osbzr
/
com
项目红包剩余9514,下一贡献奖励5%,即 476个红包
Watch 14
Star 6
Wiki 捐赠
本站源代码
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branch: gamification
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'gamification'
${ noResults }
com/vendor/gitea.com/macaron/cors/cors.go

169 lines
4.7KB
Raw Permalink Blame History 

  1. package cors

  2. 

  3. import (

  4. 	"fmt"

  5. 	"log"

  6. 	"net/http"

  7. 	"net/url"

  8. 	"strconv"

  9. 	"strings"

  10. 

  11. 	macaron "gitea.com/macaron/macaron"

  12. )

  13. 

  14. const version = "0.1.1"

  15. 

  16. const anyDomain = "!*"

  17. 

  18. // Version returns the version of this module

  19. func Version() string {

  20. 	return version

  21. }

  22. 

  23. /*

  24. Options to configure the CORS middleware read from the [cors] section of the ini configuration file.

  25. 

  26. SCHEME may be http or https as accepted schemes or the '*' wildcard to accept any scheme.

  27. 

  28. ALLOW_DOMAIN may be a comma separated list of domains that are allowed to run CORS requests

  29. Special values are the  a single '*' wildcard that will allow any domain to send requests without

  30. credentials and the special '!*' wildcard which will reply with requesting domain in the 'access-control-allow-origin'

  31. header and hence allow requess from any domain *with* credentials.

  32. 

  33. ALLOW_SUBDOMAIN set to true accepts requests from any subdomain of ALLOW_DOMAIN.

  34. 

  35. METHODS may be a comma separated list of HTTP-methods to be accepted.

  36. 

  37. MAX_AGE_SECONDS may be the duration in secs for which the response is cached (default 600).

  38. ref: https://stackoverflow.com/questions/54300997/is-it-possible-to-cache-http-options-response?noredirect=1#comment95790277_54300997

  39. ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age

  40. 

  41. ALLOW_CREDENTIALS set to false rejects any request with credentials.

  42. */

  43. type Options struct {

  44. 	Section          string

  45. 	Scheme           string

  46. 	AllowDomain      []string

  47. 	AllowSubdomain   bool

  48. 	Methods          []string

  49. 	MaxAgeSeconds    int

  50. 	AllowCredentials bool

  51. }

  52. 

  53. func prepareOptions(options []Options) Options {

  54. 	var opt Options

  55. 	if len(options) > 0 {

  56. 		opt = options[0]

  57. 	}

  58. 

  59. 	if len(opt.Section) == 0 {

  60. 		opt.Section = "cors"

  61. 	}

  62. 	sec := macaron.Config().Section(opt.Section)

  63. 

  64. 	if len(opt.Scheme) == 0 {

  65. 		opt.Scheme = sec.Key("SCHEME").MustString("http")

  66. 	}

  67. 	if len(opt.AllowDomain) == 0 {

  68. 		opt.AllowDomain = sec.Key("ALLOW_DOMAIN").Strings(",")

  69. 		if len(opt.AllowDomain) == 0 {

  70. 			opt.AllowDomain = []string{"*"}

  71. 		}

  72. 	}

  73. 	if !opt.AllowSubdomain {

  74. 		opt.AllowSubdomain = sec.Key("ALLOW_SUBDOMAIN").MustBool(false)

  75. 	}

  76. 	if len(opt.Methods) == 0 {

  77. 		opt.Methods = sec.Key("METHODS").Strings(",")

  78. 		if len(opt.Methods) == 0 {

  79. 			opt.Methods = []string{

  80. 				http.MethodGet,

  81. 				http.MethodHead,

  82. 				http.MethodPost,

  83. 				http.MethodPut,

  84. 				http.MethodPatch,

  85. 				http.MethodDelete,

  86. 				http.MethodOptions,

  87. 			}

  88. 		}

  89. 	}

  90. 	if opt.MaxAgeSeconds <= 0 {

  91. 		opt.MaxAgeSeconds = sec.Key("MAX_AGE_SECONDS").MustInt(600)

  92. 	}

  93. 	if !opt.AllowCredentials {

  94. 		opt.AllowCredentials = sec.Key("ALLOW_CREDENTIALS").MustBool(true)

  95. 	}

  96. 

  97. 	return opt

  98. }

  99. 

  100. // CORS responds to preflight requests with adequat access-control-* respond headers

  101. // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin

  102. // https://fetch.spec.whatwg.org/#cors-protocol-and-credentials

  103. func CORS(options ...Options) macaron.Handler {

  104. 	opt := prepareOptions(options)

  105. 	return func(ctx *macaron.Context, log *log.Logger) {

  106. 		reqOptions := ctx.Req.Method == http.MethodOptions

  107. 

  108. 		headers := map[string]string{

  109. 			"access-control-allow-methods": strings.Join(opt.Methods, ","),

  110. 			"access-control-allow-headers": ctx.Req.Header.Get("access-control-request-headers"),

  111. 			"access-control-max-age":       strconv.Itoa(opt.MaxAgeSeconds),

  112. 		}

  113. 		if opt.AllowDomain[0] == "*" {

  114. 			headers["access-control-allow-origin"] = "*"

  115. 		} else {

  116. 			origin := ctx.Req.Header.Get("Origin")

  117. 			if reqOptions && origin == "" {

  118. 				respErrorf(ctx, log, http.StatusBadRequest, "missing origin header in CORS request")

  119. 				return

  120. 			}

  121. 

  122. 			u, err := url.Parse(origin)

  123. 			if err != nil {

  124. 				respErrorf(ctx, log, http.StatusBadRequest, "Failed to parse CORS origin header. Reason: %v", err)

  125. 				return

  126. 			}

  127. 

  128. 			ok := false

  129. 			for _, d := range opt.AllowDomain {

  130. 				if u.Hostname() == d || (opt.AllowSubdomain && strings.HasSuffix(u.Hostname(), "."+d)) || d == anyDomain {

  131. 					ok = true

  132. 					break

  133. 				}

  134. 			}

  135. 			if ok {

  136. 				if opt.Scheme != "*" {

  137. 					u.Scheme = opt.Scheme

  138. 				}

  139. 				headers["access-control-allow-origin"] = u.String()

  140. 				headers["access-control-allow-credentials"] = strconv.FormatBool(opt.AllowCredentials)

  141. 				headers["vary"] = "Origin"

  142. 			}

  143. 			if reqOptions && !ok {

  144. 				respErrorf(ctx, log, http.StatusBadRequest, "CORS request from prohibited domain %v", origin)

  145. 				return

  146. 			}

  147. 		}

  148. 		ctx.Resp.Before(func(w macaron.ResponseWriter) {

  149. 			for k, v := range headers {

  150. 				w.Header().Set(k, v)

  151. 			}

  152. 		})

  153. 		if reqOptions {

  154. 			ctx.Status(200) // return response

  155. 		}

  156. 	}

  157. }

  158. 

  159. func respErrorf(ctx *macaron.Context, log *log.Logger, statusCode int, format string, a ...interface{}) {

  160. 	msg := fmt.Sprintf(format, a...)

  161. 	log.Println(msg)

  162. 	ctx.WriteHeader(statusCode)

  163. 	_, err := ctx.Write([]byte(msg))

  164. 	if err != nil {

  165. 		panic(err)

  166. 	}

  167. 	return

  168. }
上海开阖软件有限公司 沪ICP备12045867号-1