var httpErrors = require('./errors');
var authentication = require('./auth');
// CORS permission for paths.
var HEADERS = {
 "img": [
 "GET"
 ]
};
function _requestAcceptedMethods(requestMethod, requestPath) {
 var headers = [];
 for (var path in HEADERS) {
 if (path == requestPath) {
 HEADERS[path].forEach(function(method) {
 if (method == requestMethod) {
  headers = HEADERS[path];
}
 });
 }
 }

 return headers.join();
};
function _getCorsRequest(req) {
 return {
 preflight: ("OPTIONS" == req.method),
 endpoint: (req.originalUrl.split('/')[2] || null)
 };
}
var crossOriginRequest = function(req, res, next) {
 if (req.headers['origin']) {
 req.cors = false;
 var cors = _getCorsRequest(req);
 log.debug({
 originalUrl: req.originalUrl,
 state: cors.preflight ? 'preflight' : 'flight'
 }, 'crossOriginRequest');

 // Access-Control-Allow-Origin needs to be set in preflight and flight. res.header('Access-Control-Allow-Origin', req.headers['origin']);

 if (cors.preflight && cors.endpoint) {
 var methods = _requestAcceptedMethods(req.method, cors.endpoint);
 res.header('Access-Control-Allow-Methods', methods);
 res.header('Access-Control-Allow-Headers', req.headers['access-control-request-headers']);
 }
 if (!cors.preflight) {
 req.authentication = authentication.getAuthParameters(req);
 var auth = req.authentication;
  authentication.corsAuth(auth.endpoint, auth.auth, auth.cors)
 .then(function(user) {
 user = JSON.parse(user);
 if (user.data.cors) {
 log.debug({
 originalUrl: auth.endpoint.path,
 }, 'CORS Authorization GRANTED.');
 req.cors = true;
 next();
 } else {
 next(httpErrors.forbidden('Access denied with CORS.', {
 error: user.data.cors
 }));
 return;
 }
 }).catch(function deniedAuth(err) {
 next(httpErrors.forbidden('Access denied.', err));
 return;
 }).done();
 } else {
 // Send empty body as to not overwrite "OK".
 res.status(200).send('');
 }
 } else {
 next();
 }
}
module.exports = crossOriginRequest;

EDITED: 3-28-16 @ 3:40pm PST

var httpErrors = require('./errors');
var authentication = require('./auth');
// CORS permission for paths.
var HEADERS = {
 "img": [
 "GET"
 ]
};
function _acceptsMethod(requestMethod, requestPath) {
 return HEADERS[requestPath].indexOf(requestMethod) >= 0;
};
function _getMethods(requestPath) {
 return HEADERS[requestPath].join();
};
function _getCorsRequest(req) {
 return {
 preflight: ("OPTIONS" == req.method),
 endpoint: (req.originalUrl.split('/')[2] || null)
 };
}
var crossOriginRequest = function(req, res, next) {
 if (req.headers['origin']) {
 req.cors = false;
 var cors = _getCorsRequest(req);
 // Access-Control-Allow-Origin needs to be set in preflight and flight.
 res.header('Access-Control-Allow-Origin', req.headers['origin']);
 if (cors.preflight && cors.endpoint) {
 if(!_acceptsMethod(req.headers["access-control-request-method"], cors.endpoint)){
 next(httpErrors.badRequest('Failed endpoint method requirments.'))
 return;
 }
 res.header('Access-Control-Allow-Methods', _getMethods(cors.endpoint));
 res.header('Access-Control-Allow-Headers', req.headers['access-control-request-headers']);
 }
 if (!cors.preflight) {
 var auth = req.authentication = authentication.getAuthParameters(req);
 authentication.check(auth.endpoint, auth.auth, auth.cors)
 .then(function(user) {
 user = JSON.parse(user);
 if (user.data.cors) {
 req.cors = true;
 next();
 } else {
 next(httpErrors.forbidden('Access denied with CORS.', {
 error: user.data.cors
 }));
 return;
 }
 }).catch(function deniedAuth(err) {
 next(httpErrors.forbidden('Access denied.', err));
 return;
 }).done();
 } else {
 // Send empty body as to not overwrite "OK".
 res.status(200).send('');
 }
 } else {
 next();
 }
}
module.exports = crossOriginRequest;

How should one break this component down to better perform unit test?

How should one break this component down to better perform unit test on its behaviors?