checkSameOrigin

Description

Checks that request comes from the same origin. Extracts the Origin header value and verifies that allowed range contains the obtained value. In the case of absent of the Origin header rejects with a MissingHeaderRejection. If the origin value is not in the allowed range rejects with an InvalidOriginHeaderRejection and StatusCodes.FORBIDDEN status.

Example

Checking the Origin header:

final HttpOrigin validOriginHeader =
  HttpOrigin.create("http://localhost", Host.create("8080"));

final HttpOriginRange validOriginRange = HttpOriginRange.create(validOriginHeader);

final TestRoute route = testRoute(
  checkSameOrigin(validOriginRange,
    () -> complete("Result")));

route
  .run(HttpRequest.create().addHeader(Origin.create(validOriginHeader)))
  .assertStatusCode(StatusCodes.OK)
  .assertEntity("Result");

route
  .run(HttpRequest.create())
  .assertStatusCode(StatusCodes.BAD_REQUEST);

final HttpOrigin invalidOriginHeader =
  HttpOrigin.create("http://invalid.com", Host.create("8080"));

route
  .run(HttpRequest.create().addHeader(Origin.create(invalidOriginHeader)))
  .assertStatusCode(StatusCodes.FORBIDDEN);
The source code for this page can be found here.