oatpp-authkit/test/test_origin_check.cpp

// Tests for oatpp-authkit/util/OriginCheck.hpp (authkit#16 M-4 / M-10).

#include "oatpp-authkit/util/OriginCheck.hpp"

#include <cstdio>
#include <string>
#include <vector>

namespace {

int g_failures = 0;
#define REQUIRE(expr) do {                                                   \
    if (!(expr)) {                                                           \
        std::fprintf(stderr, "FAIL %s:%d  %s\n", __FILE__, __LINE__, #expr); \
        ++g_failures;                                                        \
    }                                                                        \
} while (0)

using namespace oatpp_authkit;

void test_origin_hostname() {
    REQUIRE(originHostname("https://app.example.com") == "app.example.com");
    REQUIRE(originHostname("https://app.example.com:8443/x?y=1") == "app.example.com");
    REQUIRE(originHostname("app.example.com:443") == "app.example.com");
    REQUIRE(originHostname("HTTP://App.Example.COM") == "app.example.com");
    REQUIRE(originHostname("example.com") == "example.com");
}

void test_same_origin() {
    // Origin host matches Host (port/scheme ignored).
    REQUIRE(sameOrigin("https://example.com", "example.com"));
    REQUIRE(sameOrigin("https://example.com:8443", "example.com"));
    REQUIRE(sameOrigin("https://example.com/page", "example.com"));      // Referer form
    REQUIRE(sameOrigin("https://example.com", "example.com:443"));
    // Cross-host → blocked.
    REQUIRE(!sameOrigin("https://evil.com", "example.com"));
    REQUIRE(!sameOrigin("https://example.com.evil.com", "example.com"));
    // Empty inputs → can't decide → don't block (caller falls back).
    REQUIRE(sameOrigin("", "example.com"));
    REQUIRE(sameOrigin("https://example.com", ""));
}

void test_origin_allowed() {
    std::vector<std::string> allow = {"app.example.com", "https://admin.example.com"};
    REQUIRE(originAllowed("https://app.example.com", allow));
    REQUIRE(originAllowed("https://admin.example.com:8443/x", allow));
    REQUIRE(!originAllowed("https://evil.com", allow));
    REQUIRE(!originAllowed("", allow));     // fail closed
}

} // namespace

int main() {
    test_origin_hostname();
    test_same_origin();
    test_origin_allowed();
    std::printf("%s (%d failures)\n", g_failures ? "FAIL" : "OK", g_failures);
    return g_failures ? 1 : 0;
}