test/res.jsonp.js

   1 'use strict'
   2
   3 var express = require('../')
   4   , request = require('supertest')
   5   , assert = require('assert');
   6 var utils = require('./support/utils');
   7
   8 describe('res', function(){
   9   describe('.jsonp(object)', function(){
  10     it('should respond with jsonp', function(done){
  11       var app = express();
  12
  13       app.use(function(req, res){
  14         res.jsonp({ count: 1 });
  15       });
  16
  17       request(app)
  18       .get('/?callback=something')
  19       .expect('Content-Type', 'text/javascript; charset=utf-8')
  20       .expect(200, /something\(\{"count":1\}\);/, done);
  21     })
  22
  23     it('should use first callback parameter with jsonp', function(done){
  24       var app = express();
  25
  26       app.use(function(req, res){
  27         res.jsonp({ count: 1 });
  28       });
  29
  30       request(app)
  31       .get('/?callback=something&callback=somethingelse')
  32       .expect('Content-Type', 'text/javascript; charset=utf-8')
  33       .expect(200, /something\(\{"count":1\}\);/, done);
  34     })
  35
  36     it('should ignore object callback parameter with jsonp', function(done){
  37       var app = express();
  38
  39       app.use(function(req, res){
  40         res.jsonp({ count: 1 });
  41       });
  42
  43       request(app)
  44       .get('/?callback[a]=something')
  45       .expect('Content-Type', 'application/json; charset=utf-8')
  46       .expect(200, '{"count":1}', done)
  47     })
  48
  49     it('should allow renaming callback', function(done){
  50       var app = express();
  51
  52       app.set('jsonp callback name', 'clb');
  53
  54       app.use(function(req, res){
  55         res.jsonp({ count: 1 });
  56       });
  57
  58       request(app)
  59       .get('/?clb=something')
  60       .expect('Content-Type', 'text/javascript; charset=utf-8')
  61       .expect(200, /something\(\{"count":1\}\);/, done);
  62     })
  63
  64     it('should allow []', function(done){
  65       var app = express();
  66
  67       app.use(function(req, res){
  68         res.jsonp({ count: 1 });
  69       });
  70
  71       request(app)
  72       .get('/?callback=callbacks[123]')
  73       .expect('Content-Type', 'text/javascript; charset=utf-8')
  74       .expect(200, /callbacks\[123\]\(\{"count":1\}\);/, done);
  75     })
  76
  77     it('should disallow arbitrary js', function(done){
  78       var app = express();
  79
  80       app.use(function(req, res){
  81         res.jsonp({});
  82       });
  83
  84       request(app)
  85       .get('/?callback=foo;bar()')
  86       .expect('Content-Type', 'text/javascript; charset=utf-8')
  87       .expect(200, /foobar\(\{\}\);/, done);
  88     })
  89
  90     it('should escape utf whitespace', function(done){
  91       var app = express();
  92
  93       app.use(function(req, res){
  94         res.jsonp({ str: '\u2028 \u2029 woot' });
  95       });
  96
  97       request(app)
  98       .get('/?callback=foo')
  99       .expect('Content-Type', 'text/javascript; charset=utf-8')
 100       .expect(200, /foo\(\{"str":"\\u2028 \\u2029 woot"\}\);/, done);
 101     });
 102
 103     it('should not escape utf whitespace for json fallback', function(done){
 104       var app = express();
 105
 106       app.use(function(req, res){
 107         res.jsonp({ str: '\u2028 \u2029 woot' });
 108       });
 109
 110       request(app)
 111       .get('/')
 112       .expect('Content-Type', 'application/json; charset=utf-8')
 113       .expect(200, '{"str":"\u2028 \u2029 woot"}', done);
 114     });
 115
 116     it('should include security header and prologue', function (done) {
 117       var app = express();
 118
 119       app.use(function(req, res){
 120         res.jsonp({ count: 1 });
 121       });
 122
 123       request(app)
 124       .get('/?callback=something')
 125       .expect('Content-Type', 'text/javascript; charset=utf-8')
 126       .expect('X-Content-Type-Options', 'nosniff')
 127       .expect(200, /^\/\*\*\//, done);
 128     })
 129
 130     it('should not override previous Content-Types with no callback', function(done){
 131       var app = express();
 132
 133       app.get('/', function(req, res){
 134         res.type('application/vnd.example+json');
 135         res.jsonp({ hello: 'world' });
 136       });
 137
 138       request(app)
 139       .get('/')
 140       .expect('Content-Type', 'application/vnd.example+json; charset=utf-8')
 141       .expect(utils.shouldNotHaveHeader('X-Content-Type-Options'))
 142       .expect(200, '{"hello":"world"}', done);
 143     })
 144
 145     it('should override previous Content-Types with callback', function(done){
 146       var app = express();
 147
 148       app.get('/', function(req, res){
 149         res.type('application/vnd.example+json');
 150         res.jsonp({ hello: 'world' });
 151       });
 152
 153       request(app)
 154       .get('/?callback=cb')
 155       .expect('Content-Type', 'text/javascript; charset=utf-8')
 156       .expect('X-Content-Type-Options', 'nosniff')
 157       .expect(200, /cb\(\{"hello":"world"\}\);$/, done);
 158     })
 159
 160     describe('when given undefined', function () {
 161       it('should invoke callback with no arguments', function (done) {
 162         var app = express()
 163
 164         app.use(function (req, res) {
 165           res.jsonp(undefined)
 166         })
 167
 168         request(app)
 169           .get('/?callback=cb')
 170           .expect('Content-Type', 'text/javascript; charset=utf-8')
