http/origin.ts

Request source verification middleware for API protection.

Verifies requests are coming from expected origins/referers. CSRF protection is provided by SameSite: strict on session cookies (see session_middleware.ts). This module provides origin allowlisting for locally-running services — preventing untrusted websites from making requests as the user browses the web.

Declarations

3 declarations

parse_allowed_origins

(env_value: string | undefined): RegExp[]

Parses ALLOWED_ORIGINS env var into regex matchers for request source verification. Origin allowlisting for locally-running services — not the CSRF layer (that's SameSite: strict on session cookies).

Accepts comma-separated patterns with limited wildcards:

- Exact origins: https://api.fuz.dev
- Wildcard subdomains: https://*.fuz.dev (matches exactly one subdomain level)
- Multiple wildcards: https://*.staging.*.fuz.dev (for deep subdomains)
- Wildcard ports: http://localhost:* (matches any port or no port)
- IPv6 addresses: http://[::1]:3000, https://[2001:db8::1]
- Combined: https://*.fuz.dev:*

Examples:

- http://localhost:3000,https://prod.fuz.dev
- https://*.api.fuz.dev,http://127.0.0.1:*
- http://[::1]:*,https://*.*.corp.fuz.dev:*

env_value

type string | undefined

returns

RegExp[]

throws

  • if any individual pattern is invalid (missing protocol, partial wildcards, etc.)

should_allow_origin

(origin: string, allowed_patterns: RegExp[]): boolean

Tests if a request source (origin or referer) matches any of the allowed patterns. Pattern matching is case-insensitive for domains (as per web standards).

origin

type string

allowed_patterns

type RegExp[]

returns

boolean

verify_request_source

(allowed_patterns: RegExp[]): Handler

Middleware that verifies the request source against an allowlist.

Origin allowlisting (not the CSRF layer — that's SameSite: strict cookies) that:

- Checks the Origin header first (if present)
- Falls back to the Referer header (if no Origin)
- Allows requests without Origin/Referer headers (direct access, curl, etc.)

This is useful for:

- Protecting locally-running services from being called by untrusted websites as the user browses the web
- Restricting which domains can make requests to your API
- Preventing embedding of your service in unexpected sites
- Basic source verification for locally-running services

allowed_patterns

array of compiled regex patterns from parse_allowed_origins

type RegExp[]

returns

Handler
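The following is an added, self-contained reimplementation of the three declarations documented above (parse_allowed_origins, should_allow_origin and verify_request_source); it is example code written for this page, not the module's own source. It assumes the wildcard rules as documented (a `*` host label matches exactly one subdomain level, a `*` port matches any port or none, anything else containing `*` is a partial wildcard and is rejected), that the Referer is reduced to its origin with a small regex before matching, and it substitutes stand-in `IncomingRequest` / `Handler` / `SimpleResponse` types for the framework's real `Handler`. The sample requests at the bottom are constructed for the demonstration.

```typescript
// Added example, not the project's code. Stand-in types for the framework's Handler.
interface IncomingRequest {
  headers: Record<string, string | undefined>;
}
interface SimpleResponse {
  status: number;
  body: string;
}
type Handler = (req: IncomingRequest) => SimpleResponse;

// Escape a literal so it matches only itself inside a RegExp.
const escape_regex = (s: string): string => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Compile one allowlist pattern: scheme://host[:port], where host is a bracketed IPv6
// literal or dot-separated labels, and port is digits or `*`. A `*` is only accepted as
// a whole label or as the whole port; missing protocol, paths and partial wildcards throw.
const pattern_to_regex = (pattern: string): RegExp => {
  const m = /^(https?):\/\/(\[[0-9a-f:.]+\]|[^\s\/:\[\]]+)(?::(\*|\d{1,5}))?$/i.exec(pattern);
  if (m === null) throw new Error(`invalid origin pattern: "${pattern}"`);
  const scheme: string = m[1];
  const host: string = m[2];
  const port: string | undefined = m[3];
  let host_source: string;
  if (host.charAt(0) === '[') {
    host_source = escape_regex(host); // IPv6 literal: matched verbatim, no wildcards inside
  } else {
    host_source = host
      .split('.')
      .map((label) => {
        if (label === '*') return '[^.:\\/]+'; // exactly one subdomain level
        if (label === '' || label.indexOf('*') !== -1) {
          throw new Error(`partial wildcard or empty label in pattern: "${pattern}"`);
        }
        return escape_regex(label);
      })
      .join('\\.');
  }
  // No port in the pattern means the origin must have no port either (distinct origins).
  const port_source = port === undefined ? '' : port === '*' ? '(?::\\d{1,5})?' : `:${port}`;
  // `i` flag: domain matching is case-insensitive.
  return new RegExp(`^${scheme.toLowerCase()}:\\/\\/${host_source}${port_source}$`, 'i');
};

// Undefined or empty env var yields an empty allowlist, so every cross-origin request
// carrying an Origin/Referer is rejected (fail closed); header-less requests still pass.
function parse_allowed_origins(env_value: string | undefined): RegExp[] {
  if (env_value === undefined) return [];
  return env_value
    .split(',')
    .map((p) => p.trim())
    .filter((p) => p.length > 0)
    .map(pattern_to_regex);
}

function should_allow_origin(origin: string, allowed_patterns: RegExp[]): boolean {
  return allowed_patterns.some((re) => re.test(origin));
}

// Reduce a Referer URL to scheme://host[:port]; '' if it does not parse (never matches).
const referer_to_origin = (referer: string): string => {
  const m = /^(https?:\/\/[^\/?#]+)/i.exec(referer.trim());
  return m === null ? '' : m[1];
};

// Case-insensitive header lookup over the stand-in request type.
const header = (req: IncomingRequest, name: string): string | undefined => {
  const keys = Object.keys(req.headers);
  for (let i = 0; i < keys.length; i++) {
    if (keys[i].toLowerCase() === name) return req.headers[keys[i]];
  }
  return undefined;
};

function verify_request_source(allowed_patterns: RegExp[], next: Handler): Handler {
  return (req) => {
    const origin = header(req, 'origin');
    const referer = header(req, 'referer');
    // Origin wins when present; otherwise fall back to the Referer's origin.
    const source = origin !== undefined ? origin : referer === undefined ? undefined : referer_to_origin(referer);
    // Neither header: direct access (curl, typed-in URL, etc.) is allowed through.
    if (source === undefined) return next(req);
    // An Origin of "null" (opaque origin) or an unparseable Referer never matches.
    if (!should_allow_origin(source, allowed_patterns)) {
      return { status: 403, body: 'forbidden: request source not allowed' };
    }
    return next(req);
  };
}

// Constructed demo: an allowlist and a protected handler, exercised with sample headers.
const allowed = parse_allowed_origins('http://localhost:*,https://*.fuz.dev,http://[::1]:3000');
const protected_handler = verify_request_source(allowed, () => ({ status: 200, body: 'ok' }));
const status_for = (headers: Record<string, string | undefined>): number =>
  protected_handler({ headers }).status;
```

Note that a pattern without a port (`https://*.fuz.dev`) deliberately does not match `https://api.fuz.dev:8443`: the two are different origins, and widening the match would let a service on another port of the same host through the allowlist.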
