
@inso_web/els-mcp


MCP-сервер поверх INSO Error Logs Service. Read-only tools (search, analytics, fingerprinting, correlations) для подключения Claude Desktop/Code и ChatGPT к логам ошибок. Streamable HTTP transport + stdio для npx-запуска.

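import { recordAuthRejection } from '../../observability/metrics.js';

// Loopback entries in the allow-list are never matched literally; either one
// switches on the any-port loopback fallback used by the guard.
const LOOPBACK_ENTRIES = ['http://localhost', 'http://127.0.0.1'];

// Anchored at both ends: only the bare loopback host with an optional numeric
// port matches, so a longer host that merely starts with "localhost" does not.
const LOOPBACK_ORIGIN = /^http:\/\/(localhost|127\.0\.0\.1)(:\d+)?$/;

/**
 * Build an Express-style middleware that rejects requests whose `Origin`
 * header is not on the allow-list.
 *
 * Security notes:
 * - This is a browser-facing control, not authentication. Requests without an
 *   `Origin` header are passed through (server-to-server, CLI clients), and a
 *   non-browser client can send any `Origin` it likes, so the routes behind
 *   this guard still need their own authentication.
 * - `'*'` only takes effect when `opts.allowWildcard` is truthy; it then
 *   disables the check for every origin.
 * - Entries are compared as exact strings, so an entry with a trailing slash
 *   or a path will never match a browser-sent origin.
 *
 * @param {object} opts
 * @param {string[]} opts.allowed - Allowed origins. `'http://localhost'` or
 *   `'http://127.0.0.1'` enables the loopback fallback (either host, any port).
 * @param {boolean} [opts.allowWildcard] - Must be truthy for `'*'` to be honoured.
 * @param {{ warn?: Function }} [opts.log] - Optional logger; `warn` is called on rejection.
 * @returns {(req: object, res: object, next: Function) => void} The middleware.
 */
export function createOriginGuard(opts) {
  const exact = new Set();
  let wildcard = false;
  // Fix: the original dropped 'http://127.0.0.1' from the exact set but only
  // enabled the fallback for 'http://localhost', so a list containing just
  // 'http://127.0.0.1' silently allowed no loopback origin at all.
  let allowLoopback = false;

  for (const entry of opts.allowed) {
    if (entry === '*') {
      // A wildcard in the list is ignored unless explicitly enabled.
      if (opts.allowWildcard) wildcard = true;
      continue;
    }
    if (LOOPBACK_ENTRIES.includes(entry)) {
      // Dev fallback: any loopback port is accepted once a loopback entry is listed.
      allowLoopback = true;
      continue;
    }
    exact.add(entry);
  }

  return function originGuard(req, res, next) {
    const origin = readOrigin(req);

    // No Origin header: let it through (server-to-server traffic).
    if (!origin) {
      next();
      return;
    }

    const permitted =
      wildcard ||
      exact.has(origin) ||
      (allowLoopback && LOOPBACK_ORIGIN.test(origin));
    if (permitted) {
      next();
      return;
    }

    try {
      recordAuthRejection('forbidden_origin');
    } catch {
      // A metrics failure must not block the main flow.
    }
    // `origin` is client-controlled; it is passed as a structured field rather
    // than interpolated into the log message.
    opts.log?.warn?.({ origin, path: req.path }, 'originGuard rejection');
    res.status(403).json({
      error: 'forbidden_origin',
      error_description: `Origin "${origin}" is not allowed`,
    });
  };
}

/**
 * Read the `Origin` request header.
 *
 * @param {{ headers: Record<string, unknown> }} req
 * @returns {string | null} The header value, or null when it is absent, empty,
 *   or not a string.
 */
function readOrigin(req) {
  const raw = req.headers.origin;
  if (typeof raw === 'string' && raw.length > 0) return raw;
  return null;
}
//# sourceMappingURL=originGuard.js.map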