Include VaryByOrigin when there are multiple Origins configured (#84)

Fixes #97 * Added negative test and updated origin to valid origin url * Fixed tabs and spaces
2016-12-22 00:49:50 +01:00 · 2016-12-22 00:49:50 +01:00 · 2dbfb8839b
--- a/src/Microsoft.AspNetCore.Cors/Infrastructure/CorsService.cs
+++ b/src/Microsoft.AspNetCore.Cors/Infrastructure/CorsService.cs
@ -271,6 +271,11 @@ namespace Microsoft.AspNetCore.Cors.Infrastructure
            else if (policy.IsOriginAllowed(origin))
            {
                result.AllowedOrigin = origin;
+
+                if(policy.Origins.Count > 1)
+                {
+                    result.VaryByOrigin = true;
+                }
            }
        }

--- a/test/Microsoft.AspNetCore.Cors.Test/CorsServiceTests.cs
+++ b/test/Microsoft.AspNetCore.Cors.Test/CorsServiceTests.cs
@ -1080,6 +1080,41 @@ namespace Microsoft.AspNetCore.Cors.Infrastructure
            Assert.Equal("30", httpContext.Response.Headers["Access-Control-Max-Age"]);
        }

+        [Fact]
+        public void EvaluatePolicy_MultiOriginsPolicy_ReturnsVaryByOriginHeader()
+        {
+            // Arrange
+            var corsService = new CorsService(new TestCorsOptions());
+            var requestContext = GetHttpContext(origin: "http://example.com");
+            var policy = new CorsPolicy();
+            policy.Origins.Add("http://example.com");
+            policy.Origins.Add("http://example-two.com");
+
+            // Act
+            var result = corsService.EvaluatePolicy(requestContext, policy);
+
+            // Assert
+            Assert.NotNull(result.AllowedOrigin);
+            Assert.True(result.VaryByOrigin);
+        }
+
+        [Fact]
+        public void EvaluatePolicy_MultiOriginsPolicy_NoMatchingOrigin_ReturnsInvalidResult()
+        {
+            // Arrange
+            var corsService = new CorsService(new TestCorsOptions());
+            var requestContext = GetHttpContext(origin: "http://example.com");
+            var policy = new CorsPolicy();
+            policy.Origins.Add("http://example-two.com");
+            policy.Origins.Add("http://example-three.com");
+
+            // Act
+            var result = corsService.EvaluatePolicy(requestContext, policy);
+
+            // Assert
+            Assert.Null(result.AllowedOrigin);
+            Assert.False(result.VaryByOrigin);
+        }


        private static HttpContext GetHttpContext(