Class: ActionMCP::Middleware::OriginValidation
- Inherits:
-
Object
- Object
- ActionMCP::Middleware::OriginValidation
- Defined in:
- lib/action_mcp/middleware/origin_validation.rb
Overview
Rack middleware that validates the Origin header on MCP requests to
prevent DNS rebinding attacks per the MCP Streamable HTTP security
section. Non-browser clients (Claude Desktop, curl) never send Origin
and are always allowed. Present Origins must match the explicitly trusted
hosts in ActionMCP.configuration.allowed_origins.
Runs as middleware — same layer as ActionDispatch::HostAuthorization —
so invalid requests are rejected before they reach routing.
Constant Summary collapse
- INVALID_REQUEST_CODE =
-32_600
Instance Method Summary collapse
- #call(env) ⇒ Object
-
#initialize(app, paths = nil) ⇒ OriginValidation
constructor
A new instance of OriginValidation.
Constructor Details
#initialize(app, paths = nil) ⇒ OriginValidation
Returns a new instance of OriginValidation.
21 22 23 24 |
# File 'lib/action_mcp/middleware/origin_validation.rb', line 21 def initialize(app, paths = nil) @app = app @paths = Array(paths) end |
Instance Method Details
#call(env) ⇒ Object
26 27 28 29 30 31 32 33 34 35 |
# File 'lib/action_mcp/middleware/origin_validation.rb', line 26 def call(env) return @app.call(env) unless guard_path?(env["PATH_INFO"]) request = ActionDispatch::Request.new(env) origin = request.origin return @app.call(env) if origin.nil? return @app.call(env) if origin_allowed?(origin, request) forbidden_response end |