gitea/vendor/github.com/go-macaron/cors/cors.go

140 lines
3.8 KiB
Go

package cors
import (
"fmt"
"log"
"net/http"
"net/url"
"strconv"
"strings"
macaron "gopkg.in/macaron.v1"
)
const _VERSION = "0.1.0"
func Version() string {
return _VERSION
}
// Options represents a struct for specifying configuration options for the CORS middleware.
type Options struct {
Section string
Scheme string
AllowDomain string
AllowSubdomain bool
Methods []string
MaxAgeSeconds int
AllowCredentials bool
}
func prepareOptions(options []Options) Options {
var opt Options
if len(options) > 0 {
opt = options[0]
}
if len(opt.Section) == 0 {
opt.Section = "cors"
}
sec := macaron.Config().Section(opt.Section)
if len(opt.Scheme) == 0 {
opt.Scheme = sec.Key("SCHEME").MustString("http")
}
if len(opt.AllowDomain) == 0 {
opt.AllowDomain = sec.Key("ALLOW_DOMAIN").MustString("*")
}
if !opt.AllowSubdomain {
opt.AllowSubdomain = sec.Key("ALLOW_SUBDOMAIN").MustBool(false)
}
if len(opt.Methods) == 0 {
opt.Methods = sec.Key("METHODS").Strings(",")
if len(opt.Methods) == 0 {
opt.Methods = []string{
http.MethodGet,
http.MethodHead,
http.MethodPost,
http.MethodPut,
http.MethodPatch,
http.MethodDelete,
http.MethodOptions,
}
}
}
if opt.MaxAgeSeconds <= 0 {
// cache options response for 600 secs
// ref: https://stackoverflow.com/questions/54300997/is-it-possible-to-cache-http-options-response?noredirect=1#comment95790277_54300997
// ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age
opt.MaxAgeSeconds = sec.Key("MAX_AGE_SECONDS").MustInt(600)
}
if !opt.AllowCredentials {
opt.AllowCredentials = sec.Key("ALLOW_CREDENTIALS").MustBool(true)
}
return opt
}
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
// https://fetch.spec.whatwg.org/#cors-protocol-and-credentials
// For requests without credentials, the server may specify "*" as a wildcard, thereby allowing any origin to access the resource.
func CORS(options ...Options) macaron.Handler {
opt := prepareOptions(options)
return func(ctx *macaron.Context, log *log.Logger) {
reqOptions := ctx.Req.Method == http.MethodOptions
headers := map[string]string{
"access-control-allow-methods": strings.Join(opt.Methods, ","),
"access-control-allow-headers": ctx.Req.Header.Get("access-control-request-headers"),
"access-control-max-age": strconv.Itoa(opt.MaxAgeSeconds),
}
if opt.AllowDomain == "*" {
headers["access-control-allow-origin"] = "*"
} else if opt.AllowDomain != "" {
origin := ctx.Req.Header.Get("Origin")
if reqOptions && origin == "" {
respErrorf(ctx, log, http.StatusBadRequest, "missing origin header in CORS request")
return
}
u, err := url.Parse(origin)
if err != nil {
respErrorf(ctx, log, http.StatusBadRequest, "Failed to parse CORS origin header. Reason: %v", err)
return
}
ok := u.Hostname() == opt.AllowDomain ||
(opt.AllowSubdomain && strings.HasSuffix(u.Hostname(), "."+opt.AllowDomain))
if ok {
u.Scheme = opt.Scheme
headers["access-control-allow-origin"] = u.String()
headers["access-control-allow-credentials"] = strconv.FormatBool(opt.AllowCredentials)
headers["vary"] = "Origin"
}
if reqOptions && !ok {
respErrorf(ctx, log, http.StatusBadRequest, "CORS request from prohibited domain %v", origin)
return
}
}
ctx.Resp.Before(func(w macaron.ResponseWriter) {
for k, v := range headers {
w.Header().Set(k, v)
}
})
if reqOptions {
ctx.Status(200) // return response
}
}
}
func respErrorf(ctx *macaron.Context, log *log.Logger, statusCode int, format string, a ...interface{}) {
msg := fmt.Sprintf(format, a...)
log.Println(msg)
ctx.WriteHeader(statusCode)
_, err := ctx.Write([]byte(msg))
if err != nil {
panic(err)
}
return
}