CORS: add an optional custom function to validate the origin

2024-11-28 08:38:39 +02:00 · 2020-10-09 18:07:29 +09:00 · 2020-10-09 18:07:29 +09:00 · 26ab188922
commit 26ab188922
parent 17a5fca161
2 changed files with 94 additions and 30 deletions
--- a/middleware/cors.go
+++ b/middleware/cors.go
@ -19,6 +19,13 @@ type (
 		// Optional. Default value []string{"*"}.
 		AllowOrigins []string `yaml:"allow_origins"`

+		// AllowOriginFunc is a custom function to validate the origin. It takes the
+		// origin as an argument and returns true if allowed or false otherwise. If
+		// an error is returned, it is returned by the handler. If this option is
+		// set, AllowOrigins is ignored.
+		// Optional.
+		AllowOriginFunc func(origin string) (bool, error) `yaml:"allow_origin_func"`
+
 		// AllowMethods defines a list methods allowed when accessing the resource.
 		// This is used in response to a preflight request.
 		// Optional. Default value DefaultCORSConfig.AllowMethods.
@ -113,6 +120,7 @@ func CORSWithConfig(config CORSConfig) echo.MiddlewareFunc {
 				return c.NoContent(http.StatusNoContent)
 			}

+			if config.AllowOriginFunc == nil {
 				// Check allowed origins
 				for _, o := range config.AllowOrigins {
 					if o == "*" && config.AllowCredentials {
@ -148,6 +156,15 @@ func CORSWithConfig(config CORSConfig) echo.MiddlewareFunc {
 						}
 					}
 				}
+			} else {
+				allowed, err := config.AllowOriginFunc(origin)
+				if err != nil {
+					return err
+				}
+				if allowed {
+					allowOrigin = origin
+				}
+			}

 			// Origin not allowed
 			if allowOrigin == "" {
--- a/middleware/cors_test.go
+++ b/middleware/cors_test.go
@ -1,6 +1,7 @@
 package middleware

 import (
+	"errors"
 	"net/http"
 	"net/http/httptest"
 	"testing"
@ -360,3 +361,49 @@ func TestCorsHeaders(t *testing.T) {
 		}
 	}
 }
+
+func Test_allowOriginFunc(t *testing.T) {
+	returnTrue := func(origin string) (bool, error) {
+		return true, nil
+	}
+	returnFalse := func(origin string) (bool, error) {
+		return false, nil
+	}
+	returnError := func(origin string) (bool, error) {
+		return true, errors.New("this is a test error")
+	}
+
+	allowOriginFuncs := []func(origin string) (bool, error){
+		returnTrue,
+		returnFalse,
+		returnError,
+	}
+
+	const origin = "http://example.com"
+
+	e := echo.New()
+	for _, allowOriginFunc := range allowOriginFuncs {
+		req := httptest.NewRequest(http.MethodOptions, "/", nil)
+		rec := httptest.NewRecorder()
+		c := e.NewContext(req, rec)
+		req.Header.Set(echo.HeaderOrigin, origin)
+		cors := CORSWithConfig(CORSConfig{
+			AllowOriginFunc: allowOriginFunc,
+		})
+		h := cors(echo.NotFoundHandler)
+		err := h(c)
+
+		expected, expectedErr := allowOriginFunc(origin)
+		if expectedErr != nil {
+			assert.Equal(t, expectedErr, err)
+			assert.Equal(t, "", rec.Header().Get(echo.HeaderAccessControlAllowOrigin))
+			continue
+		}
+
+		if expected {
+			assert.Equal(t, origin, rec.Header().Get(echo.HeaderAccessControlAllowOrigin))
+		} else {
+			assert.Equal(t, "", rec.Header().Get(echo.HeaderAccessControlAllowOrigin))
+		}
+	}
+}