Class: ActionMCP::Middleware::OriginValidation

Inherits:

Object

Object
ActionMCP::Middleware::OriginValidation

show all

Defined in:: lib/action_mcp/middleware/origin_validation.rb

Overview

Rack middleware that validates the Origin header on MCP requests to prevent DNS rebinding attacks per the MCP Streamable HTTP security section. Non-browser clients (Claude Desktop, curl) never send Origin and are always allowed. Present Origins must match either ‘ActionMCP.configuration.allowed_origins` or the server’s own host.

Runs as middleware — same layer as ‘ActionDispatch::HostAuthorization` —so invalid requests are rejected before they reach routing.

Constant Summary collapse

INVALID_REQUEST_CODE =

-32_600

Instance Method Summary collapse

#call(env) ⇒ Object
#initialize(app, paths = nil) ⇒ OriginValidation constructor

A new instance of OriginValidation.

Constructor Details

#initialize(app, paths = nil) ⇒ `OriginValidation`

Returns a new instance of OriginValidation.

Parameters:

app (#call)
paths (Array<String, Regexp, Proc>, nil) (defaults to: nil) —

paths to guard. Nil or empty means every request is guarded.

# File 'lib/action_mcp/middleware/origin_validation.rb', line 21

def initialize(app, paths = nil)
  @app = app
  @paths = Array(paths)
end

Instance Method Details

#call(env) ⇒ `Object`

# File 'lib/action_mcp/middleware/origin_validation.rb', line 26

def call(env)
  return @app.call(env) unless guard_path?(env["PATH_INFO"])

  request = ActionDispatch::Request.new(env)
  origin = request.origin
  return @app.call(env) if origin.nil? || origin.empty?
  return @app.call(env) if origin_allowed?(origin, request)

  forbidden_response
end