go-zero/rest/internal/cors/handlers.go

package cors

import (
	"net/http"
	"strings"

	"github.com/zeromicro/go-zero/rest/internal/response"
)

const (
	allowOrigin      = "Access-Control-Allow-Origin"
	allOrigins       = "*"
	allowMethods     = "Access-Control-Allow-Methods"
	allowHeaders     = "Access-Control-Allow-Headers"
	allowCredentials = "Access-Control-Allow-Credentials"
	exposeHeaders    = "Access-Control-Expose-Headers"
	requestMethod    = "Access-Control-Request-Method"
	requestHeaders   = "Access-Control-Request-Headers"
	allowHeadersVal  = "Content-Type, Origin, X-CSRF-Token, Authorization, AccessToken, Token, Range"
	exposeHeadersVal = "Content-Length, Access-Control-Allow-Origin, Access-Control-Allow-Headers"
	methods          = "GET, HEAD, POST, PATCH, PUT, DELETE"
	allowTrue        = "true"
	maxAgeHeader     = "Access-Control-Max-Age"
	maxAgeHeaderVal  = "86400"
	varyHeader       = "Vary"
	originHeader     = "Origin"
)

// NotAllowedHandler handles cross domain not allowed requests.
// At most one origin can be specified, other origins are ignored if given, default to be *.
func NotAllowedHandler(fn func(w http.ResponseWriter), origins ...string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		gw := response.NewHeaderOnceResponseWriter(w)
		checkAndSetHeaders(gw, r, origins)
		if fn != nil {
			fn(gw)
		}

		if r.Method == http.MethodOptions {
			gw.WriteHeader(http.StatusNoContent)
		} else {
			gw.WriteHeader(http.StatusNotFound)
		}
	})
}

// Middleware returns a middleware that adds CORS headers to the response.
func Middleware(fn func(w http.Header), origins ...string) func(http.HandlerFunc) http.HandlerFunc {
	return func(next http.HandlerFunc) http.HandlerFunc {
		return func(w http.ResponseWriter, r *http.Request) {
			checkAndSetHeaders(w, r, origins)
			if fn != nil {
				fn(w.Header())
			}

			if r.Method == http.MethodOptions {
				w.WriteHeader(http.StatusNoContent)
			} else {
				next(w, r)
			}
		}
	}
}

func checkAndSetHeaders(w http.ResponseWriter, r *http.Request, origins []string) {
	setVaryHeaders(w, r)

	if len(origins) == 0 {
		setHeader(w, allOrigins)
		return
	}

	origin := r.Header.Get(originHeader)
	if isOriginAllowed(origins, origin) {
		setHeader(w, origin)
	}
}

func isOriginAllowed(allows []string, origin string) bool {
	origin = strings.ToLower(origin)

	for _, allow := range allows {
		if allow == allOrigins {
			return true
		}

		allow = strings.ToLower(allow)
		if origin == allow {
			return true
		}

		if strings.HasSuffix(origin, "."+allow) {
			return true
		}
	}

	return false
}

func setHeader(w http.ResponseWriter, origin string) {
	header := w.Header()
	header.Set(allowOrigin, origin)
	header.Set(allowMethods, methods)
	header.Set(allowHeaders, allowHeadersVal)
	header.Set(exposeHeaders, exposeHeadersVal)
	if origin != allOrigins {
		header.Set(allowCredentials, allowTrue)
	}
	header.Set(maxAgeHeader, maxAgeHeaderVal)
}

func setVaryHeaders(w http.ResponseWriter, r *http.Request) {
	header := w.Header()
	header.Add(varyHeader, originHeader)
	if r.Method == http.MethodOptions {
		header.Add(varyHeader, requestMethod)
		header.Add(varyHeader, requestHeaders)
	}
}
feat: support CORS by using rest.WithCors(...) (#1212) * feat: support CORS by using rest.WithCors(...) * chore: add comments * refactor: lowercase unexported methods * ci: fix lint errors 3 years ago			`package cors`

