login/logout only valid from some origin as host (and host is already checked by hypercorn)

setup.cfg

@@ -21,8 +21,8 @@ packages = find:
 python_requires = >=3.9
 install_requires =
     trio
-    quart-trio
     quart
+    quart-trio
     hypercorn[trio]
     PyYAML
     protobuf

src/capport/api/app.py

@@ -1,9 +1,9 @@
+from __future__ import annotations
+
 from .app_cls import MyQuartApp
 
-
 app = MyQuartApp(__name__)
 
-
 __import__('capport.api.setup')
 __import__('capport.api.lang')
 __import__('capport.api.views')

src/capport/api/views.py

@@ -96,6 +96,23 @@ async def user_lookup() -> cptypes.MacPublicState:
 #     return app.my_hub.database.as_json()
 
 
+def check_self_origin():
+    origin = quart.request.headers.get('Origin', None)
+    if origin is None:
+        # not a request by a modern browser - probably curl or something similar. don't care.
+        return
+    origin_parts = origin.split('/')
+    # Origin should look like: protocol://hostname  (possibly a /path suffix?)
+    if len(origin_parts) < 3:
+        quart.abort(400, 'Broken Origin header')
+    origin_host = origin_parts[2].lower()
+    host = quart.request.headers.get('Host', None)
+    if host is None:
+        quart.abort(400, 'Missing Host header')
+    if host.lower() != origin_host:
+        quart.abort(400, 'Origin mismatch')
+
+
 @app.route('/', methods=['GET'])
 async def index(missing_accept: bool=False):
     state = await user_lookup()
@@ -109,6 +126,7 @@ async def index(missing_accept: bool=False):
 
 @app.route('/login', methods=['POST'])
 async def login():
+    check_self_origin()
     with trio.fail_after(5.0):
         form = await quart.request.form
     if form.get('accept') != '1':
@@ -126,6 +144,7 @@ async def login():
 
 @app.route('/logout', methods=['POST'])
 async def logout():
+    check_self_origin()
     with trio.fail_after(5.0):
         form = await quart.request.form
     req_mac = form.get('mac')