From 873148a5c4e4ae1fa18ad1dfd3d8dbe2615b9be5 Mon Sep 17 00:00:00 2001
From: Ben McClelland <ben.mcclelland@versity.com>
Date: Mon, 13 Apr 2026 19:13:58 -0700
Subject: [PATCH] fix: add Host header to HTTP test requests for fasthttp
 v1.70.0 compatibility

fasthttp v1.70.0 now enforces the HTTP/1.1 requirement of exactly
one Host header, rejecting requests that omit it. Fix tests that
were failing due to missing host.
---
 s3api/controllers/cors_default_origin_test.go          | 2 ++
 s3api/middlewares/apply-bucket-cors-preflight_test.go  | 3 +++
 s3api/middlewares/apply-default-cors-preflight_test.go | 1 +
 s3api/middlewares/apply-default-cors_test.go           | 2 ++
 s3api/middlewares/object-post-auth_test.go             | 2 ++
 s3api/router_cors_test.go                              | 7 +++++++
 6 files changed, 17 insertions(+)

diff --git a/s3api/controllers/cors_default_origin_test.go b/s3api/controllers/cors_default_origin_test.go
index 4d198399..91bc7983 100644
--- a/s3api/controllers/cors_default_origin_test.go
+++ b/s3api/controllers/cors_default_origin_test.go
@@ -45,6 +45,7 @@ func TestApplyBucketCORS_FallbackOrigin_NoBucketCors_NoRequestOrigin(t *testing.
 	if err != nil {
 		t.Fatalf("new request: %v", err)
 	}
+	req.Host = "localhost"
 
 	resp, err := app.Test(req)
 	if err != nil {
@@ -80,6 +81,7 @@ func TestApplyBucketCORS_FallbackOrigin_NotAppliedWhenBucketCorsExists(t *testin
 	if err != nil {
 		t.Fatalf("new request: %v", err)
 	}
+	req.Host = "localhost"
 
 	resp, err := app.Test(req)
 	if err != nil {
diff --git a/s3api/middlewares/apply-bucket-cors-preflight_test.go b/s3api/middlewares/apply-bucket-cors-preflight_test.go
index 776bfae4..5a4bdca7 100644
--- a/s3api/middlewares/apply-bucket-cors-preflight_test.go
+++ b/s3api/middlewares/apply-bucket-cors-preflight_test.go
@@ -53,6 +53,7 @@ func TestApplyBucketCORSPreflightFallback_NoBucketCors_Responds204(t *testing.T)
 	if err != nil {
 		t.Fatalf("new request: %v", err)
 	}
+	req.Host = "localhost"
 	req.Header.Set("Origin", "https://request-origin.example")
 	req.Header.Set("Access-Control-Request-Method", "GET")
 	req.Header.Set("Access-Control-Request-Headers", "content-type")
@@ -95,6 +96,7 @@ func TestApplyBucketCORSPreflightFallback_NoSuchBucket_Responds204(t *testing.T)
 	if err != nil {
 		t.Fatalf("new request: %v", err)
 	}
+	req.Host = "localhost"
 	req.Header.Set("Origin", "https://request-origin.example")
 	req.Header.Set("Access-Control-Request-Method", "PUT")
 	req.Header.Set("Access-Control-Request-Headers", "content-type")
@@ -134,6 +136,7 @@ func TestApplyBucketCORSPreflightFallback_BucketHasCors_CallsNext(t *testing.T)
 	if err != nil {
 		t.Fatalf("new request: %v", err)
 	}
+	req.Host = "localhost"
 
 	resp, err := app.Test(req)
 	if err != nil {
diff --git a/s3api/middlewares/apply-default-cors-preflight_test.go b/s3api/middlewares/apply-default-cors-preflight_test.go
index ae0ebfff..f3d4d2a3 100644
--- a/s3api/middlewares/apply-default-cors-preflight_test.go
+++ b/s3api/middlewares/apply-default-cors-preflight_test.go
@@ -35,6 +35,7 @@ func TestApplyDefaultCORSPreflight_OptionsSetsPreflightHeaders(t *testing.T) {
 	if err != nil {
 		t.Fatalf("new request: %v", err)
 	}
+	req.Host = "localhost"
 	req.Header.Set("Origin", "https://request-origin.example")
 	req.Header.Set("Access-Control-Request-Method", "PATCH")
 	req.Header.Set("Access-Control-Request-Headers", "content-type,authorization")
diff --git a/s3api/middlewares/apply-default-cors_test.go b/s3api/middlewares/apply-default-cors_test.go
index df181c2c..0c0474d8 100644
--- a/s3api/middlewares/apply-default-cors_test.go
+++ b/s3api/middlewares/apply-default-cors_test.go
@@ -33,6 +33,7 @@ func TestApplyDefaultCORS_AddsHeaderWhenOriginSet(t *testing.T) {
 	if err != nil {
 		t.Fatalf("new request: %v", err)
 	}
+	req.Host = "localhost"
 
