middleware/cors.go

package middleware

import (
	"net/http"
	"strconv"
	"strings"

	"github.com/labstack/echo"
)

type (
	// CORSConfig defines the config for CORS middleware.
	CORSConfig struct {
		// Skipper defines a function to skip middleware.
		Skipper Skipper

		// AllowOrigin defines a list of origins that may access the resource.
		// Optional. If request header `Origin` is set, value is []string{"<Origin>"}
		// else []string{"*"}.
		AllowOrigins []string `json:"allow_origins"`

		// AllowMethods defines a list methods allowed when accessing the resource.
		// This is used in response to a preflight request.
		// Optional. Default value DefaultCORSConfig.AllowMethods.
		AllowMethods []string `json:"allow_methods"`

		// AllowHeaders defines a list of request headers that can be used when
		// making the actual request. This in response to a preflight request.
		// Optional. Default value []string{}.
		AllowHeaders []string `json:"allow_headers"`

		// AllowCredentials indicates whether or not the response to the request
		// can be exposed when the credentials flag is true. When used as part of
		// a response to a preflight request, this indicates whether or not the
		// actual request can be made using credentials.
		// Optional. Default value false.
		AllowCredentials bool `json:"allow_credentials"`

		// ExposeHeaders defines a whitelist headers that clients are allowed to
		// access.
		// Optional. Default value []string{}.
		ExposeHeaders []string `json:"expose_headers"`

		// MaxAge indicates how long (in seconds) the results of a preflight request
		// can be cached.
		// Optional. Default value 0.
		MaxAge int `json:"max_age"`
	}
)

var (
	// DefaultCORSConfig is the default CORS middleware config.
	DefaultCORSConfig = CORSConfig{
		Skipper:      defaultSkipper,
		AllowMethods: []string{echo.GET, echo.HEAD, echo.PUT, echo.PATCH, echo.POST, echo.DELETE},
	}
)

// CORS returns a Cross-Origin Resource Sharing (CORS) middleware.
// See: https://developer.mozilla.org/en/docs/Web/HTTP/Access_control_CORS
func CORS() echo.MiddlewareFunc {
	return CORSWithConfig(DefaultCORSConfig)
}

// CORSWithConfig returns a CORS middleware with config.
// See: `CORS()`.
func CORSWithConfig(config CORSConfig) echo.MiddlewareFunc {
	// Defaults
	if config.Skipper == nil {
		config.Skipper = DefaultCORSConfig.Skipper
	}
	if len(config.AllowMethods) == 0 {
		config.AllowMethods = DefaultCORSConfig.AllowMethods
	}

	allowedOrigins := strings.Join(config.AllowOrigins, ",")
	allowMethods := strings.Join(config.AllowMethods, ",")
	allowHeaders := strings.Join(config.AllowHeaders, ",")
	exposeHeaders := strings.Join(config.ExposeHeaders, ",")
	maxAge := strconv.Itoa(config.MaxAge)

	return func(next echo.HandlerFunc) echo.HandlerFunc {
		return func(c echo.Context) error {
			if config.Skipper(c) {
				return next(c)
			}

			req := c.Request()
			res := c.Response()
			origin := req.Header.Get(echo.HeaderOrigin)

			if allowedOrigins == "" {
				if origin != "" {
					allowedOrigins = origin
				} else {
					if !config.AllowCredentials {
						allowedOrigins = "*"
					}
				}
			}

			// Simple request
			if req.Method != echo.OPTIONS {
				res.Header().Add(echo.HeaderVary, echo.HeaderOrigin)
				res.Header().Set(echo.HeaderAccessControlAllowOrigin, allowedOrigins)
				if config.AllowCredentials {
					res.Header().Set(echo.HeaderAccessControlAllowCredentials, "true")
				}
				if exposeHeaders != "" {
					res.Header().Set(echo.HeaderAccessControlExposeHeaders, exposeHeaders)
				}
				return next(c)
			}

