- New CORSMiddleware in server/cors.go - Reads comma-separated origins from CORS_ORIGINS env - Empty or "*" allows all origins - Handles preflight OPTIONS requests - Wraps existing LoggingMiddleware chain
package server
import (
"net/http"
"strings"
)
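// CORSMiddleware wraps next with a handler that adds CORS response headers for
// requests whose Origin header is permitted by allowedOrigins.
//
// Entries are trimmed of surrounding whitespace and blank entries are ignored.
// If allowedOrigins has no elements, or any entry is "*", every origin is
// allowed and the request's Origin value is echoed back. That default is
// permissive: deployments serving non-public data should pass an explicit
// list. The handler never sends Access-Control-Allow-Credentials; adding it
// while origins are echoed in allow-all mode would let any site read
// credentialed responses.
//
// Matching is an exact, case-sensitive comparison against the Origin header.
// A request that carries an Origin header and uses the OPTIONS method is
// answered with 204 and is not passed to next, whether or not its origin is
// allowed; a disallowed origin simply receives no CORS headers.
func CORSMiddleware(allowedOrigins []string, next http.Handler) http.Handler {
	allowAll := len(allowedOrigins) == 0
	allowed := make(map[string]struct{}, len(allowedOrigins))
	for _, entry := range allowedOrigins {
		switch entry = strings.TrimSpace(entry); entry {
		case "":
			// A blank entry (for example from a trailing comma) can never
			// match a real Origin; dropping it keeps the set explicit and
			// does not widen the policy.
			continue
		case "*":
			allowAll = true
		default:
			allowed[entry] = struct{}{}
		}
	}

	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		hdr := w.Header()

		// The response differs depending on the Origin header even when no
		// CORS headers are emitted, so every response is marked as varying on
		// it; otherwise a shared cache could replay one origin's response to
		// another. Add is used instead of Set so Vary values written by
		// handlers earlier in the chain are preserved.
		hdr.Add("Vary", "Origin")

		origin := r.Header.Get("Origin")
		if origin == "" {
			// Not a cross-origin browser request: nothing to decide.
			next.ServeHTTP(w, r)
			return
		}

		if _, ok := allowed[origin]; allowAll || ok {
			hdr.Set("Access-Control-Allow-Origin", origin)
			hdr.Set("Access-Control-Allow-Methods", "GET, PUT, PATCH, POST, DELETE, OPTIONS")
			hdr.Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
			hdr.Set("Access-Control-Max-Age", "3600")
		}

		if r.Method == http.MethodOptions {
			// Preflight is answered here and never reaches the wrapped chain.
			w.WriteHeader(http.StatusNoContent)
			return
		}

		next.ServeHTTP(w, r)
	})
}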