.. py:function:: test_cors
Scenario: An API consumer submitting a request with an ‘Origin’ header receives the expected CORS headers in response
CORS allows the API to be called from within a web browser by websites hosted on a different domain to that of the API. This is important as users of our API documentation must be able to send test requests from that page using the ‘try it now’ functionality.
Given the API consumer provides an Origin header
When the request is submitted
Then the response contains CORS headers to allow the request
Asserts
- Response contains ‘Access-Control-Allow-Origin’ header matching the provided value
- Response contains ‘Access-Control-Expose-Headers’ header matching ‘x-correlation-id’
- Response contains ‘Cross-Origin-Resource-Policy’ header matching ‘cross-origin’
Methods
This test is run with different HTTP methods. If the method is either HEAD or OPTIONS, the test does not assert against the body of the response, as none is returned.
| Value |
|---|
| GET |
| POST |
| PUT |
| PATCH |
| DELETE |
| HEAD |
| OPTIONS |
.. py:function:: test_cors_options
Scenario: An API consumer submitting a request with CORS headers receives a response reflecting the CORS header values
CORS allows the API to be called from within a web browser by websites hosted on a different domain to that of the API. This is important as users of our API documentation must be able to send test requests from that page using the ‘try it now’ functionality.
Given the API consumer wants to make a request using CORS
When a browser is used to send the initial OPTIONS request
Then the response allows the request proper to be sent
Asserts
- Response returns 200 status code
- Response contains ‘Access-Control-Allow-Origin’ header matching the provided value
- Response contains ‘Access-Control-Allow-Methods’ header matching the HTTP method supplied
- Response contains ‘Access-Control-Max-Age’ header matching the maximum age for which the allowed methods and headers can be cached (42 days)
- Response contains ‘Access-Control-Allow-Headers’ header matching the API’s allowed headers
- Response contains ‘Cross-Origin-Resource-Policy’ header matching ‘cross-origin’
Scenario: An API consumer submitting a request with x-amz headers does not have x-amz headers returned
Given the API consumer provides an x-amz header
When the request is submitted
Then the response does not contain an x-amz header
Asserts
- Response does not contain x-amz headers
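The asserts listed for test_cors_options can be expressed as a single check over one preflight exchange. This is an added example, not the project's own test code; the allowed-header list, the sample origin and the use of ‘Access-Control-Request-Method’ to supply the method are assumptions.

```python
MAX_AGE_SECONDS = 42 * 24 * 60 * 60  # 42 days; Access-Control-Max-Age is in seconds
ALLOWED_HEADERS = {"content-type", "x-correlation-id"}  # hypothetical allow-list

def _csv(value):
    """Split a comma-separated header value into a lowercase set."""
    return {v.strip().lower() for v in (value or "").split(",") if v.strip()}

def check_preflight(request_headers, status, response_headers):
    """Return the list of failed asserts for one OPTIONS preflight exchange."""
    req = {k.lower(): v for k, v in request_headers.items()}
    res = {k.lower(): v for k, v in response_headers.items()}
    failures = []
    if status != 200:
        failures.append("status")
    if res.get("access-control-allow-origin") != req.get("origin"):
        failures.append("access-control-allow-origin")
    # Assumption: the method is supplied via Access-Control-Request-Method.
    if req.get("access-control-request-method", "").lower() not in _csv(
            res.get("access-control-allow-methods")):
        failures.append("access-control-allow-methods")
    if res.get("access-control-max-age") != str(MAX_AGE_SECONDS):
        failures.append("access-control-max-age")
    if _csv(res.get("access-control-allow-headers")) != ALLOWED_HEADERS:
        failures.append("access-control-allow-headers")
    if res.get("cross-origin-resource-policy") != "cross-origin":
        failures.append("cross-origin-resource-policy")
    # Header names are case-insensitive, so X-Amz-* is caught after lowercasing.
    failures.extend(sorted(k for k in res if k.startswith("x-amz")))
    return failures

# Constructed sample exchange (not captured from the real API).
REQUEST = {
    "Origin": "https://docs.example.test",
    "Access-Control-Request-Method": "POST",
    "x-amz-date": "20240101T000000Z",
}
GOOD = {
    "Access-Control-Allow-Origin": "https://docs.example.test",
    "Access-Control-Allow-Methods": "POST",
    "Access-Control-Max-Age": "3628800",
    "Access-Control-Allow-Headers": "Content-Type, X-Correlation-Id",
    "Cross-Origin-Resource-Policy": "cross-origin",
}
# Constructed failure case: wildcard origin, short cache lifetime, leaked x-amz header.
BAD = dict(GOOD, **{"Access-Control-Allow-Origin": "*",
                    "Access-Control-Max-Age": "600",
                    "X-Amz-Request-Id": "constructed-value"})

if __name__ == "__main__":
    print(check_preflight(REQUEST, 200, GOOD))
    print(check_preflight(REQUEST, 200, BAD))
```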
.. py:function:: test_request_with_x_correlation_id
Scenario: An API consumer submitting a request with an ‘X-Correlation-Id’ header receives a response reflecting the X-Correlation-Id value
Given the API consumer provides an x-correlation-id header
When the request is submitted
Then the response contains an x-correlation-id header
Asserts
- Response returns a 504 status code
- Response returns the expected error message body
- Response returns the ‘X-Correlation-Id’ header if provided
Methods
This test is run with different HTTP methods. If the method is either HEAD or OPTIONS, the test does not assert against the body of the response, as none is returned.
| Value |
|---|
| GET |
| POST |
| PUT |
| PATCH |
| DELETE |
| HEAD |
| OPTIONS |
Correlation IDs
This test uses the ‘X-Correlation-Id’ header. When it is provided in a request, it is returned in the response.
| Value | Description |
|---|---|
| None | Is tested to ensure that we do not send back a correlation identifier if one was not provided in the request. |
| 76491414-d0cf-4655-ae20-a4d1368472f3 | Is tested to ensure that when a correlation identifier is sent, we respond with the same value. |