verify the :authority pseudo-header when parsing request (#68)

request.go

@@ -3,6 +3,7 @@ package masque
 import (
 	"fmt"
 	"net/http"
+	"net/url"
 	"reflect"
 	"strconv"
 	"strings"
@@ -46,6 +47,14 @@ func (e *RequestParseError) Unwrap() error { return e.Err }
 // ParseRequest parses a CONNECT-UDP request.
 // The template is the URI template that clients will use to configure this UDP proxy.
 func ParseRequest(r *http.Request, template *uritemplate.Template) (*Request, error) {
+	u, err := url.Parse(template.Raw())
+	if err != nil {
+		return nil, &RequestParseError{
+			HTTPStatus: http.StatusInternalServerError,
+			Err:        fmt.Errorf("failed to parse template: %w", err),
+		}
+	}
+
 	if r.Method != http.MethodConnect {
 		return nil, &RequestParseError{
 			HTTPStatus: http.StatusMethodNotAllowed,
@@ -58,7 +67,12 @@ func ParseRequest(r *http.Request, template *uritemplate.Template) (*Request, er
 			Err:        fmt.Errorf("unexpected protocol: %s", r.Proto),
 		}
 	}
-	// TODO: check :authority
+	if r.Host != u.Host {
+		return nil, &RequestParseError{
+			HTTPStatus: http.StatusBadRequest,
+			Err:        fmt.Errorf("host in :authority (%s) does not match template host (%s)", r.Host, u.Host),
+		}
+	}
 	capsuleHeaderValues, ok := r.Header[capsuleHeader]
 	if !ok {
 		return nil, &RequestParseError{

request_test.go

@@ -50,6 +50,13 @@ func TestRequestParsing(t *testing.T) {
 		require.Equal(t, http.StatusNotImplemented, err.(*RequestParseError).HTTPStatus)
 	})
 
+	t.Run("wrong :authority", func(t *testing.T) {
+		req := newRequest("https://quic-go.net:1234/masque")
+		_, err := ParseRequest(req, template)
+		require.EqualError(t, err, "host in :authority (quic-go.net:1234) does not match template host (localhost:1234)")
+		require.Equal(t, http.StatusBadRequest, err.(*RequestParseError).HTTPStatus)
+	})
+
 	t.Run("missing Capsule-Protocol header", func(t *testing.T) {
 		req := newRequest("https://localhost:1234/masque")
 		req.Header.Del("Capsule-Protocol")