Class: RosettAi::Mcp::Middleware::OriginValidation

Inherits:
Object
Defined in:
lib/rosett_ai/mcp/middleware/origin_validation.rb

Overview

Rack middleware that validates the Origin header against an allowlist.

Supports glob patterns (e.g., 'http://localhost:*'). Returns 403 Forbidden for disallowed origins. Localhost-only by default.

Author:

  • hugo

  • claude

Constant Summary

DEFAULT_ORIGINS =
['http://localhost:*', 'http://127.0.0.1:*'].freeze

Instance Method Summary

Constructor Details

#initialize(app, config: nil) ⇒ OriginValidation

Returns a new instance of OriginValidation.

Parameters:

  • app (#call)

    the next Rack application

  • config (#allowed_origins, #strict_mode) (defaults to: nil)

    origin config



# File 'lib/rosett_ai/mcp/middleware/origin_validation.rb', line 22

def initialize(app, config: nil)
  @app = app
  @allowed_origins = config.respond_to?(:allowed_origins) ? config.allowed_origins : DEFAULT_ORIGINS
  @strict_mode = config.respond_to?(:strict_mode) ? config.strict_mode : false
end

Instance Method Details

#call(env) ⇒ Array

Returns Rack response triplet.

Parameters:

  • env (Hash)

    Rack environment

Returns:

  • (Array)

    Rack response triplet



# File 'lib/rosett_ai/mcp/middleware/origin_validation.rb', line 30

def call(env)
  origin = env['HTTP_ORIGIN']
  return handle_absent_origin(env) unless origin
  return @app.call(env) if origin_allowed?(origin)

  reject_origin(origin)
end
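
The page does not show the bodies of origin_allowed?, handle_absent_origin or reject_origin, so the following is an added example (not RosettAi source) of one way to match an Origin header against glob patterns such as 'http://localhost:*' without over-matching. The class name, keyword arguments and the meaning given to strict mode (reject requests with no Origin header) are assumptions.

```ruby
# Added example, not RosettAi source. Class and helper names are hypothetical.
class OriginAllowlistExample
  DEFAULT_ORIGINS = ['http://localhost:*', 'http://127.0.0.1:*'].freeze

  # strict: assumed here to mean "reject requests that carry no Origin header".
  def initialize(app, allowed_origins: DEFAULT_ORIGINS, strict: false)
    @app = app
    @strict = strict
    @patterns = allowed_origins.map { |glob| compile(glob) }
  end

  # Same shape as the documented #call: returns a Rack response triplet.
  def call(env)
    origin = env['HTTP_ORIGIN']
    if origin.nil?
      return @strict ? forbidden('Origin header missing') : @app.call(env)
    end
    return @app.call(env) if allowed?(origin)

    forbidden('origin not allowed')
  end

  def allowed?(origin)
    @patterns.any? { |re| re.match?(origin) }
  end

  private

  # Compile a glob into a regex anchored with \A and \z (in Ruby, ^ and $
  # match at line breaks, so they do not anchor the whole string).
  # A trailing ':*' means "any port" and matches digits only; any other '*'
  # matches one run of characters that cannot cross '.', ':', '/' or '@'.
  def compile(glob)
    any_port = glob.end_with?(':*')
    body = any_port ? glob[0...-2] : glob
    source = body.split('*', -1).map { |part| Regexp.escape(part) }.join('[^.:/@]*')
    source += ':\d{1,5}' if any_port
    Regexp.new("\\A#{source}\\z")
  end

  def forbidden(reason)
    [403, { 'content-type' => 'text/plain' }, ["Forbidden: #{reason}\n"]]
  end
end

# Constructed downstream app for trying the middleware offline.
DEMO_APP = ->(_env) { [200, { 'content-type' => 'text/plain' }, ['ok']] }
```

A plain prefix or unanchored glob match on 'http://localhost:*' would also accept a value like 'http://localhost:3000.example.test'; restricting the port wildcard to digits and anchoring both ends closes that gap.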