Merge pull request #6 from deadcheat/feature/fix-issue-5_app_crashes_…

…when_accessing_multiple_endpoints

tries to fix #5

cors.go

@@ -1,6 +1,11 @@
 package goacors
 
 import (
+	"context"
+	"net/http"
+	"strconv"
+	"strings"
+
 	"github.com/goadesign/goa"
 )
 
@@ -26,6 +31,63 @@ func WithConfig(service *goa.Service, conf *GoaCORSConfig) goa.Middleware {
 	if conf.DomainStrategy != AllowIntermediateMatch {
 		conf.DomainStrategy = AllowStrict
 	}
-	factory := NewFactory()
-	return factory.Produce(service, conf)
+	allowMethods := strings.Join(conf.AllowMethods, ",")
+	allowHeaders := strings.Join(conf.AllowHeaders, ",")
+	exposeHeaders := strings.Join(conf.ExposeHeaders, ",")
+	maxAge := strconv.Itoa(conf.MaxAge)
+
+	var om OriginMatcher
+	switch conf.DomainStrategy {
+	case AllowIntermediateMatch:
+		om = newInterMediateMatcher(conf)
+	default:
+		om = newStrictOriginMatcher(conf)
+	}
+	return func(next goa.Handler) goa.Handler {
+		return func(c context.Context, rw http.ResponseWriter, req *http.Request) error {
+			// Skipper
+			if conf.Skipper(c, rw, req) {
+				return next(c, rw, req)
+			}
+			origin := req.Header.Get(HeaderOrigin)
+			// Check allowed origins
+			allowedOrigin, _ := om.FindMatchedOrigin(conf.AllowOrigins, origin)
+
+			// Simple request
+			if req.Method == http.MethodGet || req.Method == http.MethodPost || req.Method == http.MethodHead {
+				rw.Header().Add(HeaderVary, HeaderOrigin)
+				rw.Header().Set(HeaderAccessControlAllowOrigin, allowedOrigin)
+				if conf.AllowCredentials && allowedOrigin != "*" && allowedOrigin != "" {
+					rw.Header().Set(HeaderAccessControlAllowCredentials, "true")
+				}
+				if exposeHeaders != "" {
+					rw.Header().Set(HeaderAccessControlExposeHeaders, exposeHeaders)
+				}
+				return next(c, rw, req)
+			}
+			// Preflight request
+			rw.Header().Add(HeaderVary, HeaderOrigin)
+			rw.Header().Add(HeaderVary, HeaderAccessControlRequestMethod)
+			rw.Header().Add(HeaderVary, HeaderAccessControlRequestHeaders)
+			rw.Header().Set(HeaderAccessControlAllowOrigin, allowedOrigin)
+			rw.Header().Set(HeaderAccessControlAllowMethods, allowMethods)
+			if conf.AllowCredentials && allowedOrigin != "*" && allowedOrigin != "" {
+				rw.Header().Set(HeaderAccessControlAllowCredentials, "true")
+			}
+			if allowHeaders != "" {
+				rw.Header().Set(HeaderAccessControlAllowHeaders, allowHeaders)
+			} else {
+				header := req.Header.Get(HeaderAccessControlRequestHeaders)
+				if header != "" {
+					rw.Header().Set(HeaderAccessControlAllowHeaders, header)
+				}
+			}
+
+			if conf.MaxAge > 0 {
+				rw.Header().Set(HeaderAccessControlMaxAge, maxAge)
+			}
+			return service.Send(c, http.StatusNoContent, http.StatusText(http.StatusNoContent))
+		}
+	}
+
 }

matcher.go

@@ -2,6 +2,7 @@ package goacors
 
 import (
 	"context"
+	"fmt"
 	"net/url"
 	"strings"
 
@@ -25,6 +26,7 @@ func newStrictOriginMatcher(config *GoaCORSConfig) OriginMatcher {
 
 // Filter check if allowedOrigins contain * or completely same origin
 func (s *StrictOriginMatcher) FindMatchedOrigin(allowedOrigins []string, origin string) (foundOne string, found bool) {
+	fmt.Println("fuga", allowedOrigins, origin)
 	for _, o := range allowedOrigins {
 		if foundOne, found = innerMatcher(o, origin, s.config.AllowCredentials); found {
 			return
@@ -51,8 +53,6 @@ type InterMediateMatcher struct {
 	config *GoaCORSConfig
 }
 
-type MatcherBuilder func(config *GoaCORSConfig) OriginMatcher
-
 // newInterMediateMatcher create new OriginMatcher implement
 func newInterMediateMatcher(config *GoaCORSConfig) OriginMatcher {
 	// notify this matcher has weakness for security