added fetching of origin in auth login

2026-03-05 10:09:12 +08:00
parent 8f51faeb12
commit 30c91cf5c8
6 changed files with 319 additions and 76 deletions
@@ -0,0 +1,44 @@
+package middleware
+
+import (
+	"authentication/helper"
+	"net/http"
+	"os"
+	"strings"
+)
+
+const defaultFrontendOrigin = "http://localhost:5173"
+
+func allowedFrontendOrigins() map[string]struct{} {
+	raw := os.Getenv("FRONTEND_ORIGINS")
+	if strings.TrimSpace(raw) == "" {
+		raw = defaultFrontendOrigin
+	}
+
+	allowed := make(map[string]struct{})
+	for _, origin := range strings.Split(raw, ",") {
+		trimmed := strings.TrimSpace(origin)
+		if trimmed != "" {
+			allowed[trimmed] = struct{}{}
+		}
+	}
+
+	return allowed
+}
+
+func FrontendOriginWhitelist(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		origin := strings.TrimSpace(r.Header.Get("Origin"))
+		if origin == "" {
+			helper.RespondWithError(w, http.StatusBadRequest, "missing origin header")
+			return
+		}
+
+		if _, ok := allowedFrontendOrigins()[origin]; !ok {
+			helper.RespondWithError(w, http.StatusForbidden, "forbidden origin")
+			return
+		}
+
+		next.ServeHTTP(w, r)
+	})
+}
@@ -0,0 +1,94 @@
+package middleware
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"testing"
+)
+
+func TestFrontendOriginWhitelist_DefaultAllowedOrigin(t *testing.T) {
+	os.Unsetenv("FRONTEND_ORIGINS")
+
+	called := false
+	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		called = true
+		w.WriteHeader(http.StatusOK)
+	})
+
+	handler := FrontendOriginWhitelist(next)
+	req := httptest.NewRequest(http.MethodGet, "/v1/auth/forgot-password", nil)
+	req.Header.Set("Origin", defaultFrontendOrigin)
+	recorder := httptest.NewRecorder()
+
+	handler.ServeHTTP(recorder, req)
+
+	if recorder.Code != http.StatusOK {
+		t.Fatalf("expected status %d, got %d", http.StatusOK, recorder.Code)
+	}
+	if !called {
+		t.Fatal("expected next handler to be called")
+	}
+}
+
+func TestFrontendOriginWhitelist_RejectsMissingOrigin(t *testing.T) {
+	os.Unsetenv("FRONTEND_ORIGINS")
+
+	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	})
+
+	handler := FrontendOriginWhitelist(next)
+	req := httptest.NewRequest(http.MethodGet, "/v1/auth/forgot-password", nil)
+	recorder := httptest.NewRecorder()
+
+	handler.ServeHTTP(recorder, req)
+
+	if recorder.Code != http.StatusForbidden {
+		t.Fatalf("expected status %d, got %d", http.StatusForbidden, recorder.Code)
+	}
+}
+
+func TestFrontendOriginWhitelist_RejectsNonWhitelistedOrigin(t *testing.T) {
+	os.Unsetenv("FRONTEND_ORIGINS")
+
+	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	})
+
+	handler := FrontendOriginWhitelist(next)
+	req := httptest.NewRequest(http.MethodGet, "/v1/auth/forgot-password", nil)
+	req.Header.Set("Origin", "http://malicious-site.example")
+	recorder := httptest.NewRecorder()
+
+	handler.ServeHTTP(recorder, req)
+
+	if recorder.Code != http.StatusForbidden {
+		t.Fatalf("expected status %d, got %d", http.StatusForbidden, recorder.Code)
+	}
+}
+
+func TestFrontendOriginWhitelist_UsesConfiguredOrigins(t *testing.T) {
+	os.Setenv("FRONTEND_ORIGINS", "http://localhost:4173, http://localhost:5173")
+	defer os.Unsetenv("FRONTEND_ORIGINS")
+
+	called := false
+	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		called = true
+		w.WriteHeader(http.StatusOK)
+	})
+
+	handler := FrontendOriginWhitelist(next)
+	req := httptest.NewRequest(http.MethodGet, "/v1/auth/forgot-password", nil)
+	req.Header.Set("Origin", "http://localhost:4173")
+	recorder := httptest.NewRecorder()
+
+	handler.ServeHTTP(recorder, req)
+
+	if recorder.Code != http.StatusOK {
+		t.Fatalf("expected status %d, got %d", http.StatusOK, recorder.Code)
+	}
+	if !called {
+		t.Fatal("expected next handler to be called")
+	}
+}