commit daca3147e022e36df6dc6e66744d5de80ee6ebea
author Akron <nils@diewald-online.de> Thu May 21 13:00:45 2026 +0200
committer Akron <nils@diewald-online.de> Thu May 21 13:00:45 2026 +0200
tree 4cf73923288acd76e1aaf7edb7691babdb84d6a2
parent f7bba07b41686b21c89cc938fad80bf02e16ea3b

Strip path components from CORS AllowOrigins

Change-Id: I28019e6649a644188a79f0321486cf9d375bd271

config/config_test.go

diff --git a/config/config_test.go b/config/config_test.go
index 0881157..a7d121f 100644
--- a/config/config_test.go
+++ b/config/config_test.go
@@ -1494,6 +1494,33 @@
 		"KORAL_MAPPER_ALLOW_ORIGINS env var should override YAML value")
 }
 
+func TestAllowOriginsDerivedFromServerWithPath(t *testing.T) {
+	cfg := &MappingConfig{
+		Server: "https://korap.ids-mannheim.de/instance/test",
+	}
+	ApplyDefaults(cfg)
+	assert.Equal(t, "https://korap.ids-mannheim.de", cfg.AllowOrigins,
+		"AllowOrigins should be pruned to host-level origin when Server contains a path")
+}
+
+func TestAllowOriginsExplicitWithPathsPruned(t *testing.T) {
+	cfg := &MappingConfig{
+		AllowOrigins: "https://korap.ids-mannheim.de/instance/test,https://other.example.com/app",
+	}
+	ApplyDefaults(cfg)
+	assert.Equal(t, "https://korap.ids-mannheim.de,https://other.example.com", cfg.AllowOrigins,
+		"explicit AllowOrigins entries should be pruned to host-level origins")
+}
+
+func TestAllowOriginsWithPort(t *testing.T) {
+	cfg := &MappingConfig{
+		Server: "https://korap.ids-mannheim.de:8080/instance/test",
+	}
+	ApplyDefaults(cfg)
+	assert.Equal(t, "https://korap.ids-mannheim.de:8080", cfg.AllowOrigins,
+		"AllowOrigins should preserve port but strip path")
+}
+
 func TestSanitizeFilePathRejectsOutsideBase(t *testing.T) {
 	// Set base to a specific directory and verify paths outside are rejected
 	tmpDir, err := os.MkdirTemp("", "koral-base-*")