feat: add CORS support via CORS_ORIGINS env var

- New CORSMiddleware in server/cors.go - Reads comma-separated origins from CORS_ORIGINS env - Empty or "*" allows all origins - Handles preflight OPTIONS requests - Wraps existing LoggingMiddleware chain
2026-03-11 10:07:32 +00:00
parent 0c4a1a4d3f
commit 047f0b8422
3 changed files with 68 additions and 6 deletions
--- a/server/cors.go
+++ b/server/cors.go
@@ -0,0 +1,43 @@
+package server
+
+import (
+	"net/http"
+	"strings"
+)
+
+// CORSMiddleware adds CORS headers based on allowed origins.
+// If allowedOrigins is empty or contains "*", all origins are allowed.
+func CORSMiddleware(allowedOrigins []string, next http.Handler) http.Handler {
+	allowAll := len(allowedOrigins) == 0
+	originSet := make(map[string]bool, len(allowedOrigins))
+	for _, o := range allowedOrigins {
+		o = strings.TrimSpace(o)
+		if o == "*" {
+			allowAll = true
+		}
+		originSet[o] = true
+	}
+
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		origin := r.Header.Get("Origin")
+		if origin == "" {
+			next.ServeHTTP(w, r)
+			return
+		}
+
+		if allowAll || originSet[origin] {
+			w.Header().Set("Access-Control-Allow-Origin", origin)
+			w.Header().Set("Access-Control-Allow-Methods", "GET, PUT, PATCH, POST, DELETE, OPTIONS")
+			w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
+			w.Header().Set("Access-Control-Max-Age", "3600")
+			w.Header().Set("Vary", "Origin")
+		}
+
+		if r.Method == http.MethodOptions {
+			w.WriteHeader(http.StatusNoContent)
+			return
+		}
+
+		next.ServeHTTP(w, r)
+	})
+}