#!/usr/bin/env python3
"""
First-hop origin for GHSA-hg6j-4rv6-33pg.

This is origin A: the origin the victim's per-request cookie is legitimately
scoped to. Its /redirect endpoint issues a 302 cross-origin redirect to the
collector (origin B). Because the two hosts differ (firsthop vs collector), the
aiohttp client sees url.origin() != redirect_origin and takes the vulnerable
redirect branch.

This server does NOT need to be the vulnerable version; it is plain HTTP.
"""
import os
from aiohttp import web

# Absolute URL of the collector (origin B) that /redirect points at. Read
# eagerly at import so a missing setting fails with KeyError at startup
# rather than on the first request.
REDIRECT_TARGET: str = os.environ["REDIRECT_TARGET"]


async def redirect_handler(request: web.Request) -> web.Response:
    """Answer GET /redirect with a 302 to the collector origin.

    The Location header is the fixed, operator-configured REDIRECT_TARGET;
    nothing from the request is reflected into it, so the destination
    cannot be steered by the caller. The HTTPFound is raised rather than
    returned, following aiohttp's HTTPException convention.
    """
    hop = web.HTTPFound(location=REDIRECT_TARGET)
    raise hop


async def health(request: web.Request) -> web.Response:
    """Liveness probe: respond 200 with the plain-text body ``ok``."""
    body = "ok"
    return web.Response(status=200, text=body)


def main() -> None:
    """Build the first-hop application and serve it until shutdown.

    Routes: GET /redirect -> redirect_handler, GET /health -> health.
    Binds every interface on port 80. NOTE(review): this assumes the
    process runs inside the lab's isolated network — confirm before reuse.
    """
    routes = [
        web.get("/redirect", redirect_handler),
        web.get("/health", health),
    ]
    app = web.Application()
    app.add_routes(routes)
    web.run_app(app, host="0.0.0.0", port=80)


if __name__ == "__main__":
    # Script entry point; main() returns None, so the process exits with 0.
    raise SystemExit(main())
