hub / github.com/github/github-mcp-server / TestCrossOriginProtection

Function TestCrossOriginProtection

pkg/http/handler_test.go:786–853  ·  view source on GitHub ↗
(t *testing.T)

Source from the content-addressed store, hash-verified

784}
785
786func TestCrossOriginProtection(t *testing.T) {
787 jsonRPCBody := `{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2025-03-26","capabilities":{},"clientInfo":{"name":"test","version":"0.1"}}}`
788
789 apiHost, err := utils.NewAPIHost("https://api.githubcopilot.com")
790 require.NoError(t, err)
791
792 handler := NewHTTPMcpHandler(
793 context.Background(),
794 &ServerConfig{
795 Version: "test",
796 },
797 nil,
798 translations.NullTranslationHelper,
799 slog.Default(),
800 apiHost,
801 WithInventoryFactory(func(_ *http.Request) (*inventory.Inventory, error) {
802 return inventory.NewBuilder().Build()
803 }),
804 WithGitHubMCPServerFactory(func(_ *http.Request, _ github.ToolDependencies, _ *inventory.Inventory, _ *github.MCPServerConfig) (*mcp.Server, error) {
805 return mcp.NewServer(&mcp.Implementation{Name: "test", Version: "0.0.1"}, nil), nil
806 }),
807 WithScopeFetcher(allScopesFetcher{}),
808 )
809
810 r := chi.NewRouter()
811 handler.RegisterMiddleware(r)
812 handler.RegisterRoutes(r)
813
814 tests := []struct {
815 name string
816 secFetchSite string
817 origin string
818 }{
819 {
820 name: "cross-site request with bearer token succeeds",
821 secFetchSite: "cross-site",
822 origin: "https://example.com",
823 },
824 {
825 name: "same-origin request succeeds",
826 secFetchSite: "same-origin",
827 },
828 {
829 name: "native client without Sec-Fetch-Site succeeds",
830 secFetchSite: "",
831 },
832 }
833
834 for _, tt := range tests {
835 t.Run(tt.name, func(t *testing.T) {
836 req := httptest.NewRequest(http.MethodPost, "/", strings.NewReader(jsonRPCBody))
837 req.Header.Set("Content-Type", "application/json")
838 req.Header.Set("Accept", "application/json, text/event-stream")
839 req.Header.Set(headers.AuthorizationHeader, "Bearer github_pat_xyz")
840 if tt.secFetchSite != "" {
841 req.Header.Set("Sec-Fetch-Site", tt.secFetchSite)
842 }
843 if tt.origin != "" {

Callers

nothing calls this directly

Calls 11

NewAPIHostFunction · 0.92
NewBuilderFunction · 0.92
NewHTTPMcpHandlerFunction · 0.85
WithInventoryFactoryFunction · 0.85
WithScopeFetcherFunction · 0.85
BuildMethod · 0.80
RegisterMiddlewareMethod · 0.80
ServeHTTPMethod · 0.80
RegisterRoutesMethod · 0.45
StringMethod · 0.45

Tested by

no test coverage detected