11"""Base classes for request handlers"""
22
33import json
4+ import urllib .parse
45
56import jwt
67from http .client import responses
@@ -46,6 +47,22 @@ def check_request_ip(self):
4647 )
4748 raise web .HTTPError (403 , f"Requests from { message } )
4849
50+ def token_origin (self ):
51+ """Compute the origin used by build tokens
52+
53+ For build tokens we check the Origin and then the Host header to
54+ compute the "origin" of a build token.
55+ """
56+ origin_or_host = self .request .headers .get ("origin" , None )
57+ if origin_or_host is not None :
58+ # the origin header includes the scheme, which the host header
59+ # doesn't so we normalize Origin to the format of Host
60+ origin_or_host = urllib .parse .urlparse (origin_or_host ).netloc
61+ else :
62+ origin_or_host = self .request .headers .get ("host" , "" )
63+
64+ return origin_or_host
65+
4966 def check_build_token (self , build_token , provider_spec ):
5067 """Validate that a build token is valid for the current request
5168
@@ -69,9 +86,7 @@ def check_build_token(self, build_token, provider_spec):
6986 app_log .error (f"Failure to validate build token for { provider_spec } { e } )
7087 raise web .HTTPError (403 , "Invalid build token" )
7188
72- origin = self .request .headers .get (
73- "origin" , self .request .headers .get ("host" , "" )
74- )
89+ origin = self .token_origin ()
7590 if decoded ["origin" ] != origin :
7691 app_log .error (f"Rejecting build token from mismatched origin { decoded } )
7792 raise web .HTTPError (403 , "Invalid build token" )
0 commit comments