Merge pull request #66 from prime-framework/degroff/usefullRefererInS…

…imulator add full Referer header in the simulator.
prime-framework · Nov 20, 2024 · 967640f · 967640f
2 parents 7030013 + 0fb7aee
commit 967640f
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 5 deletions.
diff --git a/build.savant b/build.savant
@@ -29,7 +29,7 @@ logbackVersion = "1.4.14"
 slf4jVersion = "2.0.13"
 testngVersion = "7.8.0"
 
-project(group: "org.primeframework", name: "prime-mvc", version: "4.27.0", licenses: ["ApacheV2_0"]) {
+project(group: "org.primeframework", name: "prime-mvc", version: "4.28.0", licenses: ["ApacheV2_0"]) {
   workflow {
     fetch {
       // Dependency resolution order:

diff --git a/pom.xml b/pom.xml
@@ -1,11 +1,12 @@
 <!--
   ~ Copyright (c) 2023, FusionAuth, All Rights Reserved
-  --><project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+  -->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
   <modelVersion>4.0.0</modelVersion>
 
   <groupId>org.primeframework</groupId>
   <artifactId>prime-mvc</artifactId>
-  <version>4.27.0</version>
+  <version>4.28.0</version>
   <packaging>jar</packaging>
 
   <name>FusionAuth App</name>
@@ -212,4 +213,4 @@
       </plugin>
     </plugins>
   </build>
-</project>
+</project>
diff --git a/src/test/java/org/primeframework/mvc/GlobalTest.java b/src/test/java/org/primeframework/mvc/GlobalTest.java
@@ -2288,6 +2288,11 @@ public void post_savedRequest_sameOriginAllowed() throws Exception {
 
         // Redirected to login
         .followRedirect(result -> result
+            // assert the request that was made included the correct Referer header
+            // - We could make this configurable, but for now, it is sending the full header, simulating a Refer policy of same-origin.
+            //   See RequestResult._followRedirect notes.
+            .custom(() -> assertEquals(result.request.getHeader("Referer"),
+                                       "http://localhost:9080/store/allow-post-purchase"))
             .assertStatusCode(200)
             .assertHeaderContains("Cache-Control", "no-cache")
             .assertBodyContains("Login"))

diff --git a/src/test/java/org/primeframework/mvc/test/RequestResult.java b/src/test/java/org/primeframework/mvc/test/RequestResult.java
@@ -1718,7 +1718,14 @@ private RequestResult _followRedirect(ThrowingConsumer<RequestResult> consumer)
 
     // Copy them to the new request. This is essentially what curl does when you follow redirects I think.
     // - Add in a Referer header for the current URL
-    rb.withHeader("Referer", request.getBaseURL());
+    // - Note that this is a full Referer that includes path and query string. We could make this configurable or allow a
+    //   Referer function to be specified given the current request object.
+    // - In practice we are not making requests cross-origin, or mixing http and https here, so functionally this is
+    //   equivalent to Referrer-Policy of same-origin
+    //   https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
+    rb.withHeader("Referer", request.getBaseURL() +
+                             (request.getPath() == null || request.getPath().equals("/") ? "" : request.getPath()) +
+                             (request.getQueryString() == null || request.getQueryString().isEmpty() ? "" : "?" + request.getQueryString()));
     headersCopy.forEach((name, value) -> value.forEach(v -> rb.withHeader(name, v)));
 
     RequestResult result = rb.get();