			// Preflight request
			res.Header().Add(echo.HeaderVary, echo.HeaderOrigin)
			res.Header().Add(echo.HeaderVary, echo.HeaderAccessControlRequestMethod)
			res.Header().Add(echo.HeaderVary, echo.HeaderAccessControlRequestHeaders)
			res.Header().Set(echo.HeaderAccessControlAllowOrigin, allowedOrigins)
			res.Header().Set(echo.HeaderAccessControlAllowMethods, allowMethods)
			if config.AllowCredentials {
				res.Header().Set(echo.HeaderAccessControlAllowCredentials, "true")
			}
			if allowHeaders != "" {
				res.Header().Set(echo.HeaderAccessControlAllowHeaders, allowHeaders)
			} else {
				h := req.Header.Get(echo.HeaderAccessControlRequestHeaders)
				if h != "" {
					res.Header().Set(echo.HeaderAccessControlAllowHeaders, h)
				}
			}
			if config.MaxAge > 0 {
				res.Header().Set(echo.HeaderAccessControlMaxAge, maxAge)
			}
			return c.NoContent(http.StatusNoContent)
		}
	}
}
Fixed #454 , Fixed #274 2016-04-07 16:16:58 -07:00			`package middleware`

			`import (`
			`"net/http"`
			`"strconv"`
			`"strings"`

			`"github.com/labstack/echo"`
			`)`

			`type (`
			`// CORSConfig defines the config for CORS middleware.`
			`CORSConfig struct {`
Ability to skip a middleware via callback 2016-07-27 09:34:44 -07:00			`// Skipper defines a function to skip middleware.`
			`Skipper Skipper`

Fixed #454 , Fixed #274 2016-04-07 16:16:58 -07:00			`// AllowOrigin defines a list of origins that may access the resource.`
fixed #712 2016-11-12 20:24:53 -08:00			// Optional. If request header `Origin` is set, value is []string{"<Origin>"}
			`// else []string{"*"}.`
Added json tags to middleware config 2016-05-18 18:53:54 -07:00			AllowOrigins []string `json:"allow_origins"`
Fixed #454 , Fixed #274 2016-04-07 16:16:58 -07:00
			`// AllowMethods defines a list methods allowed when accessing the resource.`
			`// This is used in response to a preflight request.`
Updated docs, changes to static middleware config 2016-05-10 11:52:04 -07:00			`// Optional. Default value DefaultCORSConfig.AllowMethods.`
Added json tags to middleware config 2016-05-18 18:53:54 -07:00			AllowMethods []string `json:"allow_methods"`
Fixed #454 , Fixed #274 2016-04-07 16:16:58 -07:00
			`// AllowHeaders defines a list of request headers that can be used when`
			`// making the actual request. This in response to a preflight request.`
Updated docs, changes to static middleware config 2016-05-10 11:52:04 -07:00			`// Optional. Default value []string{}.`
Added json tags to middleware config 2016-05-18 18:53:54 -07:00			AllowHeaders []string `json:"allow_headers"`
Fixed #454 , Fixed #274 2016-04-07 16:16:58 -07:00
			`// AllowCredentials indicates whether or not the response to the request`
			`// can be exposed when the credentials flag is true. When used as part of`
			`// a response to a preflight request, this indicates whether or not the`
			`// actual request can be made using credentials.`
Updated docs, changes to static middleware config 2016-05-10 11:52:04 -07:00			`// Optional. Default value false.`
Added json tags to middleware config 2016-05-18 18:53:54 -07:00			AllowCredentials bool `json:"allow_credentials"`
Fixed #454 , Fixed #274 2016-04-07 16:16:58 -07:00
			`// ExposeHeaders defines a whitelist headers that clients are allowed to`
			`// access.`
Updated docs, changes to static middleware config 2016-05-10 11:52:04 -07:00			`// Optional. Default value []string{}.`
Added json tags to middleware config 2016-05-18 18:53:54 -07:00			ExposeHeaders []string `json:"expose_headers"`
Fixed #454 , Fixed #274 2016-04-07 16:16:58 -07:00
			`// MaxAge indicates how long (in seconds) the results of a preflight request`
			`// can be cached.`
Updated docs, changes to static middleware config 2016-05-10 11:52:04 -07:00			`// Optional. Default value 0.`
Added json tags to middleware config 2016-05-18 18:53:54 -07:00			MaxAge int `json:"max_age"`
Fixed #454 , Fixed #274 2016-04-07 16:16:58 -07:00			`}`
			`)`

