feat: add WebSocket origin checker

2026-02-23 04:35:06 -05:00
parent 72f60054ed
commit 6981a38b72
2 changed files with 163 additions and 0 deletions
--- a/tests/NATS.Server.Tests/WebSocket/WsOriginCheckerTests.cs
+++ b/tests/NATS.Server.Tests/WebSocket/WsOriginCheckerTests.cs
@@ -0,0 +1,82 @@
+using NATS.Server.WebSocket;
+using Shouldly;
+
+namespace NATS.Server.Tests.WebSocket;
+
+public class WsOriginCheckerTests
+{
+    [Fact]
+    public void NoOriginHeader_Accepted()
+    {
+        var checker = new WsOriginChecker(sameOrigin: true, allowedOrigins: null);
+        checker.CheckOrigin(origin: null, requestHost: "localhost:4222", isTls: false)
+            .ShouldBeNull();
+    }
+
+    [Fact]
+    public void NeitherSameNorList_AlwaysAccepted()
+    {
+        var checker = new WsOriginChecker(sameOrigin: false, allowedOrigins: null);
+        checker.CheckOrigin("https://evil.com", "localhost:4222", false)
+            .ShouldBeNull();
+    }
+
+    [Fact]
+    public void SameOrigin_Match()
+    {
+        var checker = new WsOriginChecker(sameOrigin: true, allowedOrigins: null);
+        checker.CheckOrigin("http://localhost:4222", "localhost:4222", false)
+            .ShouldBeNull();
+    }
+
+    [Fact]
+    public void SameOrigin_Mismatch()
+    {
+        var checker = new WsOriginChecker(sameOrigin: true, allowedOrigins: null);
+        checker.CheckOrigin("http://other:4222", "localhost:4222", false)
+            .ShouldNotBeNull();
+    }
+
+    [Fact]
+    public void SameOrigin_DefaultPort_Http()
+    {
+        var checker = new WsOriginChecker(sameOrigin: true, allowedOrigins: null);
+        checker.CheckOrigin("http://localhost", "localhost:80", false)
+            .ShouldBeNull();
+    }
+
+    [Fact]
+    public void SameOrigin_DefaultPort_Https()
+    {
+        var checker = new WsOriginChecker(sameOrigin: true, allowedOrigins: null);
+        checker.CheckOrigin("https://localhost", "localhost:443", true)
+            .ShouldBeNull();
+    }
+
+    [Fact]
+    public void AllowedOrigins_Match()
+    {
+        var checker = new WsOriginChecker(sameOrigin: false,
+            allowedOrigins: ["https://app.example.com"]);
+        checker.CheckOrigin("https://app.example.com", "localhost:4222", false)
+            .ShouldBeNull();
+    }
+
+    [Fact]
+    public void AllowedOrigins_Mismatch()
+    {
+        var checker = new WsOriginChecker(sameOrigin: false,
+            allowedOrigins: ["https://app.example.com"]);
+        checker.CheckOrigin("https://evil.example.com", "localhost:4222", false)
+            .ShouldNotBeNull();
+    }
+
+    [Fact]
+    public void AllowedOrigins_SchemeMismatch()
+    {
+        var checker = new WsOriginChecker(sameOrigin: false,
+            allowedOrigins: ["https://app.example.com"]);
+        checker.CheckOrigin("http://app.example.com", "localhost:4222", false)
+            .ShouldNotBeNull();
+    }
+}