2016-04-08 01:16:58 +02:00
|
|
|
package middleware
|
|
|
|
|
|
|
|
import (
|
|
|
|
"net/http"
|
|
|
|
"strconv"
|
|
|
|
"strings"
|
|
|
|
|
|
|
|
"github.com/labstack/echo"
|
|
|
|
)
|
|
|
|
|
|
|
|
type (
|
|
|
|
// CORSConfig defines the config for CORS middleware.
|
|
|
|
CORSConfig struct {
|
|
|
|
// AllowOrigin defines a list of origins that may access the resource.
|
2016-05-10 20:52:04 +02:00
|
|
|
// Optional. Default value []string{"*"}.
|
2016-04-08 01:16:58 +02:00
|
|
|
AllowOrigins []string
|
|
|
|
|
|
|
|
// AllowMethods defines a list methods allowed when accessing the resource.
|
|
|
|
// This is used in response to a preflight request.
|
2016-05-10 20:52:04 +02:00
|
|
|
// Optional. Default value DefaultCORSConfig.AllowMethods.
|
2016-04-08 01:16:58 +02:00
|
|
|
AllowMethods []string
|
|
|
|
|
|
|
|
// AllowHeaders defines a list of request headers that can be used when
|
|
|
|
// making the actual request. This in response to a preflight request.
|
2016-05-10 20:52:04 +02:00
|
|
|
// Optional. Default value []string{}.
|
2016-04-08 01:16:58 +02:00
|
|
|
AllowHeaders []string
|
|
|
|
|
|
|
|
// AllowCredentials indicates whether or not the response to the request
|
|
|
|
// can be exposed when the credentials flag is true. When used as part of
|
|
|
|
// a response to a preflight request, this indicates whether or not the
|
|
|
|
// actual request can be made using credentials.
|
2016-05-10 20:52:04 +02:00
|
|
|
// Optional. Default value false.
|
2016-04-08 01:16:58 +02:00
|
|
|
AllowCredentials bool
|
|
|
|
|
|
|
|
// ExposeHeaders defines a whitelist headers that clients are allowed to
|
|
|
|
// access.
|
2016-05-10 20:52:04 +02:00
|
|
|
// Optional. Default value []string{}.
|
2016-04-08 01:16:58 +02:00
|
|
|
ExposeHeaders []string
|
|
|
|
|
|
|
|
// MaxAge indicates how long (in seconds) the results of a preflight request
|
|
|
|
// can be cached.
|
2016-05-10 20:52:04 +02:00
|
|
|
// Optional. Default value 0.
|
2016-04-08 01:16:58 +02:00
|
|
|
MaxAge int
|
|
|
|
}
|
|
|
|
)
|
|
|
|
|
|
|
|
var (
|
|
|
|
// DefaultCORSConfig is the default CORS middleware config.
|
|
|
|
DefaultCORSConfig = CORSConfig{
|
|
|
|
AllowOrigins: []string{"*"},
|
|
|
|
AllowMethods: []string{echo.GET, echo.HEAD, echo.PUT, echo.POST, echo.DELETE},
|
|
|
|
}
|
|
|
|
)
|
|
|
|
|
2016-04-08 01:57:57 +02:00
|
|
|
// CORS returns a Cross-Origin Resource Sharing (CORS) middleware.
|
2016-05-13 02:45:00 +02:00
|
|
|
// See: https://developer.mozilla.org/en/docs/Web/HTTP/Access_control_CORS
|
2016-04-08 01:16:58 +02:00
|
|
|
func CORS() echo.MiddlewareFunc {
|
2016-04-08 06:20:50 +02:00
|
|
|
return CORSWithConfig(DefaultCORSConfig)
|
2016-04-08 01:16:58 +02:00
|
|
|
}
|
|
|
|
|
2016-04-08 06:20:50 +02:00
|
|
|
// CORSWithConfig returns a CORS middleware from config.
|
2016-05-13 02:45:00 +02:00
|
|
|
// See: `CORS()`.
