@@ -56,4 +56,44 @@ void corsPreflightHandlerReturns204WithExpectedHeadersOnValidPreflight() {
5656 .containsEntry ("Access-Control-Max-Age" , "600" )
5757 .containsEntry ("Vary" , "Origin" );
5858 }
59+
60+ @ Test
61+ void corsPreflightHandlerOmitsAllowCredentialsWhenFalse () {
62+ RequestHandler handler =
63+ Handlers .corsPreflightHandler (ORIGINS , METHODS , HEADERS , false , Duration .ofMinutes (10 ));
64+
65+ Response resp = handler .handle (preflight ("https://app.example.com" , "POST" , "content-type" ));
66+
67+ assertThat (resp .headers ()).doesNotContainKey ("Access-Control-Allow-Credentials" );
68+ }
69+
70+ @ Test
71+ void corsPreflightHandlerOmitsMaxAgeWhenNull () {
72+ RequestHandler handler = Handlers .corsPreflightHandler (ORIGINS , METHODS , HEADERS , true , null );
73+
74+ Response resp = handler .handle (preflight ("https://app.example.com" , "POST" , "content-type" ));
75+
76+ assertThat (resp .headers ()).doesNotContainKey ("Access-Control-Max-Age" );
77+ }
78+
79+ @ Test
80+ void corsPreflightHandlerEmitsMaxAgeInSecondsWhenSet () {
81+ RequestHandler handler =
82+ Handlers .corsPreflightHandler (ORIGINS , METHODS , HEADERS , false , Duration .ofSeconds (75 ));
83+
84+ Response resp = handler .handle (preflight ("https://app.example.com" , "POST" , "content-type" ));
85+
86+ assertThat (resp .headers ()).containsEntry ("Access-Control-Max-Age" , "75" );
87+ }
88+
89+ @ Test
90+ void corsPreflightHandlerOmitsAllowHeadersWhenListEmpty () {
91+ RequestHandler handler =
92+ Handlers .corsPreflightHandler (ORIGINS , METHODS , List .of (), false , null );
93+
94+ Response resp = handler .handle (preflight ("https://app.example.com" , "POST" , "" ));
95+
96+ assertThat (resp .headers ()).doesNotContainKey ("Access-Control-Allow-Headers" );
97+ assertThat (resp .status ()).isEqualTo (HTTP_NO_CONTENT );
98+ }
5999}
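Review bot: The only new case that enables credentials, `corsPreflightHandlerOmitsMaxAgeWhenNull` (passes `true`), asserts nothing about `Access-Control-Allow-Origin` or `Access-Control-Allow-Credentials`, so a regression that answers a credentialed preflight with a wildcard origin, or drops the credentials header, would still pass. I would pin that in a credentialed test with `assertThat(resp.headers()).containsEntry("Access-Control-Allow-Origin", "https://app.example.com").containsEntry("Access-Control-Allow-Credentials", "true");`, assuming the handler echoes the matched origin. All four added tests also send the same allowed origin, so the new option combinations are never exercised with an origin outside `ORIGINS`. A negative case asserting `doesNotContainKey("Access-Control-Allow-Origin")` for such an origin would cover the security-relevant path, unless one already exists elsewhere in the class, which is not visible from this hunk.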