accept.go: Improve unauthorized origin error message

Closes #247
nhooyr · Jan 9, 2021 · 29251d0 · 29251d0
1 parent 482f584
commit 29251d0
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 2 deletions.
diff --git a/accept.go b/accept.go
@@ -215,7 +215,10 @@ func authenticateOrigin(r *http.Request, originHosts []string) error {
 			return nil
 		}
 	}
-	return fmt.Errorf("request Origin %q is not authorized for Host %q", origin, r.Host)
+	if u.Host == "" {
+		return fmt.Errorf("request Origin %q is not a valid URL with a host", origin)
+	}
+	return fmt.Errorf("request Origin %q is not authorized for Host %q", u.Host, r.Host)
 }
 
 func match(pattern, s string) (bool, error) {

diff --git a/accept_test.go b/accept_test.go
@@ -39,7 +39,23 @@ func TestAccept(t *testing.T) {
 		r.Header.Set("Origin", "harhar.com")
 
 		_, err := Accept(w, r, nil)
-		assert.Contains(t, err, `request Origin "harhar.com" is not authorized for Host`)
+		assert.Contains(t, err, `request Origin "harhar.com" is not a valid URL with a host`)
+	})
+
+	// #247
+	t.Run("unauthorizedOriginErrorMessage", func(t *testing.T) {
+		t.Parallel()
+
+		w := httptest.NewRecorder()
+		r := httptest.NewRequest("GET", "/", nil)
+		r.Header.Set("Connection", "Upgrade")
+		r.Header.Set("Upgrade", "websocket")
+		r.Header.Set("Sec-WebSocket-Version", "13")
+		r.Header.Set("Sec-WebSocket-Key", "meow123")
+		r.Header.Set("Origin", "https://harhar.com")
+
+		_, err := Accept(w, r, nil)
+		assert.Contains(t, err, `request Origin "harhar.com" is not authorized for Host "example.com"`)
 	})
 
 	t.Run("badCompression", func(t *testing.T) {