|
| 1 | +using System.Net; |
| 2 | +using FSH.Framework.Core.Exceptions; |
| 3 | +using Microsoft.AspNetCore.Http; |
| 4 | +using Microsoft.Extensions.Logging; |
| 5 | +using Microsoft.Extensions.Options; |
| 6 | + |
| 7 | +namespace FSH.Framework.Web.Frontend; |
| 8 | + |
| 9 | +internal sealed class FrontendOriginResolver( |
| 10 | + IHttpContextAccessor httpContextAccessor, |
| 11 | + IOptions<FrontendOptions> options, |
| 12 | + ILogger<FrontendOriginResolver> logger) : IFrontendOriginResolver |
| 13 | +{ |
| 14 | + // Normalize the allow-list once at construction: parse to Uri so matching is component-wise |
| 15 | + // (scheme + host + port) instead of a raw string compare that an entry like ":443" or an IDN |
| 16 | + // form would silently fail. |
| 17 | + private readonly Uri[] _allowed = Normalize(options.Value.AllowedOrigins); |
| 18 | + private readonly string? _default = options.Value.DefaultOrigin?.TrimEnd('/'); |
| 19 | + |
| 20 | + public string ResolveForCurrentRequest() |
| 21 | + { |
| 22 | + var header = httpContextAccessor.HttpContext?.Request.Headers.Origin.ToString(); |
| 23 | + if (string.IsNullOrWhiteSpace(header)) |
| 24 | + { |
| 25 | + // Non-browser caller (curl, Scalar try-it, mobile, server-to-server) sends no Origin. |
| 26 | + // Fall back to the configured default rather than failing an otherwise valid flow. |
| 27 | + return ResolveDefault(); |
| 28 | + } |
| 29 | + |
| 30 | + var canonical = MatchAllowed(header); |
| 31 | + if (canonical is not null) |
| 32 | + { |
| 33 | + return canonical; |
| 34 | + } |
| 35 | + |
| 36 | + // A present-but-unlisted Origin is a forged or misconfigured client, not a server fault: |
| 37 | + // surface a 4xx so error-rate alerting doesn't page on bot traffic to anonymous endpoints. |
| 38 | + logger.LogWarning("Rejected front-end origin {Origin}: not in FrontendOptions:AllowedOrigins", header); |
| 39 | + throw new CustomException( |
| 40 | + "The request origin is not an allowed front-end origin.", |
| 41 | + errors: null, |
| 42 | + HttpStatusCode.BadRequest); |
| 43 | + } |
| 44 | + |
| 45 | + public string ResolveDefault() |
| 46 | + { |
| 47 | + if (string.IsNullOrEmpty(_default)) |
| 48 | + { |
| 49 | + // Startup validation should prevent this; guard anyway so a misconfig surfaces as a |
| 50 | + // clear 500 rather than an empty link silently shipped into an e-mail. |
| 51 | + throw new CustomException( |
| 52 | + "No default front-end origin is configured (FrontendOptions:DefaultOrigin).", |
| 53 | + errors: null, |
| 54 | + HttpStatusCode.InternalServerError); |
| 55 | + } |
| 56 | + |
| 57 | + return _default; |
| 58 | + } |
| 59 | + |
| 60 | + private string? MatchAllowed(string header) |
| 61 | + { |
| 62 | + if (!Uri.TryCreate(header.TrimEnd('/'), UriKind.Absolute, out var candidate)) |
| 63 | + { |
| 64 | + return null; |
| 65 | + } |
| 66 | + |
| 67 | + // Return the canonical configured entry, never the client-supplied casing. |
| 68 | + return _allowed |
| 69 | + .FirstOrDefault(allowed => Uri.Compare( |
| 70 | + candidate, allowed, UriComponents.SchemeAndServer, UriFormat.Unescaped, StringComparison.OrdinalIgnoreCase) == 0) |
| 71 | + ?.GetLeftPart(UriPartial.Authority); |
| 72 | + } |
| 73 | + |
| 74 | + private static Uri[] Normalize(string[] origins) |
| 75 | + { |
| 76 | + var list = new List<Uri>(origins.Length); |
| 77 | + foreach (var origin in origins) |
| 78 | + { |
| 79 | + if (Uri.TryCreate(origin.TrimEnd('/'), UriKind.Absolute, out var uri)) |
| 80 | + { |
| 81 | + list.Add(uri); |
| 82 | + } |
| 83 | + } |
| 84 | + |
| 85 | + return [.. list]; |
| 86 | + } |
| 87 | +} |
0 commit comments