Set cors headers when using fixtures as mocks (#545)

Co-authored-by: J3utter <j3utter@gmail.com>

Author: J3utter

stoobly_agent/app/proxy/mock/eval_fixtures_service.py

@@ -25,7 +25,12 @@ def eval_fixtures(request: 'MitmproxyRequest', **options: MockOptions) -> Union[
   from requests.structures import CaseInsensitiveDict
 
   fixture_path = request.headers.get(MOCK_FIXTURE_PATH)
-  headers = CaseInsensitiveDict()
+  # Default CORS-style headers for all mock fixture responses
+  headers = CaseInsensitiveDict({
+    'Access-Control-Allow-Origin': '*',
+    'Access-Control-Allow-Methods': 'GET, OPTIONS, POST, PATCH, PUT, DELETE',
+    'Access-Control-Allow-Headers': '*',
+  })
   status_code = 200
 
   if fixture_path:
@@ -95,8 +100,12 @@ def eval_fixtures(request: 'MitmproxyRequest', **options: MockOptions) -> Union[
       if not os.path.isfile(fixture_path):
         return
 
+      # If fixture specifies headers, merge them into the defaults.
+      # Fixture-provided values override the defaults on conflict.
       _headers = fixture.get('headers')
-      headers = CaseInsensitiveDict(_headers if isinstance(_headers, dict) else {}) 
+      if isinstance(_headers, dict):
+        for k, v in _headers.items():
+          headers[k] = v
 
       if fixture.get('status_code'):
         status_code = fixture.get('status_code')

stoobly_agent/test/app/proxy/mock/eval_fixtures_service_test.py

@@ -151,6 +151,48 @@ def test_it_sets_response(
     def test_it_sets_headers(self, fixtures_response: requests.Response):
       assert fixtures_response.headers['test'] == '1'
       assert fixtures_response.headers['Content-Type'] == 'text/html'
+      # Default CORS headers should always be present
+      assert fixtures_response.headers['Access-Control-Allow-Origin'] == '*'
+      assert fixtures_response.headers['Access-Control-Allow-Methods'] == 'GET, OPTIONS, POST, PATCH, PUT, DELETE'
+      assert fixtures_response.headers['Access-Control-Allow-Headers'] == '*'
+
+    def test_fixture_headers_merge_with_cors_defaults(
+      self,
+      mitmproxy_request: MitmproxyRequest,
+      not_found_file_path: str,
+    ):
+      """Fixture headers should override defaults but preserve CORS keys."""
+      tmp_dir_path = DataDir.instance().tmp_dir_path
+      fixtures_file = os.path.join(tmp_dir_path, 'override_cors_headers.yml')
+
+      override_fixtures: Fixtures = {
+        'POST': {
+          '/404.html': {
+            'headers': {
+              'Access-Control-Allow-Origin': 'https://example.com',
+              'X-Custom-Header': 'abc',
+            },
+            'path': not_found_file_path,
+            'status_code': 200,
+          },
+        },
+      }
+
+      with open(fixtures_file, 'w') as f:
+        yaml.dump(override_fixtures, f, sort_keys=False)
+
+      res: requests.Response = eval_fixtures(
+        mitmproxy_request, response_fixtures_path=fixtures_file
+      )
+
+      assert res is not None
+      # Overridden origin
+      assert res.headers['Access-Control-Allow-Origin'] == 'https://example.com'
+      # Defaults preserved
+      assert res.headers['Access-Control-Allow-Methods'] == 'GET, OPTIONS, POST, PATCH, PUT, DELETE'
+      assert res.headers['Access-Control-Allow-Headers'] == '*'
+      # Custom header merged
+      assert res.headers['X-Custom-Header'] == 'abc'
 
     def test_it_sets_status_code(self,  fixtures_response: requests.Response):
       assert fixtures_response.status_code == 404
@@ -683,6 +725,14 @@ def test_custom_fixture_path_header(self, mitmproxy_request: MitmproxyRequest, t
       assert res is not None
       assert res.raw.read() == test_file_contents
 
+    def test_custom_fixture_path_header_sets_cors(self, mitmproxy_request: MitmproxyRequest):
+      """CORS defaults should be applied even when using custom fixture path header."""
+      res = eval_fixtures(mitmproxy_request)
+      assert res is not None
+      assert res.headers['Access-Control-Allow-Origin'] == '*'
+      assert res.headers['Access-Control-Allow-Methods'] == 'GET, OPTIONS, POST, PATCH, PUT, DELETE'
+      assert res.headers['Access-Control-Allow-Headers'] == '*'
+
     def test_custom_fixture_path_header_nonexistent_file(self, mitmproxy_request: MitmproxyRequest):
       """Test custom fixture path header pointing to nonexistent file."""
       from stoobly_agent.config.constants.custom_headers import MOCK_FIXTURE_PATH