169 lines
4.8 KiB
Go
169 lines
4.8 KiB
Go
package cors
|
|
|
|
import (
|
|
"errors"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/gin-gonic/gin"
|
|
)
|
|
|
|
// Config represents all available options for the middleware.
|
|
type Config struct {
|
|
AllowAllOrigins bool
|
|
|
|
// AllowedOrigins is a list of origins a cross-domain request can be executed from.
|
|
// If the special "*" value is present in the list, all origins will be allowed.
|
|
// Default value is []
|
|
AllowOrigins []string
|
|
|
|
// AllowOriginFunc is a custom function to validate the origin. It take the origin
|
|
// as argument and returns true if allowed or false otherwise. If this option is
|
|
// set, the content of AllowedOrigins is ignored.
|
|
AllowOriginFunc func(origin string) bool
|
|
|
|
// AllowedMethods is a list of methods the client is allowed to use with
|
|
// cross-domain requests. Default value is simple methods (GET and POST)
|
|
AllowMethods []string
|
|
|
|
// AllowedHeaders is list of non simple headers the client is allowed to use with
|
|
// cross-domain requests.
|
|
AllowHeaders []string
|
|
|
|
// AllowCredentials indicates whether the request can include user credentials like
|
|
// cookies, HTTP authentication or client side SSL certificates.
|
|
AllowCredentials bool
|
|
|
|
// ExposedHeaders indicates which headers are safe to expose to the API of a CORS
|
|
// API specification
|
|
ExposeHeaders []string
|
|
|
|
// MaxAge indicates how long (in seconds) the results of a preflight request
|
|
// can be cached
|
|
MaxAge time.Duration
|
|
|
|
// Allows to add origins like http://some-domain/*, https://api.* or http://some.*.subdomain.com
|
|
AllowWildcard bool
|
|
|
|
// Allows usage of popular browser extensions schemas
|
|
AllowBrowserExtensions bool
|
|
|
|
// Allows usage of WebSocket protocol
|
|
AllowWebSockets bool
|
|
|
|
// Allows usage of file:// schema (dangerous!) use it only when you 100% sure it's needed
|
|
AllowFiles bool
|
|
}
|
|
|
|
// AddAllowMethods is allowed to add custom methods
|
|
func (c *Config) AddAllowMethods(methods ...string) {
|
|
c.AllowMethods = append(c.AllowMethods, methods...)
|
|
}
|
|
|
|
// AddAllowHeaders is allowed to add custom headers
|
|
func (c *Config) AddAllowHeaders(headers ...string) {
|
|
c.AllowHeaders = append(c.AllowHeaders, headers...)
|
|
}
|
|
|
|
// AddExposeHeaders is allowed to add custom expose headers
|
|
func (c *Config) AddExposeHeaders(headers ...string) {
|
|
c.ExposeHeaders = append(c.ExposeHeaders, headers...)
|
|
}
|
|
|
|
func (c Config) getAllowedSchemas() []string {
|
|
allowedSchemas := DefaultSchemas
|
|
if c.AllowBrowserExtensions {
|
|
allowedSchemas = append(allowedSchemas, ExtensionSchemas...)
|
|
}
|
|
if c.AllowWebSockets {
|
|
allowedSchemas = append(allowedSchemas, WebSocketSchemas...)
|
|
}
|
|
if c.AllowFiles {
|
|
allowedSchemas = append(allowedSchemas, FileSchemas...)
|
|
}
|
|
return allowedSchemas
|
|
}
|
|
|
|
func (c Config) validateAllowedSchemas(origin string) bool {
|
|
allowedSchemas := c.getAllowedSchemas()
|
|
for _, schema := range allowedSchemas {
|
|
if strings.HasPrefix(origin, schema) {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
// Validate is check configuration of user defined.
|
|
func (c Config) Validate() error {
|
|
if c.AllowAllOrigins && (c.AllowOriginFunc != nil || len(c.AllowOrigins) > 0) {
|
|
return errors.New("conflict settings: all origins are allowed. AllowOriginFunc or AllowedOrigins is not needed")
|
|
}
|
|
if !c.AllowAllOrigins && c.AllowOriginFunc == nil && len(c.AllowOrigins) == 0 {
|
|
return errors.New("conflict settings: all origins disabled")
|
|
}
|
|
for _, origin := range c.AllowOrigins {
|
|
if !strings.Contains(origin, "*") && !c.validateAllowedSchemas(origin) {
|
|
return errors.New("bad origin: origins must contain '*' or include " + strings.Join(c.getAllowedSchemas(), ","))
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (c Config) parseWildcardRules() [][]string {
|
|
var wRules [][]string
|
|
|
|
if !c.AllowWildcard {
|
|
return wRules
|
|
}
|
|
|
|
for _, o := range c.AllowOrigins {
|
|
if !strings.Contains(o, "*") {
|
|
continue
|
|
}
|
|
|
|
if c := strings.Count(o, "*"); c > 1 {
|
|
panic(errors.New("only one * is allowed").Error())
|
|
}
|
|
|
|
i := strings.Index(o, "*")
|
|
if i == 0 {
|
|
wRules = append(wRules, []string{"*", o[1:]})
|
|
continue
|
|
}
|
|
if i == (len(o) - 1) {
|
|
wRules = append(wRules, []string{o[:i-1], "*"})
|
|
continue
|
|
}
|
|
|
|
wRules = append(wRules, []string{o[:i], o[i+1:]})
|
|
}
|
|
|
|
return wRules
|
|
}
|
|
|
|
// DefaultConfig returns a generic default configuration mapped to localhost.
|
|
func DefaultConfig() Config {
|
|
return Config{
|
|
AllowMethods: []string{"GET", "POST", "PUT", "PATCH", "DELETE", "HEAD"},
|
|
AllowHeaders: []string{"Origin", "Content-Length", "Content-Type"},
|
|
AllowCredentials: false,
|
|
MaxAge: 12 * time.Hour,
|
|
}
|
|
}
|
|
|
|
// Default returns the location middleware with default configuration.
|
|
func Default() gin.HandlerFunc {
|
|
config := DefaultConfig()
|
|
config.AllowAllOrigins = true
|
|
return New(config)
|
|
}
|
|
|
|
// New returns the location middleware with user-defined custom configuration.
|
|
func New(config Config) gin.HandlerFunc {
|
|
cors := newCors(config)
|
|
return func(c *gin.Context) {
|
|
cors.applyCors(c)
|
|
}
|
|
}
|