CLDSRV-881: refactor unit test file a bit

tcarmet · tcarmet · commit 5ce3f67f5bd2 · 2026-04-23T11:25:13.000-07:00
diff --git a/tests/unit/api/corsErrorHeaders.js b/tests/unit/api/corsErrorHeaders.js
@@ -15,9 +15,6 @@ const {
     makeAuthInfo,
 } = require('../helpers');
 
-// Endpoints exercised through api.callApiMethod. Each entry describes a
-// request that, once auth is denied, should still return CORS headers when
-// an Origin header is present and the bucket has a matching CORS rule.
 const endpoints = [
     { apiMethod: 'bucketGet', httpMethod: 'GET', url: '/', query: {} },
     { apiMethod: 'bucketHead', httpMethod: 'HEAD', url: '/', query: {} },
@@ -109,9 +106,6 @@ function buildResponseSpy(sandbox) {
         headers,
         setHeader: sandbox.spy((k, v) => { headers[k.toLowerCase()] = v; }),
         getHeader: k => headers[k.toLowerCase()],
-        writeHead: sandbox.stub(),
-        write: sandbox.stub(),
-        end: sandbox.stub(),
     };
 }
 
@@ -218,20 +212,14 @@ describe('CORS headers on 403 auth failures (api.callApiMethod)', () => {
 });
 
 describe('CORS headers on 403 via handler (fast path)', () => {
-    // Verifies the wrapper's fast path: when auth succeeds but the
-    // handler's own ACL/policy check denies, the handler has already
-    // loaded the bucket and passed corsHeaders through its callback.
-    // The wrapper should forward them without calling metadata.getBucket
-    // itself.
     let sandbox;
 
     before(done => setupBucketWithCors(done));
 
     beforeEach(() => {
         sandbox = sinon.createSandbox();
-        // Stub auth to succeed as a *different* account. The handler then
-        // runs standardMetadataValidateBucket which denies because the
-        // bucket is owned by accessKey1.
+        // Auth succeeds as accessKey2 so the handler runs and then
+        // denies at its own ACL check (bucket is owned by accessKey1).
         const otherAuth = makeAuthInfo('accessKey2');
         const authServer = {
             doAuth: sandbox.stub().callsArgWith(2, null, otherAuth,
@@ -259,27 +247,18 @@ describe('CORS headers on 403 via handler (fast path)', () => {
                 assert(corsHeaders,
                     'handler should have supplied corsHeaders');
                 assert.strictEqual(
-                    corsHeaders['access-control-allow-origin'], origin,
-                    'corsHeaders should include access-control-allow-origin');
-                // Fast path: the wrapper did not setHeader on the response.
-                // The route-level transport is what would ultimately call
-                // setCommonResponseHeaders in production.
+                    corsHeaders['access-control-allow-origin'], origin);
+                // Fast path: wrapper forwards corsHeaders via the callback
+                // instead of setting them on the response directly.
                 assert.strictEqual(
                     response.getHeader('access-control-allow-origin'),
-                    undefined,
-                    'wrapper should not set CORS headers directly when the '
-                    + 'handler already provided them');
+                    undefined);
                 done();
             });
     });
 });
 
 describe('CORS headers on 200 successful responses (per-handler)', () => {
-    // Sanity-check that the existing per-handler path continues to work.
-    // Pass-through tests: a request with matching CORS should receive
-    // CORS headers on 200. This guards against regressions when we change
-    // the error path.
-
     before(done => setupBucketWithCors(done));
 
     it('bucketGet returns corsHeaders to callback on 200', done => {
