GetEffectiveHostAndScheme returns the effective host and scheme for a request. X-Forwarded-Host and X-Forwarded-Proto are only honored when cfg.TrustProxyHeaders is true. If they were honored without that opt-in, an untrusted client could influence the OAuth resource metadata URL advertised to MCP clients. The opt-in is only appropriate when the server sits behind a proxy that sets or overwrites these headers itself.
(r *http.Request, cfg *Config)
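// GetEffectiveHostAndScheme returns the effective host and scheme for a request.
//
// X-Forwarded-Host and X-Forwarded-Proto are only honored when
// cfg.TrustProxyHeaders is true; a nil cfg is treated as "do not trust". If they
// were honored without that opt-in, an untrusted client could influence the
// OAuth resource metadata URL advertised to MCP clients.
//
// Even with the opt-in, a forwarded value is used only when it is well-formed:
// the host must look like a single host[:port] token, and the scheme must be
// exactly "http" or "https" (case-insensitive). Anything else is ignored and the
// connection-derived value is used instead.
//
// Resolution order:
//   - host:   forwarded host, then r.Host, then "localhost"
//   - scheme: forwarded proto, then "https" if r.TLS is non-nil, else "http"
func GetEffectiveHostAndScheme(r *http.Request, cfg *Config) (host, scheme string) { //nolint:revive
	trustProxy := cfg != nil && cfg.TrustProxyHeaders

	if trustProxy {
		fh := strings.TrimSpace(r.Header.Get(headers.ForwardedHostHeader))
		// The result is spliced into a URL by callers, so refuse anything that is
		// not a plain authority: list separators, path/query/fragment delimiters,
		// userinfo markers and whitespace would change how that URL is parsed.
		if fh != "" && !strings.ContainsAny(fh, " \t\r\n,/\\@?#") {
			host = fh
		}

		fp := strings.ToLower(strings.TrimSpace(r.Header.Get(headers.ForwardedProtoHeader)))
		// Only the two schemes an HTTP server can actually be reached on are
		// accepted; a list ("https, http") or any other scheme falls through to
		// the TLS-based default below.
		if fp == "http" || fp == "https" {
			scheme = fp
		}
	}

	if host == "" {
		host = r.Host
	}
	if host == "" {
		// Last-resort default so callers always get a non-empty host.
		host = "localhost"
	}

	if scheme == "" {
		scheme = "http"
		if r.TLS != nil {
			scheme = "https"
		}
	}
	return host, scheme
}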
| 247 | |
| 248 | // BuildResourceMetadataURL constructs the full URL to the OAuth protected resource metadata endpoint. |
| 249 | func BuildResourceMetadataURL(r *http.Request, cfg *Config, resourcePath string) string { |
no outgoing calls