chore: avoid superfluous WriteHeader call errors (#1275) 3 years ago			`import (`
			`"net/http"`
feat: support sub domain for cors (#1827) 3 years ago			`"strings"`
feat: log 404 requests with traceid (#1554) 3 years ago
			`"github.com/zeromicro/go-zero/rest/internal/response"`
chore: avoid superfluous WriteHeader call errors (#1275) 3 years ago			`)`
feat: support CORS by using rest.WithCors(...) (#1212) * feat: support CORS by using rest.WithCors(...) * chore: add comments * refactor: lowercase unexported methods * ci: fix lint errors 3 years ago
			`const (`
			`allowOrigin = "Access-Control-Allow-Origin"`
			`allOrigins = "*"`
			`allowMethods = "Access-Control-Allow-Methods"`
			`allowHeaders = "Access-Control-Allow-Headers"`
			`allowCredentials = "Access-Control-Allow-Credentials"`
			`exposeHeaders = "Access-Control-Expose-Headers"`
feat: support CORS, better implementation (#1217) * feat: support CORS, better implementation * chore: refine code 3 years ago			`requestMethod = "Access-Control-Request-Method"`
			`requestHeaders = "Access-Control-Request-Headers"`
feat: support CORS by using rest.WithCors(...) (#1212) * feat: support CORS by using rest.WithCors(...) * chore: add comments * refactor: lowercase unexported methods * ci: fix lint errors 3 years ago			`allowHeadersVal = "Content-Type, Origin, X-CSRF-Token, Authorization, AccessToken, Token, Range"`
			`exposeHeadersVal = "Content-Length, Access-Control-Allow-Origin, Access-Control-Allow-Headers"`
			`methods = "GET, HEAD, POST, PATCH, PUT, DELETE"`
			`allowTrue = "true"`
			`maxAgeHeader = "Access-Control-Max-Age"`
			`maxAgeHeaderVal = "86400"`
feat: support CORS, better implementation (#1217) * feat: support CORS, better implementation * chore: refine code 3 years ago			`varyHeader = "Vary"`
			`originHeader = "Origin"`
feat: support CORS by using rest.WithCors(...) (#1212) * feat: support CORS by using rest.WithCors(...) * chore: add comments * refactor: lowercase unexported methods * ci: fix lint errors 3 years ago			`)`

feat: support CORS, better implementation (#1217) * feat: support CORS, better implementation * chore: refine code 3 years ago			`// NotAllowedHandler handles cross domain not allowed requests.`
feat: support CORS by using rest.WithCors(...) (#1212) * feat: support CORS by using rest.WithCors(...) * chore: add comments * refactor: lowercase unexported methods * ci: fix lint errors 3 years ago			`// At most one origin can be specified, other origins are ignored if given, default to be *.`
feat: add rest.WithCustomCors to let caller customize the response (#1274) 3 years ago			`func NotAllowedHandler(fn func(w http.ResponseWriter), origins ...string) http.Handler {`
feat: support CORS by using rest.WithCors(...) (#1212) * feat: support CORS by using rest.WithCors(...) * chore: add comments * refactor: lowercase unexported methods * ci: fix lint errors 3 years ago			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
feat: log 404 requests with traceid (#1554) 3 years ago			`gw := response.NewHeaderOnceResponseWriter(w)`
chore: avoid superfluous WriteHeader call errors (#1275) 3 years ago			`checkAndSetHeaders(gw, r, origins)`
feat: add rest.WithCustomCors to let caller customize the response (#1274) 3 years ago			`if fn != nil {`
chore: avoid superfluous WriteHeader call errors (#1275) 3 years ago			`fn(gw)`
feat: add rest.WithCustomCors to let caller customize the response (#1274) 3 years ago			`}`
feat: support CORS by using rest.WithCors(...) (#1212) * feat: support CORS by using rest.WithCors(...) * chore: add comments * refactor: lowercase unexported methods * ci: fix lint errors 3 years ago
chore: avoid superfluous WriteHeader call errors (#1275) 3 years ago			`if r.Method == http.MethodOptions {`
			`gw.WriteHeader(http.StatusNoContent)`
feat: support CORS by using rest.WithCors(...) (#1212) * feat: support CORS by using rest.WithCors(...) * chore: add comments * refactor: lowercase unexported methods * ci: fix lint errors 3 years ago			`} else {`
chore: avoid superfluous WriteHeader call errors (#1275) 3 years ago			`gw.WriteHeader(http.StatusNotFound)`
feat: support CORS by using rest.WithCors(...) (#1212) * feat: support CORS by using rest.WithCors(...) * chore: add comments * refactor: lowercase unexported methods * ci: fix lint errors 3 years ago			`}`
			`})`
			`}`

