// Tests for oatpp-authkit/util/OriginCheck.hpp (authkit#16 M-4 / M-10). #include "oatpp-authkit/util/OriginCheck.hpp" #include #include #include namespace { int g_failures = 0; #define REQUIRE(expr) do { \ if (!(expr)) { \ std::fprintf(stderr, "FAIL %s:%d %s\n", __FILE__, __LINE__, #expr); \ ++g_failures; \ } \ } while (0) using namespace oatpp_authkit; void test_origin_hostname() { REQUIRE(originHostname("https://app.example.com") == "app.example.com"); REQUIRE(originHostname("https://app.example.com:8443/x?y=1") == "app.example.com"); REQUIRE(originHostname("app.example.com:443") == "app.example.com"); REQUIRE(originHostname("HTTP://App.Example.COM") == "app.example.com"); REQUIRE(originHostname("example.com") == "example.com"); } void test_same_origin() { // Origin host matches Host (port/scheme ignored). REQUIRE(sameOrigin("https://example.com", "example.com")); REQUIRE(sameOrigin("https://example.com:8443", "example.com")); REQUIRE(sameOrigin("https://example.com/page", "example.com")); // Referer form REQUIRE(sameOrigin("https://example.com", "example.com:443")); // Cross-host → blocked. REQUIRE(!sameOrigin("https://evil.com", "example.com")); REQUIRE(!sameOrigin("https://example.com.evil.com", "example.com")); // Empty inputs → can't decide → don't block (caller falls back). REQUIRE(sameOrigin("", "example.com")); REQUIRE(sameOrigin("https://example.com", "")); } void test_origin_allowed() { std::vector allow = {"app.example.com", "https://admin.example.com"}; REQUIRE(originAllowed("https://app.example.com", allow)); REQUIRE(originAllowed("https://admin.example.com:8443/x", allow)); REQUIRE(!originAllowed("https://evil.com", allow)); REQUIRE(!originAllowed("", allow)); // fail closed } } // namespace int main() { test_origin_hostname(); test_same_origin(); test_origin_allowed(); std::printf("%s (%d failures)\n", g_failures ? "FAIL" : "OK", g_failures); return g_failures ? 1 : 0; }