auth providers

pytorrent/services/auth.py

@@ -16,6 +16,7 @@ from ..config import (
     AUTH_PROXY_AUTO_CREATE_PERMISSION,
     AUTH_PROXY_AUTO_CREATE_ROLE,
     AUTH_PROXY_USER_HEADER,
+    API_ALLOWED_ORIGINS,
 )
 from ..db import connect, default_user_id, utcnow
 
@@ -171,14 +172,29 @@ def visible_profile_ids(user_id: int | None = None) -> set[int] | None:
 
 
 
+def _origin_key(value: str) -> str:
+    parsed = urlparse(str(value or "").strip())
+    if not parsed.scheme or not parsed.netloc:
+        return ""
+    return f"{parsed.scheme.lower()}://{parsed.netloc.lower()}"
+
+
+def _request_origin() -> str:
+    return _origin_key(f"{request.scheme}://{request.host}")
+
+
 def same_origin_request() -> bool:
-    """Return False only when an unsafe request clearly comes from another origin."""
+    """Return False only when an unsafe API request clearly comes from an untrusted origin."""
     origin = request.headers.get("Origin") or request.headers.get("Referer")
     if not origin:
         return True
     try:
-        parsed = urlparse(origin)
-        return parsed.scheme == request.scheme and parsed.netloc == request.host
+        source_origin = _origin_key(origin)
+        if not source_origin:
+            return False
+        if source_origin == _request_origin():
+            return True
+        return source_origin in set(API_ALLOWED_ORIGINS)
     except Exception:
         return False