(t *testing.T)
| 784 | } |
| 785 | |
| 786 | func TestCrossOriginProtection(t *testing.T) { |
| 787 | jsonRPCBody := `{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2025-03-26","capabilities":{},"clientInfo":{"name":"test","version":"0.1"}}}` |
| 788 | |
| 789 | apiHost, err := utils.NewAPIHost("https://api.githubcopilot.com") |
| 790 | require.NoError(t, err) |
| 791 | |
| 792 | handler := NewHTTPMcpHandler( |
| 793 | context.Background(), |
| 794 | &ServerConfig{ |
| 795 | Version: "test", |
| 796 | }, |
| 797 | nil, |
| 798 | translations.NullTranslationHelper, |
| 799 | slog.Default(), |
| 800 | apiHost, |
| 801 | WithInventoryFactory(func(_ *http.Request) (*inventory.Inventory, error) { |
| 802 | return inventory.NewBuilder().Build() |
| 803 | }), |
| 804 | WithGitHubMCPServerFactory(func(_ *http.Request, _ github.ToolDependencies, _ *inventory.Inventory, _ *github.MCPServerConfig) (*mcp.Server, error) { |
| 805 | return mcp.NewServer(&mcp.Implementation{Name: "test", Version: "0.0.1"}, nil), nil |
| 806 | }), |
| 807 | WithScopeFetcher(allScopesFetcher{}), |
| 808 | ) |
| 809 | |
| 810 | r := chi.NewRouter() |
| 811 | handler.RegisterMiddleware(r) |
| 812 | handler.RegisterRoutes(r) |
| 813 | |
| 814 | tests := []struct { |
| 815 | name string |
| 816 | secFetchSite string |
| 817 | origin string |
| 818 | }{ |
| 819 | { |
| 820 | name: "cross-site request with bearer token succeeds", |
| 821 | secFetchSite: "cross-site", |
| 822 | origin: "https://example.com", |
| 823 | }, |
| 824 | { |
| 825 | name: "same-origin request succeeds", |
| 826 | secFetchSite: "same-origin", |
| 827 | }, |
| 828 | { |
| 829 | name: "native client without Sec-Fetch-Site succeeds", |
| 830 | secFetchSite: "", |
| 831 | }, |
| 832 | } |
| 833 | |
| 834 | for _, tt := range tests { |
| 835 | t.Run(tt.name, func(t *testing.T) { |
| 836 | req := httptest.NewRequest(http.MethodPost, "/", strings.NewReader(jsonRPCBody)) |
| 837 | req.Header.Set("Content-Type", "application/json") |
| 838 | req.Header.Set("Accept", "application/json, text/event-stream") |
| 839 | req.Header.Set(headers.AuthorizationHeader, "Bearer github_pat_xyz") |
| 840 | if tt.secFetchSite != "" { |
| 841 | req.Header.Set("Sec-Fetch-Site", tt.secFetchSite) |
| 842 | } |
| 843 | if tt.origin != "" { |