			`var (`
			`// DefaultCORSConfig is the default CORS middleware config.`
			`DefaultCORSConfig = CORSConfig{`
Ability to skip a middleware via callback 2016-07-27 09:34:44 -07:00			`Skipper: defaultSkipper,`
Add PATCH to default allowed methods 2016-05-31 15:41:09 +03:00			`AllowMethods: []string{echo.GET, echo.HEAD, echo.PUT, echo.PATCH, echo.POST, echo.DELETE},`
Fixed #454 , Fixed #274 2016-04-07 16:16:58 -07:00			`}`
			`)`

Updated README.md with CORS middleware 2016-04-07 16:57:57 -07:00			`// CORS returns a Cross-Origin Resource Sharing (CORS) middleware.`
Added CSRF middleware, #341 . 2016-05-12 17:45:00 -07:00			`// See: https://developer.mozilla.org/en/docs/Web/HTTP/Access_control_CORS`
Fixed #454 , Fixed #274 2016-04-07 16:16:58 -07:00			`func CORS() echo.MiddlewareFunc {`
API changes from to with 2016-04-07 21:20:50 -07:00			`return CORSWithConfig(DefaultCORSConfig)`
Fixed #454 , Fixed #274 2016-04-07 16:16:58 -07:00			`}`

Options for redirect middleware 2016-08-31 20:10:14 -07:00			`// CORSWithConfig returns a CORS middleware with config.`
Added CSRF middleware, #341 . 2016-05-12 17:45:00 -07:00			// See: `CORS()`.
API changes from to with 2016-04-07 21:20:50 -07:00			`func CORSWithConfig(config CORSConfig) echo.MiddlewareFunc {`
Fixed #454 , Fixed #274 2016-04-07 16:16:58 -07:00			`// Defaults`
Ability to skip a middleware via callback 2016-07-27 09:34:44 -07:00			`if config.Skipper == nil {`
			`config.Skipper = DefaultCORSConfig.Skipper`
			`}`
Fixed #454 , Fixed #274 2016-04-07 16:16:58 -07:00			`if len(config.AllowMethods) == 0 {`
			`config.AllowMethods = DefaultCORSConfig.AllowMethods`
			`}`
fixed #712 2016-11-12 20:24:53 -08:00
cors: not checking for origin header 2016-11-12 14:05:41 -08:00			`allowedOrigins := strings.Join(config.AllowOrigins, ",")`
Fixed #454 , Fixed #274 2016-04-07 16:16:58 -07:00			`allowMethods := strings.Join(config.AllowMethods, ",")`
			`allowHeaders := strings.Join(config.AllowHeaders, ",")`
			`exposeHeaders := strings.Join(config.ExposeHeaders, ",")`
			`maxAge := strconv.Itoa(config.MaxAge)`

			`return func(next echo.HandlerFunc) echo.HandlerFunc {`
			`return func(c echo.Context) error {`
Ability to skip a middleware via callback 2016-07-27 09:34:44 -07:00			`if config.Skipper(c) {`
			`return next(c)`
			`}`

Refactored variable names 2016-04-24 10:21:23 -07:00			`req := c.Request()`
Added test for secure middleware 2016-05-03 08:32:28 -07:00			`res := c.Response()`
fixed #712 2016-11-12 20:24:53 -08:00			`origin := req.Header.Get(echo.HeaderOrigin)`

