package cors import ( "errors" "strings" "time" "github.com/gin-gonic/gin" ) // Config represents all available options for the middleware. type Config struct { AllowAllOrigins bool // AllowOrigins is a list of origins a cross-domain request can be executed from. // If the special "*" value is present in the list, all origins will be allowed. // Default value is [] AllowOrigins []string // AllowOriginFunc is a custom function to validate the origin. It take the origin // as argument and returns true if allowed or false otherwise. If this option is // set, the content of AllowOrigins is ignored. AllowOriginFunc func(origin string) bool // AllowMethods is a list of methods the client is allowed to use with // cross-domain requests. Default value is simple methods (GET and POST) AllowMethods []string // AllowHeaders is list of non simple headers the client is allowed to use with // cross-domain requests. AllowHeaders []string // AllowCredentials indicates whether the request can include user credentials like // cookies, HTTP authentication or client side SSL certificates. AllowCredentials bool // ExposedHeaders indicates which headers are safe to expose to the API of a CORS // API specification ExposeHeaders []string // MaxAge indicates how long (in seconds) the results of a preflight request // can be cached MaxAge time.Duration // Allows to add origins like http://some-domain/*, https://api.* or http://some.*.subdomain.com AllowWildcard bool // Allows usage of popular browser extensions schemas AllowBrowserExtensions bool // Allows usage of WebSocket protocol AllowWebSockets bool // Allows usage of file:// schema (dangerous!) use it only when you 100% sure it's needed AllowFiles bool } // AddAllowMethods is allowed to add custom methods func (c *Config) AddAllowMethods(methods ...string) { c.AllowMethods = append(c.AllowMethods, methods...) } // AddAllowHeaders is allowed to add custom headers func (c *Config) AddAllowHeaders(headers ...string) { c.AllowHeaders = append(c.AllowHeaders, headers...) } // AddExposeHeaders is allowed to add custom expose headers func (c *Config) AddExposeHeaders(headers ...string) { c.ExposeHeaders = append(c.ExposeHeaders, headers...) } func (c Config) getAllowedSchemas() []string { allowedSchemas := DefaultSchemas if c.AllowBrowserExtensions { allowedSchemas = append(allowedSchemas, ExtensionSchemas...) } if c.AllowWebSockets { allowedSchemas = append(allowedSchemas, WebSocketSchemas...) } if c.AllowFiles { allowedSchemas = append(allowedSchemas, FileSchemas...) } return allowedSchemas } func (c Config) validateAllowedSchemas(origin string) bool { allowedSchemas := c.getAllowedSchemas() for _, schema := range allowedSchemas { if strings.HasPrefix(origin, schema) { return true } } return false } // Validate is check configuration of user defined. func (c *Config) Validate() error { if c.AllowAllOrigins && (c.AllowOriginFunc != nil || len(c.AllowOrigins) > 0) { return errors.New("conflict settings: all origins are allowed. AllowOriginFunc or AllowOrigins is not needed") } if !c.AllowAllOrigins && c.AllowOriginFunc == nil && len(c.AllowOrigins) == 0 { return errors.New("conflict settings: all origins disabled") } for _, origin := range c.AllowOrigins { if origin == "*" { c.AllowAllOrigins = true return nil } else if !strings.Contains(origin, "*") && !c.validateAllowedSchemas(origin) { return errors.New("bad origin: origins must contain '*' or include " + strings.Join(c.getAllowedSchemas(), ",")) } } return nil } func (c Config) parseWildcardRules() [][]string { var wRules [][]string if !c.AllowWildcard { return wRules } for _, o := range c.AllowOrigins { if !strings.Contains(o, "*") { continue } if c := strings.Count(o, "*"); c > 1 { panic(errors.New("only one * is allowed").Error()) } i := strings.Index(o, "*") if i == 0 { wRules = append(wRules, []string{"*", o[1:]}) continue } if i == (len(o) - 1) { wRules = append(wRules, []string{o[:i-1], "*"}) continue } wRules = append(wRules, []string{o[:i], o[i+1:]}) } return wRules } // DefaultConfig returns a generic default configuration mapped to localhost. func DefaultConfig() Config { return Config{ AllowMethods: []string{"GET", "POST", "PUT", "PATCH", "DELETE", "HEAD"}, AllowHeaders: []string{"Origin", "Content-Length", "Content-Type"}, AllowCredentials: false, MaxAge: 12 * time.Hour, } } // Default returns the location middleware with default configuration. func Default() gin.HandlerFunc { config := DefaultConfig() config.AllowAllOrigins = true return New(config) } // New returns the location middleware with user-defined custom configuration. func New(config Config) gin.HandlerFunc { cors := newCors(config) return func(c *gin.Context) { cors.applyCors(c) } }