// Kiebitz - Privacy-Friendly Appointment Scheduling
// Copyright (C) 2021-2021 The Kiebitz Authors
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as
// published by the Free Software Foundation, either version 3 of the
// License, or (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <https://www.gnu.org/licenses/>.
package jsonrpc
import (
"fmt"
"github.com/kiebitz-oss/services"
"github.com/kiebitz-oss/services/http"
"regexp"
"strings"
)
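// uniques returns the entries of list lower-cased, in first-seen order, with
// case-insensitive duplicates dropped.
//
// The result is always a non-nil slice, so a nil or empty input yields an empty
// slice rather than nil.
func uniques(list []string) []string {
	us := make([]string, 0, len(list))
	found := make(map[string]struct{}, len(list))
	for _, s := range list {
		s = strings.ToLower(s)
		if _, ok := found[s]; ok {
			continue
		}
		// Record the entry. Without this write the lookup above never hits and
		// every duplicate is passed through to the caller.
		found[s] = struct{}{}
		us = append(us, s)
	}
	return us
}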
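// Cors builds a handler that answers CORS requests according to settings.
//
// Each entry of settings.AllowedHosts is compiled as a regular expression and
// matched against the request's Origin header. On the first match the origin is
// echoed in Access-Control-Allow-Origin together with the allowed headers and
// methods, and an OPTIONS request is answered with status 200. When
// defaultRoute is true, every request that was not answered that way receives a
// JSON 404 response. A nil settings value yields a handler that does nothing.
//
// Cors panics if an AllowedHosts entry is not a valid regular expression.
//
// Security notes:
//   - Matching uses Regexp.MatchString, which succeeds if the pattern matches
//     anywhere in the Origin value. Patterns in the configuration therefore
//     have to be anchored with ^ and $ and have their dots escaped; an
//     unanchored pattern also accepts origins that merely contain the
//     intended host name.
//   - For a matching origin the headers named in Access-Control-Request-Headers
//     are echoed back, so settings.AllowedHeaders extends the allowed set but
//     does not restrict it.
//   - NOTE(review): the response differs per Origin but no "Vary: Origin"
//     header is set here; confirm that shared caches in front of this service
//     cannot serve one origin's response to another.
func Cors(settings *services.CorsSettings, defaultRoute bool) http.Handler {
	if settings == nil {
		services.Log.Debugf("No CORS settings defined, returning empty handler...")
		return func(c *http.Context) {
		}
	}

	allowedHostPatterns := make([]*regexp.Regexp, len(settings.AllowedHosts))
	for i, allowedHost := range settings.AllowedHosts {
		pattern, err := regexp.Compile(allowedHost)
		if err != nil {
			// A broken pattern is a configuration error; fail at setup time
			// rather than silently allowing or denying origins later.
			panic(err)
		}
		allowedHostPatterns[i] = pattern
	}

	decorator := func(c *http.Context) {
		services.Log.Tracef("Checking CORS for request...")

		// Access-Control-Request-Headers is a comma-separated list. Split it
		// into individual names so that duplicates of the configured headers
		// can be dropped, and skip empty items so that a request without the
		// header does not produce a leading ", " in the response value.
		headers := make([]string, 0, len(settings.AllowedHeaders)+1)
		for _, h := range strings.Split(c.Request.Header.Get("Access-Control-Request-Headers"), ",") {
			if h = strings.TrimSpace(h); h != "" {
				headers = append(headers, h)
			}
		}
		headers = append(headers, settings.AllowedHeaders...)
		allAllowedHeaders := strings.Join(uniques(headers), ", ")

		// The Origin header is client-controlled; it is only echoed back when
		// one of the configured patterns accepts it.
		origin := c.Request.Header.Get("Origin")
		found := false
		for _, pattern := range allowedHostPatterns {
			services.Log.Tracef("Pattern: %s, origin: %s", pattern, origin)
			if pattern.MatchString(origin) {
				c.Writer.Header().Set("Access-Control-Allow-Origin", origin)
				found = true
				break
			}
		}

		if found {
			c.Writer.Header().Set("Access-Control-Max-Age", fmt.Sprintf("%d", 60))
			c.Writer.Header().Set("Access-Control-Allow-Headers", allAllowedHeaders)
			c.Writer.Header().Set("Access-Control-Allow-Methods", strings.Join(settings.AllowedMethods, ", "))
			// for OPTIONS calls we set the status code explicitly
			if c.Request.Method == "OPTIONS" {
				c.AbortWithStatus(200)
				return
			}
		}

		if defaultRoute {
			c.JSON(404, http.H{"message": "route not found"})
			return
		}
	}

	return decorator
}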
// CorsFromEverywhere builds a handler that grants CORS access to every origin.
//
// The handler echoes the request's Origin header in
// Access-Control-Allow-Origin, echoes Access-Control-Request-Headers in
// Access-Control-Allow-Headers, allows the POST and GET methods, and answers
// OPTIONS requests with status 200. A nil settings value yields a handler that
// does nothing; settings is not consulted otherwise.
//
// Security notes:
//   - No origin check is performed, so any web page can read responses of the
//     routes this handler is attached to. It is only appropriate for
//     endpoints whose responses are safe to expose to arbitrary sites.
//   - This function does not set Access-Control-Allow-Credentials. Combining
//     a reflected origin with credentials would let any site read
//     authenticated responses, so that header must not be added for routes
//     using this handler.
//   - NOTE(review): the response differs per Origin but no "Vary: Origin"
//     header is set here; confirm that shared caches in front of this service
//     cannot serve one origin's response to another.
func CorsFromEverywhere(settings *services.CorsSettings) http.Handler {
	// Without CORS settings the handler is a no-op.
	if settings == nil {
		return func(c *http.Context) {
		}
	}

	return func(c *http.Context) {
		// Both values below are client-controlled and are reflected verbatim.
		requestOrigin := c.Request.Header.Get("Origin")
		c.Writer.Header().Set("Access-Control-Allow-Origin", requestOrigin)

		maxAge := fmt.Sprintf("%d", 60)
		c.Writer.Header().Set("Access-Control-Max-Age", maxAge)

		requestedHeaders := c.Request.Header.Get("Access-Control-Request-Headers")
		c.Writer.Header().Set("Access-Control-Allow-Headers", requestedHeaders)

		methods := []string{"POST", "GET"}
		c.Writer.Header().Set("Access-Control-Allow-Methods", strings.Join(methods, ", "))

		// Only preflight (OPTIONS) requests are answered here; for them the
		// status code is set explicitly.
		if c.Request.Method != "OPTIONS" {
			return
		}
		c.AbortWithStatus(200)
	}
}