Merge 1721e5a into 3478384

cors_intermediate_test.go

@@ -257,3 +257,32 @@ func TestOriginNotAllowsSubDomainWildcardFailWithInvalidAllowOriginURL(t *testin
 
 	t.Error("test should be panic")
 }
+
+func TestOriginNotAllowsSubDomainSuccessWithMultipleAllowOrigin(t *testing.T) {
+	service := newService(nil)
+	req, _ := http.NewRequest(http.MethodGet, "/", nil)
+	req.Header.Set(goacors.HeaderOrigin, "http://sample02.domain.com")
+	rw := newTestResponseWriter()
+	ctx := newContext(service, rw, req, nil)
+
+	h := func(ctx context.Context, rw http.ResponseWriter, req *http.Request) error {
+		return service.Send(ctx, http.StatusOK, "ok")
+	}
+	testee := goacors.WithConfig(service, &goacors.GoaCORSConfig{
+		AllowOrigins: []string{
+			"http://sample01*.domain.com",
+			"http://sample02*.domain.com",
+		},
+		AllowCredentials: true,
+		DomainStrategy:   goacors.AllowIntermediateMatch,
+	})(h)
+	err := testee(ctx, rw, req)
+	if err != nil {
+		t.Error("it should not return any error but ", err)
+		t.Fail()
+	}
+	if rw.Header().Get(goacors.HeaderAccessControlAllowOrigin) != req.Header.Get(goacors.HeaderOrigin) {
+		t.Errorf("allow origin should be %s but [%s]", req.Header.Get(goacors.HeaderOrigin), rw.Header().Get(goacors.HeaderAccessControlAllowOrigin))
+		t.Fail()
+	}
+}

matcher.go

@@ -69,35 +69,33 @@ func newInterMediateMatcher(config *GoaCORSConfig) OriginMatcher {
 // second, wild card is enabled only in their host name
 func (i *InterMediateMatcher) FindMatchedOrigin(allowedOrigins []string, origin string) (foundOne string, found bool) {
 
+	originUrl, err := url.Parse(origin)
+	if err != nil {
+		return "", false
+	}
+
 	for _, o := range allowedOrigins {
 		if foundOne, found = i.baseMatcher(o, origin, i.config.AllowCredentials); found {
 			return
 		}
 
-		originUrl, err := url.Parse(origin)
-		if err != nil {
-			return "", false
-		}
-		allowedUrl, err := url.Parse(o)
+		allowedURL, err := url.Parse(o)
 		if err != nil {
 			panic(err)
 		}
-		if !strings.Contains(allowedUrl.Host, "*") {
-			return "", false
-		}
-
-		parts := strings.SplitN(allowedUrl.Host, "*", 2)
-		if !strings.HasPrefix(originUrl.Host, parts[0]) {
-			return "", false
+		if !strings.Contains(allowedURL.Host, "*") {
+			continue
 		}
-		if !strings.HasSuffix(origin, parts[1]) {
-			return "", false
-		}
-
-		if originUrl.Scheme != allowedUrl.Scheme || originUrl.Path != allowedUrl.Path || originUrl.RawQuery != allowedUrl.RawQuery {
-			return "", false
+		parts := strings.SplitN(allowedURL.Host, "*", 2)
+		if !strings.HasPrefix(originUrl.Host, parts[0]) ||
+			!strings.HasSuffix(origin, parts[1]) ||
+			originUrl.Scheme != allowedURL.Scheme ||
+			originUrl.Path != allowedURL.Path ||
+			originUrl.RawQuery != allowedURL.RawQuery {
+			continue
 		}
+		// return origin, true
+		return origin, true
 	}
-
-	return origin, true
+	return
 }