refactor(mcp): compose origin allowlist as middleware, remove duplication

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-04 20:58:08 +02:00
parent 36765b8360
commit ba5068648b
3 changed files with 23 additions and 28 deletions
--- a/internal/mcp/server.go
+++ b/internal/mcp/server.go
@@ -11,9 +11,8 @@ import (
 const ProtocolVersion = "2025-06-18"

 type ServerOptions struct {
-	Registry        *registry.Registry
-	OriginAllowlist []string
-	Sessions        *SessionStore
+	Registry *registry.Registry
+	Sessions *SessionStore
 }

 type Server struct {
@@ -28,24 +27,6 @@ func NewServer(opts ServerOptions) *Server {
 }

 func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	// Origin allowlist (no-op when allowlist empty or Origin missing)
-	if len(s.opts.OriginAllowlist) > 0 {
-		origin := r.Header.Get("Origin")
-		if origin != "" {
-			ok := false
-			for _, a := range s.opts.OriginAllowlist {
-				if a == origin {
-					ok = true
-					break
-				}
-			}
-			if !ok {
-				http.Error(w, "origin not allowed", http.StatusForbidden)
-				return
-			}
-		}
-	}
-
 	switch r.Method {
 	case http.MethodGet:
 		s.handleGET(w, r)