backend/api/websocket/server_test.go

package websocket

import (
	"net/http/httptest"
	"testing"
)

func TestWebsocketOriginAllowedDefaultsToSameHost(t *testing.T) {
	t.Setenv("WEBSOCKET_ALLOWED_ORIGINS", "")

	req := httptest.NewRequest("GET", "http://example.com/ws", nil)
	req.Host = "example.com:8080"
	req.Header.Set("Origin", "https://example.com")

	if !websocketOriginAllowed(req) {
		t.Fatal("expected same-host websocket origin to be allowed by default")
	}
}

func TestWebsocketOriginAllowedRejectsCrossOriginByDefault(t *testing.T) {
	t.Setenv("WEBSOCKET_ALLOWED_ORIGINS", "")

	req := httptest.NewRequest("GET", "http://example.com/ws", nil)
	req.Host = "example.com:8080"
	req.Header.Set("Origin", "https://attacker.example")

	if websocketOriginAllowed(req) {
		t.Fatal("expected cross-origin websocket request to be rejected by default")
	}
}

func TestWebsocketOriginAllowedHonorsExplicitAllowlist(t *testing.T) {
	t.Setenv("WEBSOCKET_ALLOWED_ORIGINS", "https://app.example, https://ops.example")

	req := httptest.NewRequest("GET", "http://example.com/ws", nil)
	req.Host = "example.com:8080"
	req.Header.Set("Origin", "https://ops.example")

	if !websocketOriginAllowed(req) {
		t.Fatal("expected allowlisted websocket origin to be accepted")
	}
}
feat: explorer API, wallet, CCIP scripts, and config refresh - Backend REST/gateway/track routes, analytics, Blockscout proxy paths. - Frontend wallet and liquidity surfaces; MetaMask token list alignment. - Deployment docs, verification scripts, address inventory updates. Check: go build ./... under backend/ (pass). Made-with: Cursor 2026-04-07 23:22:12 -07:00			`package websocket`

			`import (`
			`"net/http/httptest"`
			`"testing"`
			`)`

			`func TestWebsocketOriginAllowedDefaultsToSameHost(t *testing.T) {`
			`t.Setenv("WEBSOCKET_ALLOWED_ORIGINS", "")`

			`req := httptest.NewRequest("GET", "http://example.com/ws", nil)`
			`req.Host = "example.com:8080"`
			`req.Header.Set("Origin", "https://example.com")`

			`if !websocketOriginAllowed(req) {`
			`t.Fatal("expected same-host websocket origin to be allowed by default")`
			`}`
			`}`

			`func TestWebsocketOriginAllowedRejectsCrossOriginByDefault(t *testing.T) {`
			`t.Setenv("WEBSOCKET_ALLOWED_ORIGINS", "")`

			`req := httptest.NewRequest("GET", "http://example.com/ws", nil)`
			`req.Host = "example.com:8080"`
			`req.Header.Set("Origin", "https://attacker.example")`

			`if websocketOriginAllowed(req) {`
			`t.Fatal("expected cross-origin websocket request to be rejected by default")`
			`}`
			`}`

			`func TestWebsocketOriginAllowedHonorsExplicitAllowlist(t *testing.T) {`
			`t.Setenv("WEBSOCKET_ALLOWED_ORIGINS", "https://app.example, https://ops.example")`

			`req := httptest.NewRequest("GET", "http://example.com/ws", nil)`
			`req.Host = "example.com:8080"`
			`req.Header.Set("Origin", "https://ops.example")`

			`if !websocketOriginAllowed(req) {`
			`t.Fatal("expected allowlisted websocket origin to be accepted")`
			`}`
			`}`