mirror of
https://github.com/labstack/echo.git
synced 2024-11-28 08:38:39 +02:00
9a28fb8608
enable cors to use regex pattern for allowed origins implementation is similar to another popular cors middleware: https://github.com/astaxie/beego/blob/master/plugins/cors/cors.go#L196-L201
178 lines
5.3 KiB
Go
178 lines
5.3 KiB
Go
package middleware
|
|
|
|
import (
|
|
"net/http"
|
|
"regexp"
|
|
"strconv"
|
|
"strings"
|
|
|
|
"github.com/labstack/echo/v4"
|
|
)
|
|
|
|
type (
|
|
// CORSConfig defines the config for CORS middleware.
|
|
CORSConfig struct {
|
|
// Skipper defines a function to skip middleware.
|
|
Skipper Skipper
|
|
|
|
// AllowOrigin defines a list of origins that may access the resource.
|
|
// Optional. Default value []string{"*"}.
|
|
AllowOrigins []string `yaml:"allow_origins"`
|
|
|
|
// AllowMethods defines a list methods allowed when accessing the resource.
|
|
// This is used in response to a preflight request.
|
|
// Optional. Default value DefaultCORSConfig.AllowMethods.
|
|
AllowMethods []string `yaml:"allow_methods"`
|
|
|
|
// AllowHeaders defines a list of request headers that can be used when
|
|
// making the actual request. This is in response to a preflight request.
|
|
// Optional. Default value []string{}.
|
|
AllowHeaders []string `yaml:"allow_headers"`
|
|
|
|
// AllowCredentials indicates whether or not the response to the request
|
|
// can be exposed when the credentials flag is true. When used as part of
|
|
// a response to a preflight request, this indicates whether or not the
|
|
// actual request can be made using credentials.
|
|
// Optional. Default value false.
|
|
AllowCredentials bool `yaml:"allow_credentials"`
|
|
|
|
// ExposeHeaders defines a whitelist headers that clients are allowed to
|
|
// access.
|
|
// Optional. Default value []string{}.
|
|
ExposeHeaders []string `yaml:"expose_headers"`
|
|
|
|
// MaxAge indicates how long (in seconds) the results of a preflight request
|
|
// can be cached.
|
|
// Optional. Default value 0.
|
|
MaxAge int `yaml:"max_age"`
|
|
}
|
|
)
|
|
|
|
var (
|
|
// DefaultCORSConfig is the default CORS middleware config.
|
|
DefaultCORSConfig = CORSConfig{
|
|
Skipper: DefaultSkipper,
|
|
AllowOrigins: []string{"*"},
|
|
AllowMethods: []string{http.MethodGet, http.MethodHead, http.MethodPut, http.MethodPatch, http.MethodPost, http.MethodDelete},
|
|
}
|
|
)
|
|
|
|
// CORS returns a Cross-Origin Resource Sharing (CORS) middleware.
|
|
// See: https://developer.mozilla.org/en/docs/Web/HTTP/Access_control_CORS
|
|
func CORS() echo.MiddlewareFunc {
|
|
return CORSWithConfig(DefaultCORSConfig)
|
|
}
|
|
|
|
// CORSWithConfig returns a CORS middleware with config.
|
|
// See: `CORS()`.
