package main import ( "net/http" "net/http/httptest" "testing" ) func TestRequestHostOriginAllowedAcceptsHTTPSFQDN(t *testing.T) { r := httptest.NewRequest(http.MethodPost, "https://l14pbbk95100006.tegdssd.de:9999/api/auth/passkey/login/options", nil) if !requestHostOriginAllowed("https://l14pbbk95100006.tegdssd.de:9999", r) { t.Fatal("expected matching HTTPS request host origin to be allowed") } } func TestRequestHostOriginAllowedRejectsDifferentHost(t *testing.T) { r := httptest.NewRequest(http.MethodPost, "https://l14pbbk95100006.tegdssd.de:9999/api/auth/passkey/login/options", nil) if requestHostOriginAllowed("https://evil.example:9999", r) { t.Fatal("expected different origin host to be rejected") } } func TestAuthAllowedRPOriginsIncludesConfiguredPublicURL(t *testing.T) { t.Setenv("APP_PUBLIC_URL", "https://l14pbbk95100006.tegdssd.de:9999") origins := authAllowedRPOrigins() if !originIsAllowed("https://l14pbbk95100006.tegdssd.de:9999", origins) { t.Fatalf("expected configured public URL in allowed origins: %#v", origins) } }