			`// Middleware returns a middleware that adds CORS headers to the response.`
chore: only allow cors middleware to change headers (#1276) 3 years ago			`func Middleware(fn func(w http.Header), origins ...string) func(http.HandlerFunc) http.HandlerFunc {`
feat: support CORS by using rest.WithCors(...) (#1212) * feat: support CORS by using rest.WithCors(...) * chore: add comments * refactor: lowercase unexported methods * ci: fix lint errors 3 years ago			`return func(next http.HandlerFunc) http.HandlerFunc {`
			`return func(w http.ResponseWriter, r *http.Request) {`
feat: support CORS, better implementation (#1217) * feat: support CORS, better implementation * chore: refine code 3 years ago			`checkAndSetHeaders(w, r, origins)`
feat: add rest.WithCustomCors to let caller customize the response (#1274) 3 years ago			`if fn != nil {`
chore: only allow cors middleware to change headers (#1276) 3 years ago			`fn(w.Header())`
feat: add rest.WithCustomCors to let caller customize the response (#1274) 3 years ago			`}`
feat: support CORS by using rest.WithCors(...) (#1212) * feat: support CORS by using rest.WithCors(...) * chore: add comments * refactor: lowercase unexported methods * ci: fix lint errors 3 years ago
			`if r.Method == http.MethodOptions {`
			`w.WriteHeader(http.StatusNoContent)`
			`} else {`
			`next(w, r)`
			`}`
			`}`
			`}`
			`}`

feat: support CORS, better implementation (#1217) * feat: support CORS, better implementation * chore: refine code 3 years ago			`func checkAndSetHeaders(w http.ResponseWriter, r *http.Request, origins []string) {`
			`setVaryHeaders(w, r)`

			`if len(origins) == 0 {`
			`setHeader(w, allOrigins)`
			`return`
			`}`

			`origin := r.Header.Get(originHeader)`
			`if isOriginAllowed(origins, origin) {`
			`setHeader(w, origin)`
			`}`
			`}`

			`func isOriginAllowed(allows []string, origin string) bool {`
Merge pull request from GHSA-fgxv-gw55-r5fq * fix: Authorization Bypass Through User-Controlled Key * chore: add not safe domain test 2 years ago			`origin = strings.ToLower(origin)`
fix: gateway conf doesn't work (#2968) 2 years ago
Merge pull request from GHSA-fgxv-gw55-r5fq * fix: Authorization Bypass Through User-Controlled Key * chore: add not safe domain test 2 years ago			`for _, allow := range allows {`
			`if allow == allOrigins {`
feat: support CORS, better implementation (#1217) * feat: support CORS, better implementation * chore: refine code 3 years ago			`return true`
			`}`

Merge pull request from GHSA-fgxv-gw55-r5fq * fix: Authorization Bypass Through User-Controlled Key * chore: add not safe domain test 2 years ago			`allow = strings.ToLower(allow)`
			`if origin == allow {`
			`return true`
			`}`

			`if strings.HasSuffix(origin, "."+allow) {`
feat: support CORS, better implementation (#1217) * feat: support CORS, better implementation * chore: refine code 3 years ago			`return true`
			`}`
feat: support CORS by using rest.WithCors(...) (#1212) * feat: support CORS by using rest.WithCors(...) * chore: add comments * refactor: lowercase unexported methods * ci: fix lint errors 3 years ago			`}`
feat: support CORS, better implementation (#1217) * feat: support CORS, better implementation * chore: refine code 3 years ago
			`return false`
feat: support CORS by using rest.WithCors(...) (#1212) * feat: support CORS by using rest.WithCors(...) * chore: add comments * refactor: lowercase unexported methods * ci: fix lint errors 3 years ago			`}`

			`func setHeader(w http.ResponseWriter, origin string) {`
chore: refactor, better goctl message (#1228) 3 years ago			`header := w.Header()`
			`header.Set(allowOrigin, origin)`
			`header.Set(allowMethods, methods)`
			`header.Set(allowHeaders, allowHeadersVal)`
			`header.Set(exposeHeaders, exposeHeadersVal)`
feat: support CORS, better implementation (#1217) * feat: support CORS, better implementation * chore: refine code 3 years ago			`if origin != allOrigins {`
chore: refactor, better goctl message (#1228) 3 years ago			`header.Set(allowCredentials, allowTrue)`
feat: support CORS, better implementation (#1217) * feat: support CORS, better implementation * chore: refine code 3 years ago			`}`
chore: refactor, better goctl message (#1228) 3 years ago			`header.Set(maxAgeHeader, maxAgeHeaderVal)`
feat: support CORS by using rest.WithCors(...) (#1212) * feat: support CORS by using rest.WithCors(...) * chore: add comments * refactor: lowercase unexported methods * ci: fix lint errors 3 years ago			`}`
feat: support CORS, better implementation (#1217) * feat: support CORS, better implementation * chore: refine code 3 years ago
			`func setVaryHeaders(w http.ResponseWriter, r *http.Request) {`
			`header := w.Header()`
			`header.Add(varyHeader, originHeader)`
			`if r.Method == http.MethodOptions {`
			`header.Add(varyHeader, requestMethod)`
			`header.Add(varyHeader, requestHeaders)`
			`}`
			`}`