move http domain utils from middelware to pkg folder (#1437)

* move http domain utils from middelware to pkg folder

* Update pkg/http/domain.go

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update pkg/http/domain.go

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: fleandrei

api/domain_restriction.go

@@ -2,9 +2,9 @@ package api
 
 import (
 	"net/http"
-	"net/url"
 	"strings"
 
+	stationHttp "github.com/massalabs/station/pkg/http"
 	"github.com/massalabs/station/pkg/logger"
 )
 
@@ -18,7 +18,7 @@ func DomainRestrictionMiddleware(handler http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.Method != "GET" && IsRestrictedPath(r.URL.Path) {
 			if !isRequestFromAllowedDomain(r) {
-				logger.Warnf("Blocked operation from unauthorized domain: %s", getRequestOrigin(r))
+				logger.Warnf("Blocked operation from unauthorized domain: %s", stationHttp.GetRequestOrigin(r))
 				http.Error(w, "Forbidden: Operations restricted to authorized domains", http.StatusForbidden)
 				return
 			}
@@ -39,8 +39,8 @@ func IsRestrictedPath(path string) bool {
 }
 
 func isRequestFromAllowedDomain(r *http.Request) bool {
-	origin := getRequestOrigin(r)
-	hostname := extractHostname(origin)
+	origin := stationHttp.GetRequestOrigin(r)
+	hostname := stationHttp.ExtractHostname(origin)
 
 	for _, allowedDomain := range allowedDomains() {
 		if hostname == allowedDomain {
@@ -50,80 +50,3 @@ func isRequestFromAllowedDomain(r *http.Request) bool {
 
 	return false
 }
-
-func getRequestOrigin(r *http.Request) string {
-	if origin := r.Header.Get("Origin"); origin != "" {
-		return origin
-	}
-
-	// Check Referer header as fallback
-	if referer := r.Header.Get("Referer"); referer != "" {
-		return referer
-	}
-
-	// Check Host header for local requests
-	if host := r.Header.Get("Host"); host != "" {
-		return host
-	}
-
-	return "unknown"
-}
-
-// extractHostname safely extracts the hostname from a URL string
-func extractHostname(origin string) string {
-	if origin == "" {
-		return ""
-	}
-
-	// Handle cases where the origin might just be a hostname without protocol
-	if !strings.Contains(origin, "://") {
-		if parsed, err := url.Parse("http://" + origin); err == nil {
-			return parsed.Hostname()
-		}
-
-		// Fallback: if parsing fails but origin looks like a simple hostname,
-		// check if it matches any allowed domain directly
-		if isSimpleHostname(origin) {
-			return origin
-		}
-		return ""
-	}
-
-	parsed, err := url.Parse(origin)
-	if err != nil {
-		return ""
-	}
-
-	return parsed.Hostname()
-}
-
-// isSimpleHostname checks if a string looks like a simple hostname
-// (contains only valid hostname characters and no suspicious patterns)
-func isSimpleHostname(s string) bool {
-	if s == "" {
-		return false
-	}
-
-	// Only allow valid hostname characters: letters, digits, hyphens, dots, and colons (for ports)
-	for _, r := range s {
-		isLetter := (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z')
-		isDigit := r >= '0' && r <= '9'
-		isAllowedPunct := r == '-' || r == '.' || r == ':'
-		if !isLetter && !isDigit && !isAllowedPunct {
-			return false
-		}
-	}
-
-	// Must not start or end with hyphen or dot
-	if strings.HasPrefix(s, "-") || strings.HasSuffix(s, "-") ||
-		strings.HasPrefix(s, ".") || strings.HasSuffix(s, ".") {
-		return false
-	}
-
-	// Check for consecutive dots
-	if strings.Contains(s, "..") {
-		return false
-	}
-
-	return true
-}

