| 819 | } |
| 820 | |
| 821 | void RestServer::RegisterRoutes() |
| 822 | { |
| 823 | const std::string apiBase = "/api/v1"; |
| 824 | |
| 825 | // Enable CORS for browser-based clients. When authentication is required, restrict |
| 826 | // the allowed origin to localhost to prevent arbitrary web pages from reading |
| 827 | // authenticated responses. With auth disabled, wildcard is acceptable for a local |
| 828 | // development server. |
| 829 | const std::string corsOrigin = m_PendingConfig.requireAuth ? "http://localhost" : "*"; |
| 830 | m_Server->set_default_headers({ |
| 831 | {"Access-Control-Allow-Origin", corsOrigin}, |
| 832 | {"Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE, OPTIONS"}, |
| 833 | {"Access-Control-Allow-Headers", "Content-Type, Accept, Authorization, X-MITK-Transfer-Mode"} |
| 834 | }); |
| 835 | |
| 836 | // Handle preflight OPTIONS requests for any route |
| 837 | m_Server->Options(".*", [](const httplib::Request& /*req*/, httplib::Response& res) { |
| 838 | res.status = 204; |
| 839 | }); |
| 840 | |
| 841 | // Install security middleware as pre-routing handler. |
| 842 | // This runs before any route handler and can short-circuit the request. |
| 843 | m_Server->set_pre_routing_handler( |
| 844 | [this](const httplib::Request& req, httplib::Response& res) -> httplib::Server::HandlerResponse { |
| 845 | // 1. Client IP access check |
| 846 | if (!this->CheckClientAccess(req, res)) |
| 847 | { |
| 848 | return httplib::Server::HandlerResponse::Handled; |
| 849 | } |
| 850 | |
| 851 | // 2. Rate limiting check |
| 852 | if (!this->CheckRateLimit(req, res)) |
| 853 | { |
| 854 | return httplib::Server::HandlerResponse::Handled; |
| 855 | } |
| 856 | |
| 857 | // 3. Authentication check |
| 858 | if (!this->CheckAuthentication(req, res)) |
| 859 | { |
| 860 | return httplib::Server::HandlerResponse::Handled; |
| 861 | } |
| 862 | |
| 863 | // All checks passed - continue to route matching |
| 864 | return httplib::Server::HandlerResponse::Unhandled; |
| 865 | }); |
| 866 | |
| 867 | // Health endpoints |
| 868 | m_Server->Get(apiBase + "/health", |
| 869 | [this](const httplib::Request& req, httplib::Response& res) { |
| 870 | m_HealthController->HandleGET_health(req, res); |
| 871 | this->RecordRequest(req.path, "GET", res.status, req.remote_addr); |
| 872 | }); |
| 873 | |
| 874 | m_Server->Get(apiBase + "/info", |
| 875 | [this](const httplib::Request& req, httplib::Response& res) { |
| 876 | m_HealthController->HandleGET_info(req, res); |
| 877 | this->RecordRequest(req.path, "GET", res.status, req.remote_addr); |
| 878 | }); |
no test coverage detected