			`if allowedOrigins == "" {`
			`if origin != "" {`
			`allowedOrigins = origin`
			`} else {`
			`if !config.AllowCredentials {`
			`allowedOrigins = "*"`
			`}`
			`}`
			`}`
Fixed #454 , Fixed #274 2016-04-07 16:16:58 -07:00
			`// Simple request`
First commit to v3, #665 2016-09-22 22:53:44 -07:00			`if req.Method != echo.OPTIONS {`
Added test for secure middleware 2016-05-03 08:32:28 -07:00			`res.Header().Add(echo.HeaderVary, echo.HeaderOrigin)`
cors: not checking for origin header 2016-11-12 14:05:41 -08:00			`res.Header().Set(echo.HeaderAccessControlAllowOrigin, allowedOrigins)`
Fixed #454 , Fixed #274 2016-04-07 16:16:58 -07:00			`if config.AllowCredentials {`
Added test for secure middleware 2016-05-03 08:32:28 -07:00			`res.Header().Set(echo.HeaderAccessControlAllowCredentials, "true")`
Fixed #454 , Fixed #274 2016-04-07 16:16:58 -07:00			`}`
			`if exposeHeaders != "" {`
Added test for secure middleware 2016-05-03 08:32:28 -07:00			`res.Header().Set(echo.HeaderAccessControlExposeHeaders, exposeHeaders)`
Fixed #454 , Fixed #274 2016-04-07 16:16:58 -07:00			`}`
			`return next(c)`
			`}`

			`// Preflight request`
Added test for secure middleware 2016-05-03 08:32:28 -07:00			`res.Header().Add(echo.HeaderVary, echo.HeaderOrigin)`
			`res.Header().Add(echo.HeaderVary, echo.HeaderAccessControlRequestMethod)`
			`res.Header().Add(echo.HeaderVary, echo.HeaderAccessControlRequestHeaders)`
cors: not checking for origin header 2016-11-12 14:05:41 -08:00			`res.Header().Set(echo.HeaderAccessControlAllowOrigin, allowedOrigins)`
Added test for secure middleware 2016-05-03 08:32:28 -07:00			`res.Header().Set(echo.HeaderAccessControlAllowMethods, allowMethods)`
Fixed #454 , Fixed #274 2016-04-07 16:16:58 -07:00			`if config.AllowCredentials {`
Added test for secure middleware 2016-05-03 08:32:28 -07:00			`res.Header().Set(echo.HeaderAccessControlAllowCredentials, "true")`
Fixed #454 , Fixed #274 2016-04-07 16:16:58 -07:00			`}`
			`if allowHeaders != "" {`
Added test for secure middleware 2016-05-03 08:32:28 -07:00			`res.Header().Set(echo.HeaderAccessControlAllowHeaders, allowHeaders)`
Fixed #454 , Fixed #274 2016-04-07 16:16:58 -07:00			`} else {`
First commit to v3, #665 2016-09-22 22:53:44 -07:00			`h := req.Header.Get(echo.HeaderAccessControlRequestHeaders)`
Fixed #454 , Fixed #274 2016-04-07 16:16:58 -07:00			`if h != "" {`
Added test for secure middleware 2016-05-03 08:32:28 -07:00			`res.Header().Set(echo.HeaderAccessControlAllowHeaders, h)`
Fixed #454 , Fixed #274 2016-04-07 16:16:58 -07:00			`}`
			`}`
			`if config.MaxAge > 0 {`
Added test for secure middleware 2016-05-03 08:32:28 -07:00			`res.Header().Set(echo.HeaderAccessControlMaxAge, maxAge)`
Fixed #454 , Fixed #274 2016-04-07 16:16:58 -07:00			`}`
			`return c.NoContent(http.StatusNoContent)`
			`}`
			`}`
			`}`