api/middleware_test.go

@@ -234,85 +234,3 @@ func TestIsRequestFromAllowedDomain(t *testing.T) {
 		})
 	}
 }
-
-func TestExtractHostname(t *testing.T) {
-	tests := []struct {
-		name     string
-		origin   string
-		expected string
-	}{
-		{"HTTPS URL", "https://station.massa", "station.massa"},
-		{"HTTP URL", "http://localhost:3000", "localhost"},
-		{"URL with port", "https://127.0.0.1:8080", "127.0.0.1"},
-		{"Just hostname", "station.massa", "station.massa"},
-		{"Just localhost", "localhost", "localhost"},
-		{"Just IP", "127.0.0.1", "127.0.0.1"},
-		{"Empty string", "", ""},
-		{"Malformed URL", "not-a-url", "not-a-url"},
-		{"Invalid control chars", string([]byte{0x7f, 0x80, 0x81}), ""},
-		{"URL with path", "https://station.massa/path", "station.massa"},
-		{"URL with query", "https://station.massa?query=value", "station.massa"},
-		{"Malicious domain", "https://malicious-station.massa.com", "malicious-station.massa.com"},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			result := extractHostname(tt.origin)
-			if result != tt.expected {
-				t.Errorf("extractHostname(%s) = %s, expected %s", tt.origin, result, tt.expected)
-			}
-		})
-	}
-}
-
-func TestIsSimpleHostname(t *testing.T) {
-	tests := []struct {
-		name     string
-		hostname string
-		expected bool
-	}{
-		{"Valid hostname", "station.massa", true},
-		{"Valid localhost", "localhost", true},
-		{"Valid IP", "127.0.0.1", true},
-		{"Valid with port", "localhost:3000", true},
-		{"Empty string", "", false},
-		{"With spaces", "station massa", false},
-		{"With tabs", "station\tmassa", false},
-		{"With newlines", "station\nmassa", false},
-		{"With angle brackets", "station<massa", false},
-		{"With quotes", "station\"massa", false},
-		{"With backticks", "station`massa", false},
-		{"With braces", "station{massa", false},
-		{"With control chars", string([]byte{0x7f, 0x80, 0x81}), false},
-		{"Starting with hyphen", "-station.massa", false},
-		{"Ending with hyphen", "station.massa-", false},
-		{"Starting with dot", ".station.massa", false},
-		{"Ending with dot", "station.massa.", false},
-		{"Consecutive dots", "station..massa", false},
-		{"Valid subdomain", "api.station.massa", true},
-		{"Valid with numbers", "station1.massa2", true},
-		// Additional security tests for new restrictive validation
-		{"With at symbol", "station@massa", false},
-		{"With hash", "station#massa", false},
-		{"With dollar", "station$massa", false},
-		{"With percent", "station%massa", false},
-		{"With ampersand", "station&massa", false},
-		{"With asterisk", "station*massa", false},
-		{"With plus", "station+massa", false},
-		{"With equals", "station=massa", false},
-		{"With question mark", "station?massa", false},
-		{"With underscore", "station_massa", false},
-		{"With tilde", "station~massa", false},
-		{"With pipe", "station|massa", false},
-		{"With backslash", "station\\massa", false},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			result := isSimpleHostname(tt.hostname)
-			if result != tt.expected {
-				t.Errorf("isSimpleHostname(%s) = %v, expected %v", tt.hostname, result, tt.expected)
-			}
-		})
-	}
-}

pkg/http/domain.go

@@ -0,0 +1,84 @@
+package http
+
+import (
+	"net/http"
+	"net/url"
+	"strings"
+)
+
+func GetRequestOrigin(r *http.Request) string {
+	if origin := r.Header.Get("Origin"); origin != "" {
+		return origin
+	}
+
+	// Check Referer header as fallback
+	if referer := r.Header.Get("Referer"); referer != "" {
+		return referer
+	}
+
+	// Check Host header for local requests
+	if host := r.Header.Get("Host"); host != "" {
+		return host
+	}
+
+	return "unknown"
+}
+
+// ExtractHostname safely extracts the hostname from a URL string
+func ExtractHostname(origin string) string {
+	if origin == "" {
+		return ""
+	}
+
+	// Handle cases where the origin might just be a hostname without protocol
+	if !strings.Contains(origin, "://") {
+		if parsed, err := url.Parse("http://" + origin); err == nil {
+			return parsed.Hostname()
+		}
+
+		// Fallback: if parsing fails but origin looks like a simple hostname,
+		// check if it matches any allowed domain directly
+		if IsSimpleHostname(origin) {
+			return origin
+		}
+		return ""
+	}
+
+	parsed, err := url.Parse(origin)
+	if err != nil {
+		return ""
+	}
+
+	return parsed.Hostname()
+}
+
+// IsSimpleHostname checks if a string looks like a simple hostname
+// (contains only valid hostname characters and no suspicious patterns)
+func IsSimpleHostname(s string) bool {
+	if s == "" {
+		return false
+	}
+
+	// Only allow valid hostname characters: letters, digits, hyphens, dots, and colons (for ports)
+	for _, r := range s {
+		isLetter := (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z')
+		isDigit := r >= '0' && r <= '9'
+		isAllowedPunct := r == '-' || r == '.' || r == ':'
+		if !isLetter && !isDigit && !isAllowedPunct {
+			return false
+		}
+	}
+
+	// Must not start or end with hyphen or dot
+	if strings.HasPrefix(s, "-") || strings.HasSuffix(s, "-") ||
+		strings.HasPrefix(s, ".") || strings.HasSuffix(s, ".") {
+		return false
+	}
+
+	// Check for consecutive dots
+	if strings.Contains(s, "..") {
+		return false
+	}
+
+	return true
+}

