package wshub import ( "net/http" "testing" ) // TestCheckOrigin_NoOriginHeader — non-browser clients (no Origin) are allowed. func TestCheckOrigin_NoOriginHeader(t *testing.T) { r := &http.Request{Header: http.Header{}} if !checkOrigin(r) { t.Fatal("non-browser client (no Origin header) should be allowed") } } // TestCheckOrigin_SameOrigin — Origin host matching Host header is allowed. func TestCheckOrigin_SameOrigin(t *testing.T) { r := &http.Request{ Header: http.Header{ "Origin": []string{"http://localhost:8090"}, }, Host: "localhost:8090", } if !checkOrigin(r) { t.Fatal("same-origin request should be allowed") } } // TestCheckOrigin_CrossOriginBlocked — different Origin host is rejected. func TestCheckOrigin_CrossOriginBlocked(t *testing.T) { r := &http.Request{ Header: http.Header{ "Origin": []string{"http://evil.example.com:8090"}, }, Host: "localhost:8090", } if checkOrigin(r) { t.Fatal("cross-origin request should be blocked") } } // TestCheckOrigin_Allowlist — explicitly allowed origins pass even if cross-origin. func TestCheckOrigin_Allowlist(t *testing.T) { SetAllowedOrigins([]string{"http://evil.example.com:8090"}) defer SetAllowedOrigins(nil) // reset r := &http.Request{ Header: http.Header{ "Origin": []string{"http://evil.example.com:8090"}, }, Host: "localhost:8090", } if !checkOrigin(r) { t.Fatal("allowlisted origin should be allowed") } } // TestCheckOrigin_AllowlistDoesNotMatch — non-allowlisted cross-origin is blocked. func TestCheckOrigin_AllowlistDoesNotMatch(t *testing.T) { SetAllowedOrigins([]string{"http://good.example.com"}) defer SetAllowedOrigins(nil) r := &http.Request{ Header: http.Header{ "Origin": []string{"http://evil.example.com"}, }, Host: "localhost:8090", } if checkOrigin(r) { t.Fatal("non-allowlisted cross-origin should be blocked") } }