 	resp, err := app.Test(req)
 	if err != nil {
@@ -62,6 +63,7 @@ func TestApplyDefaultCORS_DoesNotOverrideExistingHeader(t *testing.T) {
 	if err != nil {
 		t.Fatalf("new request: %v", err)
 	}
+	req.Host = "localhost"
 
 	resp, err := app.Test(req)
 	if err != nil {
diff --git a/s3api/middlewares/object-post-auth_test.go b/s3api/middlewares/object-post-auth_test.go
index 180d12ab..a26cb6d9 100644
--- a/s3api/middlewares/object-post-auth_test.go
+++ b/s3api/middlewares/object-post-auth_test.go
@@ -103,6 +103,7 @@ func makePostRequest(t *testing.T, body []byte, boundary string) *http.Request {
 
 	req, err := http.NewRequest(http.MethodPost, "/mybucket", bytes.NewReader(body))
 	assert.NoError(t, err)
+	req.Host = "localhost"
 	req.Header.Set("Content-Type", fmt.Sprintf("multipart/form-data; boundary=%s", boundary))
 	// Set both the header and the int64 field: app.Test() serialises the
 	// request via req.Write() which uses req.ContentLength; fasthttp then
@@ -283,6 +284,7 @@ func TestAuthorizePostObject_InvalidContentType_ReturnsError(t *testing.T) {
 
 	req, err := http.NewRequest(http.MethodPost, "/mybucket", strings.NewReader("body"))
 	assert.NoError(t, err)
+	req.Host = "localhost"
 	req.Header.Set("Content-Type", "application/json")
 	req.Header.Set("Content-Length", "4")
 
diff --git a/s3api/router_cors_test.go b/s3api/router_cors_test.go
index b7da5765..3b1f5b4f 100644
--- a/s3api/router_cors_test.go
+++ b/s3api/router_cors_test.go
@@ -71,6 +71,7 @@ func TestS3ApiRouter_ListBuckets_DefaultCORSAllowOrigin(t *testing.T) {
 	if err != nil {
 		t.Fatalf("new request: %v", err)
 	}
+	req.Host = "localhost"
 
 	resp, err := app.Test(req)
 	if err != nil {
@@ -101,6 +102,7 @@ func TestS3ApiRouter_ListBuckets_OptionsPreflight_DefaultCORS(t *testing.T) {
 	if err != nil {
 		t.Fatalf("new request: %v", err)
 	}
+	req.Host = "localhost"
 	req.Header.Set("Origin", "https://client.example")
 	req.Header.Set("Access-Control-Request-Method", "GET")
 	req.Header.Set("Access-Control-Request-Headers", "authorization")
@@ -134,6 +136,7 @@ func TestS3ApiRouter_PutBucketTagging_ErrorStillIncludesFallbackCORS(t *testing.
 	if err != nil {
 		t.Fatalf("new request: %v", err)
 	}
+	req.Host = "localhost"
 	req.Header.Set("Origin", origin)
 
 	resp, err := app.Test(req)
@@ -162,6 +165,7 @@ func TestS3ApiRouter_PutObjectTagging_ErrorStillIncludesFallbackCORS(t *testing.
 	if err != nil {
 		t.Fatalf("new request: %v", err)
 	}
+	req.Host = "localhost"
 	req.Header.Set("Origin", origin)
 
 	resp, err := app.Test(req)
@@ -190,6 +194,7 @@ func TestS3ApiRouter_CopyObject_ErrorStillIncludesFallbackCORS(t *testing.T) {
 	if err != nil {
 		t.Fatalf("new request: %v", err)
 	}
+	req.Host = "localhost"
 	req.Header.Set("Origin", origin)
 	req.Header.Set("X-Amz-Copy-Source", "srcbucket/srckey")
 
@@ -219,6 +224,7 @@ func TestS3ApiRouter_PutObject_ErrorStillIncludesFallbackCORS(t *testing.T) {
 	if err != nil {
 		t.Fatalf("new request: %v", err)
 	}
+	req.Host = "localhost"
 	req.Header.Set("Origin", origin)
 
 	resp, err := app.Test(req)
@@ -263,6 +269,7 @@ func TestS3ApiRouter_OptionsWithBucketCORS_NoDuplicateHeaders(t *testing.T) {
 	if err != nil {
 		t.Fatalf("new request: %v", err)
 	}
+	req.Host = "localhost"
 	req.Header.Set("Origin", bucketOrigin)
 	req.Header.Set("Access-Control-Request-Method", "PUT")
 	req.Header.Set("Access-Control-Request-Headers", "content-type")