|
|
func CORSWithConfig(config CORSConfig) echo.MiddlewareFunc {
|
|
// Defaults
|
|
if config.Skipper == nil {
|
|
config.Skipper = DefaultCORSConfig.Skipper
|
|
}
|
|
if len(config.AllowOrigins) == 0 {
|
|
config.AllowOrigins = DefaultCORSConfig.AllowOrigins
|
|
}
|
|
if len(config.AllowMethods) == 0 {
|
|
config.AllowMethods = DefaultCORSConfig.AllowMethods
|
|
}
|
|
|
|
allowOriginPatterns := []string{}
|
|
for _, origin := range config.AllowOrigins {
|
|
pattern := regexp.QuoteMeta(origin)
|
|
pattern = strings.Replace(pattern, "\\*", ".*", -1)
|
|
pattern = strings.Replace(pattern, "\\?", ".", -1)
|
|
pattern = "^" + pattern + "$"
|
|
allowOriginPatterns = append(allowOriginPatterns, pattern)
|
|
}
|
|
|
|
allowMethods := strings.Join(config.AllowMethods, ",")
|
|
allowHeaders := strings.Join(config.AllowHeaders, ",")
|
|
exposeHeaders := strings.Join(config.ExposeHeaders, ",")
|
|
maxAge := strconv.Itoa(config.MaxAge)
|
|
|
|
return func(next echo.HandlerFunc) echo.HandlerFunc {
|
|
return func(c echo.Context) error {
|
|
if config.Skipper(c) {
|
|
return next(c)
|
|
}
|
|
|
|
req := c.Request()
|
|
res := c.Response()
|
|
origin := req.Header.Get(echo.HeaderOrigin)
|
|
allowOrigin := ""
|
|
|
|
// Check allowed origins
|
|
for _, o := range config.AllowOrigins {
|
|
if o == "*" && config.AllowCredentials {
|
|
allowOrigin = origin
|
|
break
|
|
}
|
|
if o == "*" || o == origin {
|
|
allowOrigin = o
|
|
break
|
|
}
|
|
if matchSubdomain(origin, o) {
|
|
allowOrigin = origin
|
|
break
|
|
}
|
|
}
|
|
|
|
// Check allowed origin patterns
|
|
for _, re := range allowOriginPatterns {
|
|
if allowOrigin == "" {
|
|
didx := strings.Index(origin, "://")
|
|
if didx == -1 {
|
|
continue
|
|
}
|
|
domAuth := origin[didx+3:]
|
|
// to avoid regex cost by invalid long domain
|
|
if len(domAuth) > 253 {
|
|
break
|
|
}
|
|
|
|
if match, _ := regexp.MatchString(re, origin); match {
|
|
allowOrigin = origin
|
|
break
|
|
}
|
|
}
|
|
}
|
|
|
|
// Simple request
|
|
if req.Method != http.MethodOptions {
|
|
res.Header().Add(echo.HeaderVary, echo.HeaderOrigin)
|
|
res.Header().Set(echo.HeaderAccessControlAllowOrigin, allowOrigin)
|
|
if config.AllowCredentials {
|
|
res.Header().Set(echo.HeaderAccessControlAllowCredentials, "true")
|
|
}
|
|
if exposeHeaders != "" {
|
|
res.Header().Set(echo.HeaderAccessControlExposeHeaders, exposeHeaders)
|
|
}
|
|
return next(c)
|
|
}
|
|
|
|
// Preflight request
|
|
res.Header().Add(echo.HeaderVary, echo.HeaderOrigin)
|
|
res.Header().Add(echo.HeaderVary, echo.HeaderAccessControlRequestMethod)
|
|
res.Header().Add(echo.HeaderVary, echo.HeaderAccessControlRequestHeaders)
|
|
res.Header().Set(echo.HeaderAccessControlAllowOrigin, allowOrigin)
|
|
res.Header().Set(echo.HeaderAccessControlAllowMethods, allowMethods)
|
|
if config.AllowCredentials {
|
|
res.Header().Set(echo.HeaderAccessControlAllowCredentials, "true")
|
|
}
|
|
if allowHeaders != "" {
|
|
res.Header().Set(echo.HeaderAccessControlAllowHeaders, allowHeaders)
|
|
} else {
|
|
h := req.Header.Get(echo.HeaderAccessControlRequestHeaders)
|
|
if h != "" {
|
|
res.Header().Set(echo.HeaderAccessControlAllowHeaders, h)
|
|
}
|
|
}
|
|
if config.MaxAge > 0 {
|
|
res.Header().Set(echo.HeaderAccessControlMaxAge, maxAge)
|
|
}
|
|
return c.NoContent(http.StatusNoContent)
|
|
}
|
|
}
|
|
}
|