 171           .expect(200, /cb\(\)/, done)
 172       })
 173     })
 174
 175     describe('when given null', function () {
 176       it('should invoke callback with null', function (done) {
 177         var app = express()
 178
 179         app.use(function (req, res) {
 180           res.jsonp(null)
 181         })
 182
 183         request(app)
 184           .get('/?callback=cb')
 185           .expect('Content-Type', 'text/javascript; charset=utf-8')
 186           .expect(200, /cb\(null\)/, done)
 187       })
 188     })
 189
 190     describe('when given a string', function () {
 191       it('should invoke callback with a string', function (done) {
 192         var app = express()
 193
 194         app.use(function (req, res) {
 195           res.jsonp('tobi')
 196         })
 197
 198         request(app)
 199           .get('/?callback=cb')
 200           .expect('Content-Type', 'text/javascript; charset=utf-8')
 201           .expect(200, /cb\("tobi"\)/, done)
 202       })
 203     })
 204
 205     describe('when given a number', function () {
 206       it('should invoke callback with a number', function (done) {
 207         var app = express()
 208
 209         app.use(function (req, res) {
 210           res.jsonp(42)
 211         })
 212
 213         request(app)
 214           .get('/?callback=cb')
 215           .expect('Content-Type', 'text/javascript; charset=utf-8')
 216           .expect(200, /cb\(42\)/, done)
 217       })
 218     })
 219
 220     describe('when given an array', function () {
 221       it('should invoke callback with an array', function (done) {
 222         var app = express()
 223
 224         app.use(function (req, res) {
 225           res.jsonp(['foo', 'bar', 'baz'])
 226         })
 227
 228         request(app)
 229           .get('/?callback=cb')
 230           .expect('Content-Type', 'text/javascript; charset=utf-8')
 231           .expect(200, /cb\(\["foo","bar","baz"\]\)/, done)
 232       })
 233     })
 234
 235     describe('when given an object', function () {
 236       it('should invoke callback with an object', function (done) {
 237         var app = express()
 238
 239         app.use(function (req, res) {
 240           res.jsonp({ name: 'tobi' })
 241         })
 242
 243         request(app)
 244           .get('/?callback=cb')
 245           .expect('Content-Type', 'text/javascript; charset=utf-8')
 246           .expect(200, /cb\(\{"name":"tobi"\}\)/, done)
 247       })
 248     })
 249
 250     describe('"json escape" setting', function () {
 251       it('should be undefined by default', function () {
 252         var app = express()
 253         assert.strictEqual(app.get('json escape'), undefined)
 254       })
 255
 256       it('should unicode escape HTML-sniffing characters', function (done) {
 257         var app = express()
 258
 259         app.enable('json escape')
 260
 261         app.use(function (req, res) {
 262           res.jsonp({ '&': '\u2028<script>\u2029' })
 263         })
 264
 265         request(app)
 266         .get('/?callback=foo')
 267         .expect('Content-Type', 'text/javascript; charset=utf-8')
 268         .expect(200, /foo\({"\\u0026":"\\u2028\\u003cscript\\u003e\\u2029"}\)/, done)
 269       })
 270
 271       it('should not break undefined escape', function (done) {
 272         var app = express()
 273
 274         app.enable('json escape')
 275
 276         app.use(function (req, res) {
 277           res.jsonp(undefined)
 278         })
 279
 280         request(app)
 281           .get('/?callback=cb')
 282           .expect('Content-Type', 'text/javascript; charset=utf-8')
 283           .expect(200, /cb\(\)/, done)
 284       })
 285     })
 286
 287     describe('"json replacer" setting', function(){
 288       it('should be passed to JSON.stringify()', function(done){
 289         var app = express();
 290
 291         app.set('json replacer', function(key, val){
 292           return key[0] === '_'
 293             ? undefined
 294             : val;
 295         });
 296
 297         app.use(function(req, res){
 298           res.jsonp({ name: 'tobi', _id: 12345 });
 299         });
 300
 301         request(app)
 302         .get('/')
 303         .expect('Content-Type', 'application/json; charset=utf-8')
 304         .expect(200, '{"name":"tobi"}', done)
 305       })
 306     })
 307
 308     describe('"json spaces" setting', function(){
 309       it('should be undefined by default', function(){
 310         var app = express();
 311         assert(undefined === app.get('json spaces'));
 312       })
 313
 314       it('should be passed to JSON.stringify()', function(done){
 315         var app = express();
 316
 317         app.set('json spaces', 2);
 318
 319         app.use(function(req, res){
 320           res.jsonp({ name: 'tobi', age: 2 });
 321         });
 322
 323         request(app)
 324         .get('/')
 325         .expect('Content-Type', 'application/json; charset=utf-8')
 326         .expect(200, '{\n  "name": "tobi",\n  "age": 2\n}', done)
 327       })
 328     })
 329   })
 330
 331   it('should not override previous Content-Types', function(done){
 332     var app = express();
 333
 334     app.get('/', function(req, res){
 335       res.type('application/vnd.example+json');
 336       res.jsonp({ hello: 'world' });
 337     });
 338
 339     request(app)
 340     .get('/')
 341     .expect('content-type', 'application/vnd.example+json; charset=utf-8')
 342     .expect(200, '{"hello":"world"}', done)
 343   })
 344 })