
new file mode 100644
index 0000000..02565e7
--- /dev/null
+++ b/tests/test_cors.py
@@ -0,0 +1,19 @@
+from typing import TYPE_CHECKING
+
+
+if TYPE_CHECKING:
+ from httpx import AsyncClient
+
+
+async def test_cors_preflight_allows_write_methods(client: AsyncClient) -> None:
+ response = await client.options(
+ "/api/decks/",
+ headers={
+ "Origin": "http://localhost:5173",
+ "Access-Control-Request-Method": "POST",
+ },
+ )
+
+ allow_methods = response.headers.get("access-control-allow-methods", "")
+ assert "POST" in allow_methods
+ assert "PUT" in allow_methods
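Review bot: The test never asserts the preflight outcome itself, only the contents of `Access-Control-Allow-Methods`. As far as I recall, Starlette's CORS middleware attaches that header to a rejected preflight as well, so both assertions would probably still pass with a 400 if `http://localhost:5173` dropped out of the allowed origins. Right after the `client.options(...)` call, add `assert response.status_code == 200` and `assert response.headers.get("access-control-allow-origin") in ("*", "http://localhost:5173")` so the origin half of the contract is pinned too. Because this test locks in a permissive methods default, a companion case is worth adding if the origin list is meant to be restrictive: an origin outside the configured list should get a 400 and no `Access-Control-Allow-Origin` header, which guards against the policy widening unnoticed.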