28 lines
772 B
Go
28 lines
772 B
Go
package mcp
|
|
|
|
import "net/http"
|
|
|
|
// OriginAllowlist returns middleware that rejects requests whose Origin header
|
|
// is not in the allowlist. Empty Origin (e.g. server-side curl) is allowed
|
|
// because Origin is browser-only by design.
|
|
func OriginAllowlist(allowed []string) func(http.Handler) http.Handler {
|
|
set := make(map[string]struct{}, len(allowed))
|
|
for _, a := range allowed {
|
|
set[a] = struct{}{}
|
|
}
|
|
return func(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
origin := r.Header.Get("Origin")
|
|
if origin == "" {
|
|
next.ServeHTTP(w, r)
|
|
return
|
|
}
|
|
if _, ok := set[origin]; !ok {
|
|
http.Error(w, "origin not allowed", http.StatusForbidden)
|
|
return
|
|
}
|
|
next.ServeHTTP(w, r)
|
|
})
|
|
}
|
|
}
|