|
2016-04-08 06:20:50 +02:00
|
|
|
func CORSWithConfig(config CORSConfig) echo.MiddlewareFunc {
|
2016-04-08 01:16:58 +02:00
|
|
|
// Defaults
|
|
|
|
if len(config.AllowOrigins) == 0 {
|
|
|
|
config.AllowOrigins = DefaultCORSConfig.AllowOrigins
|
|
|
|
}
|
|
|
|
if len(config.AllowMethods) == 0 {
|
|
|
|
config.AllowMethods = DefaultCORSConfig.AllowMethods
|
|
|
|
}
|
|
|
|
allowMethods := strings.Join(config.AllowMethods, ",")
|
|
|
|
allowHeaders := strings.Join(config.AllowHeaders, ",")
|
|
|
|
exposeHeaders := strings.Join(config.ExposeHeaders, ",")
|
|
|
|
maxAge := strconv.Itoa(config.MaxAge)
|
|
|
|
|
|
|
|
return func(next echo.HandlerFunc) echo.HandlerFunc {
|
|
|
|
return func(c echo.Context) error {
|
2016-04-24 19:21:23 +02:00
|
|
|
req := c.Request()
|
2016-05-03 17:32:28 +02:00
|
|
|
res := c.Response()
|
|
|
|
origin := req.Header().Get(echo.HeaderOrigin)
|
2016-04-08 01:16:58 +02:00
|
|
|
|
|
|
|
// Check allowed origins
|
|
|
|
allowedOrigin := ""
|
|
|
|
for _, o := range config.AllowOrigins {
|
|
|
|
if o == "*" || o == origin {
|
|
|
|
allowedOrigin = o
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Simple request
|
2016-04-24 19:21:23 +02:00
|
|
|
if req.Method() != echo.OPTIONS {
|
2016-05-03 17:32:28 +02:00
|
|
|
res.Header().Add(echo.HeaderVary, echo.HeaderOrigin)
|
2016-04-08 01:16:58 +02:00
|
|
|
if origin == "" || allowedOrigin == "" {
|
|
|
|
return next(c)
|
|
|
|
}
|
2016-05-03 17:32:28 +02:00
|
|
|
res.Header().Set(echo.HeaderAccessControlAllowOrigin, allowedOrigin)
|
2016-04-08 01:16:58 +02:00
|
|
|
if config.AllowCredentials {
|
2016-05-03 17:32:28 +02:00
|
|
|
res.Header().Set(echo.HeaderAccessControlAllowCredentials, "true")
|
2016-04-08 01:16:58 +02:00
|
|
|
}
|
|
|
|
if exposeHeaders != "" {
|
2016-05-03 17:32:28 +02:00
|
|
|
res.Header().Set(echo.HeaderAccessControlExposeHeaders, exposeHeaders)
|
2016-04-08 01:16:58 +02:00
|
|
|
}
|
|
|
|
return next(c)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Preflight request
|
2016-05-03 17:32:28 +02:00
|
|
|
res.Header().Add(echo.HeaderVary, echo.HeaderOrigin)
|
|
|
|
res.Header().Add(echo.HeaderVary, echo.HeaderAccessControlRequestMethod)
|
|
|
|
res.Header().Add(echo.HeaderVary, echo.HeaderAccessControlRequestHeaders)
|
2016-04-08 01:16:58 +02:00
|
|
|
if origin == "" || allowedOrigin == "" {
|
|
|
|
return next(c)
|
|
|
|
}
|
2016-05-03 17:32:28 +02:00
|
|
|
res.Header().Set(echo.HeaderAccessControlAllowOrigin, allowedOrigin)
|
|
|
|
res.Header().Set(echo.HeaderAccessControlAllowMethods, allowMethods)
|
2016-04-08 01:16:58 +02:00
|
|
|
if config.AllowCredentials {
|
2016-05-03 17:32:28 +02:00
|
|
|
res.Header().Set(echo.HeaderAccessControlAllowCredentials, "true")
|
2016-04-08 01:16:58 +02:00
|
|
|
}
|
|
|
|
if allowHeaders != "" {
|
2016-05-03 17:32:28 +02:00
|
|
|
res.Header().Set(echo.HeaderAccessControlAllowHeaders, allowHeaders)
|
2016-04-08 01:16:58 +02:00
|
|
|
} else {
|
2016-04-24 19:21:23 +02:00
|
|
|
h := req.Header().Get(echo.HeaderAccessControlRequestHeaders)
|
2016-04-08 01:16:58 +02:00
|
|
|
if h != "" {
|
2016-05-03 17:32:28 +02:00
|
|
|
res.Header().Set(echo.HeaderAccessControlAllowHeaders, h)
|
2016-04-08 01:16:58 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
if config.MaxAge > 0 {
|
2016-05-03 17:32:28 +02:00
|
|
|
res.Header().Set(echo.HeaderAccessControlMaxAge, maxAge)
|
2016-04-08 01:16:58 +02:00
|
|
|
}
|
|
|
|
return c.NoContent(http.StatusNoContent)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|