pkg/http/domain_test.go

@@ -0,0 +1,85 @@
+package http
+
+import "testing"
+
+func TestExtractHostname(t *testing.T) {
+	tests := []struct {
+		name     string
+		origin   string
+		expected string
+	}{
+		{"HTTPS URL", "https://station.massa", "station.massa"},
+		{"HTTP URL", "http://localhost:3000", "localhost"},
+		{"URL with port", "https://127.0.0.1:8080", "127.0.0.1"},
+		{"Just hostname", "station.massa", "station.massa"},
+		{"Just localhost", "localhost", "localhost"},
+		{"Just IP", "127.0.0.1", "127.0.0.1"},
+		{"Empty string", "", ""},
+		{"Malformed URL", "not-a-url", "not-a-url"},
+		{"Invalid control chars", string([]byte{0x7f, 0x80, 0x81}), ""},
+		{"URL with path", "https://station.massa/path", "station.massa"},
+		{"URL with query", "https://station.massa?query=value", "station.massa"},
+		{"Malicious domain", "https://malicious-station.massa.com", "malicious-station.massa.com"},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := ExtractHostname(tt.origin)
+			if result != tt.expected {
+				t.Errorf("extractHostname(%s) = %s, expected %s", tt.origin, result, tt.expected)
+			}
+		})
+	}
+}
+
+func TestIsSimpleHostname(t *testing.T) {
+	tests := []struct {
+		name     string
+		hostname string
+		expected bool
+	}{
+		{"Valid hostname", "station.massa", true},
+		{"Valid localhost", "localhost", true},
+		{"Valid IP", "127.0.0.1", true},
+		{"Valid with port", "localhost:3000", true},
+		{"Empty string", "", false},
+		{"With spaces", "station massa", false},
+		{"With tabs", "station\tmassa", false},
+		{"With newlines", "station\nmassa", false},
+		{"With angle brackets", "station<massa", false},
+		{"With quotes", "station\"massa", false},
+		{"With backticks", "station`massa", false},
+		{"With braces", "station{massa", false},
+		{"With control chars", string([]byte{0x7f, 0x80, 0x81}), false},
+		{"Starting with hyphen", "-station.massa", false},
+		{"Ending with hyphen", "station.massa-", false},
+		{"Starting with dot", ".station.massa", false},
+		{"Ending with dot", "station.massa.", false},
+		{"Consecutive dots", "station..massa", false},
+		{"Valid subdomain", "api.station.massa", true},
+		{"Valid with numbers", "station1.massa2", true},
+		// Additional security tests for new restrictive validation
+		{"With at symbol", "station@massa", false},
+		{"With hash", "station#massa", false},
+		{"With dollar", "station$massa", false},
+		{"With percent", "station%massa", false},
+		{"With ampersand", "station&massa", false},
+		{"With asterisk", "station*massa", false},
+		{"With plus", "station+massa", false},
+		{"With equals", "station=massa", false},
+		{"With question mark", "station?massa", false},
+		{"With underscore", "station_massa", false},
+		{"With tilde", "station~massa", false},
+		{"With pipe", "station|massa", false},
+		{"With backslash", "station\\massa", false},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := IsSimpleHostname(tt.hostname)
+			if result != tt.expected {
+				t.Errorf("isSimpleHostname(%s) = %v, expected %v", tt.hostname, result, tt.expected)
+			}
+		})
+	}
+}